Solved

Need User Internet Usage monitor for linux

Posted on 2003-03-11
Medium Priority
220 Views
Last Modified: 2010-03-18
My network has 150+ users on NT/2000.  They all run through a Watchguard firewall.  I need to implement an internet use monitor (on Linux) for ports 80, 25, 110 and 143.  I can attach the monitor with a hub to sniff the traffic, but I was wondering if there are any better suggestions?
Thanks
Question by: bkern
11 Comments
 
LVL 3

Expert Comment

by:Flash828
ID: 8116033
Well, what are you trying to see the usage of?  Successful connections to these ports?  Connection attempts to these ports?  Unauthorized attempts at these ports?

In these cases, if you run IPTABLES, you can create a logging chain (or table.. never figured out the difference) to log these events.  For instance,

# create the chain first with: iptables -N LOGGING
iptables -A LOGGING -p tcp --dport 80 -j LOG --log-prefix "Port 80 Access: "

This would show all TCP/UDP connection attempts to port 80 on your machine.

However, I'm not sure that's what you're looking for...  can you be more specific?
 
LVL 6

Expert Comment

by:TheAmigo
ID: 8117662
As a side note to clarify the difference between a chain and a table:  With 2.4 (iptables), there are only three tables (filter, mangle & nat).  To have more tables, you need to find/write more kernel modules.  Chains can be created at will with the -N option and are placed in one of the existing tables. (e.g. PREROUTING and OUTPUT are the default chains in the mangle table)

To monitor the internet usage for many machines, you could add a couple of rules (one for each port) in the style that Flash828 mentioned to the FORWARD chain of the filter table.  However, this will only work if the linux box doing this monitoring is also routing all the packets that you're interested in.

If sniffing the traffic is your only option, then you'll need a different solution.
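If the Linux box is in the forwarding path as TheAmigo describes, LOG rules in the FORWARD chain produce one kernel log line per matching packet, and something still has to turn those lines into a per-user report. The following is an added example, not code from the thread: it lists the rule commands it assumes (one LOG rule per port, with --syn so only the first packet of each TCP connection is logged) and parses the resulting kernel log lines into a per-client count by service. The log lines and the "USAGE: " prefix are constructed for the example.

```python
"""Summarise per-user internet usage from iptables LOG lines.

Added example (not from the thread). Assumes rules like the ones
TheAmigo describes sit in the FORWARD chain of the filter table, e.g.
  iptables -A FORWARD -p tcp --syn --dport 80 -j LOG --log-prefix "USAGE: "
so that each new outbound connection produces one kernel log line.
"""
import re
from collections import Counter, defaultdict

# Service names for the ports the question asks about.
PORTS = {80: "http", 25: "smtp", 110: "pop3", 143: "imap"}

# The netfilter LOG fields we need; every other field is ignored.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def iptables_rules(prefix="USAGE: ", chain="FORWARD", ports=PORTS):
    """Return the iptables commands that would emit the lines parsed below.
    --syn restricts the match to the first packet of each TCP connection,
    so one log line per connection rather than one per packet."""
    return [f'iptables -A {chain} -p tcp --syn --dport {p} -j LOG --log-prefix "{prefix}"'
            for p in ports]


def parse_log_line(line, prefix="USAGE: "):
    """Return (src, dst, dport) for a monitored TCP connection, else None."""
    if prefix not in line:
        return None
    fields = dict(_FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    try:
        dport = int(fields["DPT"])
    except (KeyError, ValueError):
        return None
    if dport not in PORTS:
        return None
    return fields["SRC"], fields["DST"], dport


def summarise(lines, prefix="USAGE: "):
    """Map client IP -> {service: number of new connections}."""
    usage = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec:
            src, _dst, dport = rec
            usage[src][PORTS[dport]] += 1
    return {ip: dict(c) for ip, c in usage.items()}


# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 11 09:01:02 gw kernel: USAGE: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=100 DF PROTO=TCP SPT=1034 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 11 09:01:05 gw kernel: USAGE: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=101 DF PROTO=TCP SPT=1035 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 11 09:02:17 gw kernel: USAGE: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=200 DF PROTO=TCP SPT=1040 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 11 09:02:18 gw kernel: USAGE: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=201 DF PROTO=TCP SPT=1041 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 11 09:03:00 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.20 LEN=60 PROTO=UDP SPT=1042 DPT=53 LEN=40
Mar 11 09:03:30 gw kernel: USAGE: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=102 DF PROTO=TCP SPT=1036 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for cmd in iptables_rules():
        print(cmd)
    for ip, counts in sorted(summarise(SAMPLE_LOG.splitlines()).items()):
        print(ip, counts)
```

LOG is a non-terminating target, so these rules only record the packet; the chain's existing ACCEPT/DROP rules still decide whether it is forwarded. Without --syn (or an -m limit match) every packet of every web connection would be logged, which with 150 users fills the log partition quickly.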
 

Author Comment

by:bkern
ID: 8120059
I need to log all incoming and outgoing email as well as all web surfing.  The Linux box will be off a hub, so I think that dsniff may be my answer.
 
LVL 3

Accepted Solution

by: Flash828 (earned 500 total points)
ID: 8122712
Then you can run the interface in promiscuous (sp?) mode to see all traffic, then log ports 25 (smtp), 80 (http) and 110 (pop3) using iptables.
 
LVL 6

Expert Comment

by:TheAmigo
ID: 8122942
I don't think that will work.  Which table and chain would you put that in, Flash828?  iptables allows you to log traffic for one of three conditions:
1) your IP is the destination [INPUT]
2) you are sending it [OUTPUT]
3) you are routing the packet [FORWARD]

Even in promiscuous (ok, so I don't know how to spell it either) mode, you'd need software other than iptables to create a log of the traffic as it won't match any of the above conditions.
 
LVL 6

Expert Comment

by:TheAmigo
ID: 8122955
I don't think that will work.  Which table and chain would you put that in, Flash828?  AFAIK, iptables allows you to log traffic for one of three conditions:
1) your IP is the destination [INPUT]
2) you are sending it [OUTPUT]
3) you are routing the packet [FORWARD]

Even in promiscuous (ok, so I don't know how to spell it either) mode, how would you add a rule to match packets that aren't any of the above three conditions?
 
LVL 3

Expert Comment

by:Flash828
ID: 8123085
That's an interesting point.  However, since the interface is operating in promiscuous mode, it means the packets are moving into kernel-space then user-space.  If that is the case, then IPTABLES should be able to pick it up with a rule where the source and destination is not equal to the IP of the machine, for an input packet.... I'm going to look into this.  More about this a little later.
 
LVL 3

Assisted Solution

by: Flash828 (earned 500 total points)
ID: 8123102
Oh, and I do believe there are more conditions than just input, output and forward.. I think there's pre-routing, post-routing, and a bunch more... Again, I haven't used iptables in these conditions as of yet, so I don't know how these options work.  However, I have been playing with iptables long enough to know that it's an incredibly powerful tool, above being just a packet filter.
 
LVL 6

Assisted Solution

by: TheAmigo (earned 500 total points)
ID: 8123205
The PREROUTING and POSTROUTING chains are only in the mangle and nat tables.  While I haven't tried it, I don't think you can write a rule in either of those tables that would match a packet that you're not routing.

I'd always wondered why there are so many dup posts on the boards here.  Today my 'net connection's flaky and I posted a dup... now I know. :)
 

Author Comment

by:bkern
ID: 8749012
I ended up with dsniff and using MailScanner over sendmail.
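For the route bkern took, the monitor hangs off a hub and is not in the forwarding path, so, as TheAmigo pointed out, netfilter never sees the traffic and the sniffer has to decode the frames itself. The following is an added example, not dsniff's code or anything from the thread: it reads a libpcap-format capture (the format tcpdump -w writes) from memory, decodes the Ethernet/IPv4/TCP headers by hand, and counts new connections per client to the four monitored ports, using the SYN-without-ACK packet as the start of a connection. The capture is constructed inside the script so it runs offline.

```python
"""Passive usage tally from a packet capture (the hub/sniffer route).

Added example, not from the thread or from dsniff. Reads a libpcap-format
file (as written by tcpdump -w) and counts, per client IP, new TCP
connections to the monitored ports, treating a SYN without ACK as the
"connection started" marker. Only untagged Ethernet + IPv4 + TCP is decoded;
anything else is skipped rather than guessed at.
"""
import struct
from collections import Counter, defaultdict

PORTS = {80: "http", 25: "smtp", 110: "pop3", 143: "imap"}

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _packets(data):
    """Yield raw frames from an in-memory pcap file, honouring its byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # 16-byte per-packet header
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def _tcp_syn(frame):
    """Return (src_ip, dst_ip, dport) if the frame is an IPv4 TCP SYN (no ACK), else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                   # header length in bytes
    if ip[9] != 6:                             # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    _sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    if flags & 0x02 and not flags & 0x10:      # SYN set, ACK clear
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        return src, dst, dport
    return None


def usage_from_pcap(data):
    """Map client IP -> {service: number of new connections} for monitored ports."""
    usage = defaultdict(Counter)
    for frame in _packets(data):
        rec = _tcp_syn(frame)
        if rec and rec[2] in PORTS:
            usage[rec[0]][PORTS[rec[2]]] += 1
    return {ip: dict(c) for ip, c in usage.items()}


# --- constructed sample capture (built here, not a real trace) ---
def _frame(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"           # zero MACs, EtherType IPv4
    ip_src = bytes(int(x) for x in src.split("."))
    ip_dst = bytes(int(x) for x in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip_src, ip_dst)
    return eth + ip + tcp


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10
SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.25", "198.51.100.7", 1034, 80, SYN),
    _frame("198.51.100.7", "192.168.1.25", 80, 1034, SYN_ACK),   # server reply, not counted
    _frame("192.168.1.25", "198.51.100.7", 1034, 80, ACK),
    _frame("192.168.1.40", "198.51.100.20", 1040, 110, SYN),
    _frame("192.168.1.40", "198.51.100.20", 1041, 25, SYN),
    _frame("192.168.1.40", "198.51.100.20", 1042, 443, SYN),     # not a monitored port
])

if __name__ == "__main__":
    for ip, counts in sorted(usage_from_pcap(SAMPLE_PCAP).items()):
        print(ip, counts)
```

To run it on a real trace, read the file with open(path, "rb").read() and pass the bytes to usage_from_pcap. Counting only the client's SYN means the server's SYN/ACK and the data packets are not double-counted, and 802.1Q-tagged or non-IPv4 frames are ignored because their EtherType is not 0x0800.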
 

Expert Comment

by:CleanupPing
ID: 9077687
bkern:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.