mld4165


Setup Linux server to monitor network

Hi All

I need to be able to check network traffic usage as sometimes the network slows to a crawl. I think it is Internet traffic that slows it down. I need to see by ip address who is doing what.

I have a 3Com 3300 switch where everything comes to and then goes to the router. I have a Linux server plugged into that switch. If I run Ethereal on this server I can see traffic that involves this server, but not all traffic.

1. Is it possible to do this?
2. It seems either my current server or switch port is not in promiscuous mode. How do I change this?
3. What software is available to do this task? Ethereal seems like it might do the task, but is not very easy to read.
4. Linux Server is Red Hat 8, but Fedora Core 4 is available.
5. If it has to be I can run it on a Microsoft Win 2000 server.

thanks
mld4165
Jon_Ferguson

The switch only sends traffic over a port if it is destined for that port, based on ARP mapping.  You need to use a switch that has a sniffer port or configure your port as a sniffer port.  This will send everything to that port for that very purpose.  I have never used a 3Com switch so I don't know if they have that ability.
Which kind of 3COM switch do you have? There are a lot of 3300 varieties and each one has different features. As for software, there are a lot of great free programs that will run in Linux. I have posted a website below that shows just some of the options you have. I would decide what to use based on the information you want to monitor.

http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html#capture
mld4165

ASKER

"Which kind of 3COM switch do you have? There are a lot of 3300 varieties and each one has different features"

3C16980A Super Stack 3

Sorry about that.

mld4165
ASKER CERTIFIED SOLUTION
kamichie

mld4165

ASKER

So if I have this setup right I can hook the Linux box with NTOP or Ethereal into the analysis port and then set another port to be monitored, which will be the only port monitored, and not the whole switch. Correct?

Since one port goes to the router I can see all outbound traffic and broadcasts, but if I want to see internal traffic I would have to monitor another port? Possibly the uplink to the rest of the building, but not both at the same time?

I am not sure but this does not seem to do what I wanted, but that might be my problem because of equipment or my choice of software?

thanks
mld4165
What will happen is the switch will send all the data on the switch directly to your monitoring port. This will allow you to see everybody's network traffic. Anything passed through that switch will show up in your Linux box's Ethereal. If you only want to see a specific user or port, I suggest filtering by MAC address with Ethereal.
Re-reading your post above I think you may be confused by the monitoring port. When you set the monitoring port this does not mean you are monitoring only that port. It means you assigned a port on the switch which will basically transmit all data on the switch. If you plug your Linux box into this monitoring port, you will be able to see every piece of network traffic it deals with.
mld4165

ASKER

quoting 3Com documents for this switch

==============================================
Roving analysis is a system that allows you to attach a network analyzer
to one port and use it to monitor the traffic of other ports in the stack.
The system works by enabling you to define an analysis port (the port
that is connected to the analyzer - "MY LINUX BOX IS HERE"),
and a monitor port (the port that is to be monitored - "PORT TO ROUTER").

Once the pair are defined, and you enable the system, the
stack takes all the traffic going in and out of the monitor port and copies
it to the analysis port.

Roving analysis is used when you need the functions of a network
analyzer, but do not want to change the physical characteristics of the
monitored segment by attaching an analyzer to that segment.
==============================================

And that is what it seems to be doing: not showing all traffic, but what is on the monitor port.

mld4165
So you have the monitor port set as the one that connects to your router, and you still can't see all the traffic? Every time a computer tries to contact another host it's going to go to the router to determine where it should go from there. That means you should see every bit of traffic on that switch.
mld4165

ASKER

kamichie

This seems to be working. ntop seems to do what I need and is much easier than Ethereal, as Ethereal shows so much it is confusing for someone with my level of expertise.

thanks for your help
mld4165
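
Added example, not part of the original thread: a small Python check that a capture taken on the analysis port really contains other stations' unicast traffic, plus the per-source-IP byte totals the question asked for. All MAC addresses, IP addresses and frames are constructed sample data, and the helper names (`ipv4_frame`, `summarize`) are hypothetical.

```python
import struct
from collections import Counter

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload_len):
    """Constructed Ethernet II + IPv4 frame; checksum left at 0 (sample data only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + header + bytes(payload_len)

def summarize(frames, own_mac):
    """Return (third_party_unicast_frames, Counter of IPv4 bytes per source IP)."""
    own, third_party, per_ip = mac(own_mac), 0, Counter()
    for frame in frames:
        if len(frame) < 14:
            continue  # truncated, no full Ethernet header
        dst, src = frame[0:6], frame[6:12]
        is_group = dst[0] & 1  # broadcast/multicast reaches every port anyway
        # Unicast between two other stations normally reaches this NIC only
        # when the switch copies (mirrors) it to our port.
        if not is_group and own not in (dst, src):
            third_party += 1
        if frame[12:14] == b"\x08\x00" and len(frame) >= 34 and frame[14] >> 4 == 4:
            total_len = struct.unpack("!H", frame[16:18])[0]
            per_ip[".".join(map(str, frame[26:30]))] += total_len
    return third_party, per_ip

# Constructed sample: all MAC and IP values below are made up for illustration.
OWN, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:fe"
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
UNMIRRORED = [
    ipv4_frame("ff:ff:ff:ff:ff:ff", HOST_B, "192.168.1.11", "192.168.1.255", 50),
    ipv4_frame(ROUTER, OWN, "192.168.1.2", "203.0.113.5", 100),
]
MIRRORED = UNMIRRORED + [
    ipv4_frame(ROUTER, HOST_A, "192.168.1.10", "203.0.113.5", 1000),
    ipv4_frame(HOST_A, ROUTER, "203.0.113.5", "192.168.1.10", 1400),
    ipv4_frame(ROUTER, HOST_B, "192.168.1.11", "203.0.113.5", 200),
    ipv4_frame(ROUTER, HOST_A, "192.168.1.10", "203.0.113.5", 500),
]

if __name__ == "__main__":
    for name, frames in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        seen, talkers = summarize(frames, OWN)
        print(name, "third-party unicast frames:", seen)
        for ip, nbytes in talkers.most_common():
            print(f"  {ip:15} {nbytes} bytes")
```

A third-party count of zero over a busy period means the capture holds only the sniffer's own traffic and broadcasts, which is the symptom described in the question.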