Logging traffic on the network

Hi

Here's a diagram of my current network setup: http://ccgi.pendulum.plus.com/diag.gif

What I want to do is log all traffic that goes in and out of the target machine.

I'll consider all options (including buying extra equipment if necessary).

Preferably, I would use my server to log traffic in some way (because it's on 24/7), but the solution must not affect the working of my server (httpd/ftpd etc).
Preferably, I'd like to be able to NOT log traffic from my personal computer, or my server, because it'll make the log files big and harder to skim through.
Preferably, I would rather not have to change the setup of the target computer (e.g. by configuring it to use a proxy). Although I could, and I'll listen to any advice on that.

My router does not appear to offer any real logging facility. It's a DG834 (not the wireless version).

I have said "preferably" above, but I'd like to make it clear that I'm not meaning to set any requirements there, I'll listen to any solution! I'll give the points to the solution I choose as being the best one for me, or I may split them if there is more than one good solution. Questions welcome.

Thanks
Asked by: pendulumx

4 Solutions
prashsax commented:
All you need is a hub.

Connect the hub to your router and then connect all machines to this hub.

Download GivemeToo from the internet.

Install it on the machine where you want to log all the data.

This software will copy all the data being sent and received from any of the machines.


livedrive777 commented:
Well, in terms of monitoring the traffic to the machine I would use Ethereal, but as to how to monitor the traffic, I think the ideal solution is to use a switch that allows you to mirror a port on the switch to another port on the switch. The port you are mirroring would be your target computer's switch port, and you would mirror the port to wherever you are running the monitoring software. This is typically how you would set up most content filtering solutions that require such monitoring and that sort of thing.

One word of caution is that it can be difficult to find a true hub these days. A lot of times when you think you are buying a hub it is really just a low-end switch, which will not allow you to see traffic across all ports, which is what you need.

pseudocyber commented:
The best way to do it is to use a firewall - this is what they're designed to do.

fuzzysb commented:
A central router or firewall will only log traffic leaving and entering the network, as PCs don't send traffic through the default gateway when the other PC is on the same subnet. So IMO you need a packet sniffer to monitor traffic on the whole network.

prashsax commented:
If you need to monitor only traffic stats, like bytes sent and received by any PC, even for this you need a hub.

Then use:
http://lastbit.com/trafmeter/

This tool will give you a detailed report spread across all protocols and bytes transferred (e.g. HTTP 300Kb, FTP 2MB, etc.).


pendulumx (author) commented:
Thanks for the replies.

I should have mentioned that my server is Slackware linux, so GiveMeToo is out - but Ethereal has Unix versions, so that's looking promising.

In using a hub, another "preferably" has come up: I'd prefer not to allow the target machine to monitor all the traffic on the network. I suppose I could just plug my PC directly into the router, but this means the target machine could still monitor the server's traffic (because, as I understand it, a hub sends traffic to every machine connected to it). It's not important really, but I'd prefer to do things properly if I can :)

So I come to the switch (with port mirroring function). Sounds better than the hub, but probably more expensive. I can get hubs from eBay for about £10 (although I know I need to be careful to make sure I get a completely "dumb" one like you advised). However, I've spent a while looking on eBay and places like ebuyer, dabs, etc. for a switch with port mirroring (and all the other names they call it), and the ones I find cost a stupid amount of money. I think they are meant for large offices, corporations etc. How much do you realistically think I could buy a switch with port mirroring for?

If the switch costs a lot of money, I may go with the hub and accept the disadvantages.

@pseudocyber: how much do you think I'll have to spend for a firewall with logging function? From my basic searches it appears I might have to spend a lot.

@fuzzysb: a bit too technical for me I'm afraid. Can't understand that! :o)

I'd like to consider all options. I wonder if it's possible to plug the target machine's RJ45 cable into some kind of PCI card in my server that has two RJ45 ports, so that the traffic goes into the server on port 1, gets logged, and then comes back out through the second connection where it's plugged into the router? If that was possible then it might get rid of the problems I'd get with the hub and hopefully be a lot cheaper than a firewall/switch? Is there anything like that available? At the moment I'm thinking a good switch or firewall is going to cost me about £150, whereas a dead cheap hub will cost only £10 or £15.

Thanks

prashsax commented:
Ok, if your platform is linux, then you have many tools.

http://iptraf.seul.org/
http://humdi.net/vnstat/

These tools have the ability to generate reports for the traffic; Ethereal does not have that much capability.

As for not wanting to use a hub: then you need a Linux machine to act as an internet gateway. That way you can have a Linux server with two NICs; traffic will come in on one and go out on the other.


pendulumx (author) commented:
Thanks for all the replies so far. My main concern is knowing what traffic is going through the system (e.g. what websites are being visited), therefore a packet sniffer like Ethereal seems most appropriate, but it would also come in handy to have something that tells me how much data has been used for each protocol. I may see if I can install one of your suggested programs alongside Ethereal once I get it all up and running.

My server currently has 1 NIC to connect it to the router I have. The server runs things like a web server, FTP server, etc. Could I add two more NICs (total: 3) and then have my server act as a gateway for the target machine, having data pass in and out of it, while at the same time keeping it as a web server etc.? Or would I need to dedicate the machine to being a gateway?

Either way, it sounds quite complicated to set up and I'd have to do a lot of reading. Not necessarily a bad thing. The hub option or switch option seems the most likely of the two solutions at the moment though.

prashsax commented:
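Whether the capture comes from a hub or a mirrored switch port, the capture box sees everything, so the two things asked for here (keep only the target's traffic, not the PC's or the server's, and get per-protocol byte totals) are done when the capture file is processed. This added example, not code from the thread, builds a small constructed pcap file in memory and summarises it; the addresses, ports and frame sizes are assumptions chosen for illustration.

```python
import socket
import struct
from collections import defaultdict

# Constructed addresses (assumptions, not from the thread): the target, and our own PC/server to leave out.
TARGET = "192.168.0.10"
EXCLUDE = {"192.168.0.2", "192.168.0.3"}
SERVICES = {80: "HTTP", 443: "HTTPS", 21: "FTP", 20: "FTP-DATA"}

def frame(src, dst, sport, dport, payload_len):
    """Minimal Ethernet/IPv4/TCP frame, used only as constructed sample data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + b"\0" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + tcp        # zeroed MACs, EtherType 0x0800 = IPv4

def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic libpcap header, Ethernet
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f       # record: ts_sec, ts_usec, incl, orig
    return out

def iter_packets(data):
    endian, pos = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24  # byte order from the magic
    while pos + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def summarise(data):
    """Bytes on the wire per (direction, service, remote host), for TARGET's flows only."""
    totals = defaultdict(int)
    for pkt in iter_packets(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                  # not IPv4 over Ethernet, or not TCP
        src, dst = (socket.inet_ntoa(pkt[i:i + 4]) for i in (26, 30))
        if TARGET not in (src, dst) or src in EXCLUDE or dst in EXCLUDE:
            continue                                  # not the target's traffic, or one of our own hosts
        ihl = (pkt[14] & 0x0F) * 4                    # IPv4 header length in bytes
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        outbound = src == TARGET
        remote, rport = (dst, dport) if outbound else (src, sport)
        totals[("out" if outbound else "in", SERVICES.get(rport, "other"), remote)] += len(pkt)
    return dict(totals)
SAMPLE = pcap([                                       # constructed capture, not a real one
    frame(TARGET, "93.184.216.34", 51000, 80, 200),   # target requests a web page
    frame("93.184.216.34", TARGET, 80, 51000, 1400),  # and gets the page back
    frame(TARGET, "203.0.113.5", 51001, 21, 50),      # target talks FTP elsewhere
    frame("192.168.0.2", TARGET, 445, 51002, 500),    # from the poster's own PC: left out
])
```

On a real capture the same exclusion can be applied at capture time with a libpcap capture filter such as `host 192.168.0.10 and not host 192.168.0.2`, which both tcpdump and Ethereal accept, so the file never grows with the poster's own traffic in the first place.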
If you only want to monitor what traffic is coming and going from your web server and FTP server hosted on this machine, then you do not require anything.

Just install the application and it will log each and every packet passing through your server, be it for the internet or the local network.

You require all that setup only if you wish to capture all the traffic from your network on this server.


pendulumx (author) commented:
I need to log all traffic to/from the target machine, this is a separate system from my server or my PC. Here is a diagram: http://ccgi.pendulum.plus.com/diag.gif

So I do need some extra equipment, that's for sure, because my current router (with inbuilt modem/firewall) doesn't allow me to log anything.

pendulumx (author) commented:
You suggested the hub option, that's good
You also suggested using the server as a gateway for the target machine. That's good too; I can see how that would work with a dedicated machine (the machine would pass the packets to/from the target machine, acting like a router really, but enabling me to log everything). I'm just wondering if I can let my current server do this while at the same time keeping it as a web/FTP server.

prashsax commented:
I won't do that.

If it's your production server, keep it like that; you can take any normal machine for monitoring. It doesn't have to be a huge server.


pendulumx (author) commented:
That makes sense. I know a place where I can get a decent base unit (~300MHz, 64MB RAM) for about £15, probably cheaper than I can buy a hub/switch for! But an extra computer in this small computer room I have would mean even less room.

I'll have a think about what I want to do!
Cheers,

livedrive777 commented:
Not considering the cost, I think if it were me I'd still like the switch option. I just think it is a much cleaner solution.

The--Captain commented:
The dsniff suite of tools should be able to do what you want.

http://www.monkey.org/~dugsong/dsniff/

(the arpspoof tool can get around those pesky switches ;-)

No network architectural adjustments needed, no additional hardware needed, just linux (which already runs on your server, or you could install another linux monitoring box - lord knows you can get the hardware for cheap or even free if you try hard enough).

Cheers,
-Jon

pseudocyber commented:
You can get a Baystack (Nortel) 450 24-port 10/100 switch with port mirroring capability for about $50 off of eBay. We still have these IN PRODUCTION! Perfectly fine. Easy to manage with menus.

Do you want to monitor WEB traffic?  Are you just concerned about what web sites, etc?  If so, then you need a content filter with reporting capability.

You can use a packet capture program, but they are NOT designed to do what you want; they are designed for protocol analysis. They will work, but they will be very cumbersome to use to provide you day-after-day reporting.

prashsax commented:
If you can get a switch with port mirroring capability, nothing like it. It's the most compact and clean way to go.
But it all depends on whether you are ready to buy it.



pendulumx (author) commented:
I've pretty much decided that if I can get a cheapish switch, that's the route I'll take. Otherwise, I'll buy a cheap hub. Room space rules out a gateway. Thanks for all the help, I will split points.

The--Captain commented:
>if I can get a cheapish switch, that's the route I'll take. Otherwise, I'll buy a cheap hub

The arpspoof tool obviates the need, just so you know...

Cheers,
-Jon

pendulumx (author) commented:
Yeah, I did download it, untarred it and read the README. It needed lots of other programs installed in order to work, plus it looked like quite a job actually to get going. Probably beyond me. I gave up in the end. I appreciate that it is another possible solution and I asked for all solutions, but I think I'd rather go the hardware route anyway. Less stress!

The--Captain commented:
No problem - I just wanted to make sure you were aware of as many alternatives as possible.

Cheers,
-Jon

prashsax commented:
Just buy a hub and set it up.

It will be the easiest thing to do.

pendulumx (author) commented:
I'll have to give most of the points to pseudocyber because he recommended the Nortel/Baystack 450 24-port switch. I put that into eBay and found a really good auction for two of these switches. Starting bid £0.99, and the seller was local. We agreed that I could pick it up to avoid postage costs. I won both switches for £0.99!

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=9736664217

Am I happy? VERY!

Thanks for all the help.

pseudocyber commented:
I'm glad you found a solution!  Thanks.  :)