pendulumx

Logging traffic on the network

Hi

Here's a diagram of my current network setup: http://ccgi.pendulum.plus.com/diag.gif

What I want to do is log all traffic that goes in and out of the target machine.

I'll consider all options (including buying extra equipment if necessary).

Preferably, I would use my server to log traffic in some way (because it's on 24/7), but the solution must not affect the working of my server (httpd/ftpd etc).
Preferably, I'd like to be able to NOT log traffic from my personal computer, or my server, because it'll make the log files big and harder to skim through.
Preferably, I would rather not have to change the setup of the target computer (e.g. by configuring it to use a proxy). Although I could, and I'll listen to any advice on that.

My router does not appear to offer any real logging facility. It's a DG834 (not the wireless version).

I have said "preferably" above, but I'd like to make it clear that I'm not meaning to set any requirements there, I'll listen to any solution! I'll give the points to the solution I choose as being the best one for me, or I may split them if there is more than one good solution. Questions welcome.

Thanks
SOLUTION
prashsax

SOLUTION
pseudocyber

The best way to do it is to use a firewall - this is what they're designed to do.
fuzzysb
A central router or firewall will only log traffic leaving and entering the network, as PCs don't send traffic through the default gateway when the other PC is on the same subnet. So IMO you need a packet sniffer to monitor traffic on the whole network.
If you need to monitor only traffic stats, like bytes sent and received by any PC:

Even for this you need a hub.

Then use:
http://lastbit.com/trafmeter/

This tool will give you a detailed report spread across all protocols and bytes transferred (e.g. HTTP-300Kb, FTP-2MB etc.).

pendulumx

ASKER

Thanks for the replies.

I should have mentioned that my server is Slackware linux, so GiveMeToo is out - but Ethereal has Unix versions, so that's looking promising.

In using a hub, another "Preferably" has come up: I'd prefer not to allow the target machine to monitor all the traffic on the network. I suppose I could just plug my PC directly into the router, but this means the target machine could still monitor the server's traffic (because, as I understand it, a hub sends traffic to every machine connected to it). It's not important really, but I'd prefer to do things properly if I can :)

So I come to the switch (with port mirroring function). Sounds better than the hub, but probably more expensive. I can get hubs from eBay for about £10 (although I know I need to be careful to make sure I get a completely "dumb" one like you advised). However, I've spent a while looking on eBay and places like ebuyer, dabs, etc. for a switch with port mirroring (and all the other names they call it), and the ones I find cost a stupid amount of money. I think they are meant for large offices, corporations etc. How much do you realistically think I could buy a switch with port mirroring for?

If the switch costs a lot of money, I may go with the hub and accept the disadvantages.

@pseudocyber: how much do you think I'll have to spend for a firewall with logging function? From my basic searches it appears I might have to spend a lot.

@fuzzysb: a bit too technical for me I'm afraid. Can't understand that! :o)

I'd like to consider all options. I wonder if it's possible to plug the target machine's RJ45 cable into some kind of PCI card in my server that has two RJ45 ports, so that the traffic goes into the server on port 1, gets logged, and then comes back out through the second connection where it's plugged into the router? If that was possible then it might get rid of the problems I'd get with the hub and hopefully be a lot cheaper than a firewall/switch? Is there anything like that available? At the moment I'm thinking a good switch or firewall is going to cost me about £150 whereas a dead cheap hub will cost only £10 or £15.

Thanks
Ok, if your platform is Linux, then you have many tools.

http://iptraf.seul.org/
http://humdi.net/vnstat/

These tools have the ability to generate reports for the traffic; Ethereal does not have that much capability.

As you do not want to use a hub, you need a Linux machine to act as an internet gateway. That way you can have a Linux server with two NICs: traffic will come in from one and go out from the other.

Thanks for all the replies so far, my main concern is knowing what traffic is going through the system (e.g. what websites are being visited), therefore a packet-sniffer like Ethereal seems most appropriate, but it would also come in handy to have something that tells me how much data has been used for each protocol, I may see if I can install one of your suggested programs alongside Ethereal once I get it all up and running.

My server currently has 1 NIC to connect it to the router I have. The server runs things like a web server, FTP server, etc. Could I add two more NICs (total: 3) and then have my server act as a gateway for the target machine, having data pass in and out of it, while at the same time keeping it as a web server etc.? Or would I need to dedicate the machine to being a gateway?

Either way, it sounds quite complicated to set up and I'd have to do a lot of reading. Not necessarily a bad thing. The hub option or switch option seems the most likely of the two solutions at the moment though.
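Putting the asker's stated requirements into code (log only the target machine, leave out the server and the personal PC, report bytes per protocol as the trafmeter suggestion does, and record which websites the target requests): this is an added Python example, not code from the thread or from any of the tools mentioned in it. It decodes raw Ethernet/IPv4 frames of the kind a capture tool on a hub or mirrored switch port would hand over; the addresses, the sample frames and every function name are constructed for the demo and are not from the original page.

```python
import socket
import struct
from collections import Counter

# Constructed addresses for the demo (assumptions, not taken from the thread).
TARGET = "192.168.0.10"                    # the machine whose traffic is to be logged
EXCLUDE = {"192.168.0.2", "192.168.0.3"}   # the server and the personal PC: not logged

ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "TCP", 17: "UDP"}
PORT_NAMES = {20: "FTP-data", 21: "FTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4 + TCP-or-UDP frame (checksums left zero)."""
    if proto == 6:   # 20-byte TCP header, data offset 5, flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Decode Ethernet + IPv4 + TCP/UDP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = frame[14 + ihl:14 + total]
    if proto not in PROTO_NAMES or len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset, or fixed UDP header
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": PROTO_NAMES[proto], "sport": sport, "dport": dport,
            "payload": l4[hdr_len:], "bytes": total}


def wanted(pkt):
    """Keep packets involving the target unless the other endpoint is an excluded host."""
    ends = {pkt["src"], pkt["dst"]}
    return TARGET in ends and not (ends - {TARGET}) & EXCLUDE


def service_name(pkt):
    """Label the packet by a well-known port at either end, else by transport."""
    for port in (pkt["dport"], pkt["sport"]):
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    return pkt["proto"]


def http_host(payload):
    """Return the Host header of a plain-text HTTP request, or None."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if " HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def summarise(frames):
    """Return (bytes per service, HTTP hosts requested by the target, packets kept)."""
    by_service, hosts, kept = Counter(), [], 0
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or not wanted(pkt):
            continue
        kept += 1
        by_service[service_name(pkt)] += pkt["bytes"]
        if pkt["src"] == TARGET and pkt["dport"] == 80:
            host = http_host(pkt["payload"])
            if host:
                hosts.append(host)
    return by_service, hosts, kept


# Constructed sample capture: the addresses and payloads below are made up for the demo.
SAMPLE_FRAMES = [
    build_frame(TARGET, "203.0.113.5", 6, 40000, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("203.0.113.5", TARGET, 6, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 200),
    build_frame(TARGET, "192.168.0.1", 17, 5353, 53, b"\x00" * 30),            # DNS query to the router
    build_frame(TARGET, "192.168.0.2", 6, 40001, 21, b"USER anon\r\n"),        # FTP to the excluded server
    build_frame("192.168.0.3", "203.0.113.5", 6, 40002, 443, b"\x16\x03\x01"),  # the PC's own traffic
]

if __name__ == "__main__":
    services, hosts, kept = summarise(SAMPLE_FRAMES)
    print(f"kept {kept} packets; bytes per service: {dict(services)}")
    print("HTTP hosts requested by the target:", hosts)
```

On a real box the frames would come from a capture library or a pcap file read from the interface attached to the hub or mirror port; the filter applied here is the same as the capture expression `host 192.168.0.10 and not host 192.168.0.2 and not host 192.168.0.3` (with the constructed addresses swapped for real ones). Only plain HTTP exposes the site name in a Host header; for HTTPS the byte count per service is still available but the name is not, which is why the DNS queries are also kept in the log.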
If you only want to monitor what traffic is coming and going from your web server and FTP server hosted on this machine, then you do not require anything.

Just install the application and it will log each and every packet passing through your server, be it for the internet or the local network.

You require all that setup only if you wish to capture all the traffic from your network on this server.

I need to log all traffic to/from the target machine, this is a separate system from my server or my PC. Here is a diagram: http://ccgi.pendulum.plus.com/diag.gif

So I do need some extra equipment, that's for sure, because my current router (with inbuilt modem/firewall) doesn't allow me to log anything.
You suggested the hub option, that's good
You also suggested using the server as a gateway for the target machine - that's good too, I can see how that would work with a dedicated machine (the machine would pass the packets to/from the target machine, acting like a router really, but enabling me to log everything), just wondering if I can let me current server do this while at the same time keeping it as a web/ftp server.
I won't do that.

If it's your production server, keep it like that; you can take any normal machine for monitoring. It doesn't have to be a huge server.

That makes sense. I know a place where I can get a decent base unit (~300mhz, 64mb RAM) for about £15, probably cheaper than I can buy a hub/switch for! But an extra computer in this small computer room I have would mean even less room.

I'll have a think about what I want to do!
Cheers,
Not considering the cost, I think if it were me I'd like the switch option still. I just think it is a much cleaner solution.
The dsniff suite of tools should be able to do what you want.

http://www.monkey.org/~dugsong/dsniff/

(the arpspoof tool can get around those pesky switches ;-)

No network architectural adjustments needed, no additional hardware needed, just linux (which already runs on your server, or you could install another linux monitoring box - lord knows you can get the hardware for cheap or even free if you try hard enough).

Cheers,
-Jon
ASKER CERTIFIED SOLUTION
If you can get a switch with port mirroring capability, nothing like it. It's the most compact and clean way to go.
But it all depends on whether you are ready to buy it.


I've pretty much decided that if I can get a cheapish switch, that's the route I'll take. Otherwise, I'll buy a cheap hub. Roomspace rules out a gateway. Thanks for all the help, will split points.
SOLUTION
Yeah, I did download it, untar and read the README. It needed lots of other programs installed in order to work, plus it looked quite a job actually to get going. Probably beyond me. I gave up in the end, I appreciate that it is another possible solution and I asked for all solutions, but I think I'd rather go the hardware route anyway. Less stress!
No problem - I just wanted to make sure you were aware of as many alternatives as possible.

Cheers,
-Jon
Just buy a hub and set it up.

It will be the easiest thing to do.
I'll have to give most of the points to pseudocyber because he recommended the Nortel/Baystack 450 24-port switch. I put that into eBay and found a really good auction for two of these switches. Starting bid £0.99, and the seller was local. We agreed that I could pick it up to avoid postage costs. I won both switches for £0.99!

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=9736664217

Am I happy? VERY!

Thanks for all the help.
I'm glad you found a solution!  Thanks.  :)