OpenBSD Journal

network traffic analyzer

Contributed by jose from the keeping-track-of-things dept.

tamas writes: "Hi,

does anyone know/use a configurable network traffic analyzer? We have a 1000+ network in our dorm, a gigabit connection to the university, and we'd like to monitor and filter the traffic of our users (all of them have static IPs).

We'd also like to have a web interface to plot out the daily traffic of individual pc's sorted by ports ("services"), and the sum traffic per host per day (maybe, per-week also).

Is there any pre-written _free_ software (software groups) that can be used to do this?

All of your help would be appreciated. Thanks!"



Comments
  1. By djm

    You could use Cisco Netflow, most gigabit-capable routers support it, and it is well documented. If you are using an OpenBSD box as a firewall/router (and you don't mind me plugging software I have written), you can use softflowd or pfflowd.

    You will still need something to process the traffic records. There are plenty of options here: flow-scan, cflowd, autofocus, or you could just shove all the flows into a SQL database and make your own frontend (it isn't hard).

    Comments
    1. By Chad Loder

      I agree that pfflowd would be the best way to do the data collection. It's in the ports (net/pfflowd)
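The "shove all the flows into a SQL database and make your own frontend" route from the comment above, written out as an added example (not code from the thread, softflowd or pfflowd). It parses NetFlow v5 export datagrams, the format softflowd emits by default, attributes each flow to the local static IP on one side of it, stores the flows in SQLite with parameterised statements, and answers the two queries the original poster asked for: daily bytes per host per service port, and the daily total per host. The 10.0.0.0/16 dorm prefix, the addresses and the datagram itself are constructed for the example; the record layout is the published NetFlow v5 format. Two things a practitioner wants here: NetFlow is plain unauthenticated UDP, so the collector checks the header's record count against the datagram length rather than trusting it, and the exporter's source address should be restricted with a pf rule on the collector.

```python
"""NetFlow v5 collector core: parse, attribute to local hosts, aggregate in SQLite."""
import datetime
import ipaddress
import socket
import sqlite3
import struct

# NetFlow v5 wire format, network byte order (published Cisco layout).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30                                        # a v5 datagram carries at most 30 records


def parse_v5(datagram):
    """Parse one NetFlow v5 UDP payload into a list of flow dicts.

    The collector reads untrusted UDP, so the header's record count is checked
    against the real length instead of being used to size the reads."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _uptime, unix_secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "proto": r[13], "unix_secs": unix_secs, "seq": seq})
    return flows


def is_valid_v5(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5_datagram(records, unix_secs, seq=0):
    """Construct a v5 datagram; used here only to produce an offline sample."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       0, 0, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (src, dst, sport, dport, proto, pkts, octets) in records)
    return V5_HEADER.pack(5, len(records), 0, unix_secs, 0, seq, 0, 0, 0) + body


def attribute(flow, local_net):
    """Map a flow to (local host, service port, direction).

    The service port is taken as the lower of the two ports, the usual heuristic
    for the well-known side. Flows with both or neither end inside local_net are
    dropped (returns None), so local-to-local chatter is not billed to anyone."""
    src_local = ipaddress.ip_address(flow["src"]) in local_net
    dst_local = ipaddress.ip_address(flow["dst"]) in local_net
    if src_local == dst_local:
        return None
    host = flow["src"] if src_local else flow["dst"]
    return host, min(flow["sport"], flow["dport"]), "out" if src_local else "in"


SCHEMA = """
CREATE TABLE IF NOT EXISTS flows (
    day TEXT NOT NULL, host TEXT NOT NULL, proto INTEGER NOT NULL, port INTEGER NOT NULL,
    dir TEXT NOT NULL, bytes INTEGER NOT NULL, packets INTEGER NOT NULL);
CREATE INDEX IF NOT EXISTS flows_day_host ON flows(day, host);
"""


def load_flows(conn, flows, local_net):
    """Store attributed flows; returns the number of rows written."""
    conn.executescript(SCHEMA)
    rows = []
    for f in flows:
        a = attribute(f, local_net)
        if a is None:
            continue
        host, port, direction = a
        day = datetime.datetime.fromtimestamp(f["unix_secs"], datetime.timezone.utc).strftime("%Y-%m-%d")
        rows.append((day, host, f["proto"], port, direction, f["bytes"], f["packets"]))
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", rows)  # bound parameters, never string-built SQL
    conn.commit()
    return len(rows)


def per_host_per_port(conn, day):
    """Daily bytes per host per service port: the rows a web frontend would plot."""
    return conn.execute("SELECT host, port, SUM(bytes) FROM flows WHERE day = ? "
                        "GROUP BY host, port ORDER BY host, SUM(bytes) DESC", (day,)).fetchall()


def per_host_total(conn, day):
    return conn.execute("SELECT host, SUM(bytes) FROM flows WHERE day = ? "
                        "GROUP BY host ORDER BY host", (day,)).fetchall()


LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed dorm prefix
# Constructed sample export, timestamped 2004-01-21 UTC: (src, dst, sport, dport, proto, pkts, bytes)
SAMPLE = build_v5_datagram([
    ("10.0.1.5", "198.51.100.7", 50123, 80, 6, 12, 1000),
    ("198.51.100.7", "10.0.1.5", 80, 50123, 6, 10, 5000),
    ("10.0.1.5", "203.0.113.9", 50124, 22, 6, 7, 700),
    ("10.0.2.8", "10.0.1.5", 40000, 445, 6, 3, 300),   # local-to-local, not counted
], unix_secs=1074700800)


def demo():
    conn = sqlite3.connect(":memory:")
    loaded = load_flows(conn, parse_v5(SAMPLE), LOCAL_NET)
    return loaded, per_host_per_port(conn, "2004-01-21"), per_host_total(conn, "2004-01-21")


if __name__ == "__main__":
    loaded, by_port, totals = demo()
    print("flows stored:", loaded)
    for host, port, nbytes in by_port:
        print(f"{host} port {port}: {nbytes} bytes")
    for host, nbytes in totals:
        print(f"{host} total: {nbytes} bytes")
```

In a real collector the datagram comes from a UDP socket bound on the OpenBSD box; `parse_v5` is the only code that touches raw bytes, and a datagram that fails its checks is dropped, not partially parsed. Per-week sums are the same `GROUP BY` over a `strftime('%Y-%W', day)` expression.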

  2. By Matt Van Mater

    give ntop a try. The one in the ports collection is a little old, but you should be able to download your own and compile it yourself.

    It has rudimentary netflow support, and gives lots of nice traffic summaries that can be sorted by src, dest, protocol, throughput, etc. It has a nice little built in web front end to view all these things.

    Comments
    1. By raiten (julien.touche@lycos.com)

      ntop3 (pre2 for now) is fine. I've managed to make it work. A port is on the way, but too late for 3.5.

      but it needs some recent hardware (> 500MHz and a lot of memory depending on your setup)

    2. By Anonymous Coward

      Or a more lightweight tool like "pktstat". Does the job quite well for me. Low resource usage, written solely for OpenBSD, and I like the interface better than that of NTOP. That's not to say that they do all of the same things as each other.

  3. By free (null@example.org)

    ntp.org

    else simply set up a bridge, use pf to allow to/from each IP as an individual rule (with a label), then flex ya inner Perl and pass mrtg/rrd some values to plot

  4. By Anonymous Coward

    bandwidthd is your friend (see earlier article on deadly)

  5. By Justin

    Hatchet has some nice features that might have what you want.

    See this screenshot for an example:
    http://www.dixongroup.net/hatchet/screen_v06a.jpg

    It also has pfstat graphs as well.

    Comments
    1. By Thomas

      How big is a default hatchet install? I'm asking because I want to visualize the traffic on my Soekris box and don't want to waste too much space on the CF card and in /var on my memory file system. There won't be too many logs, because there aren't many users behind this firewall.

      Thanks,
      Thomas

  6. By Chris Cappuccio (chris@nmedia.net)

    Damien's tools for netflow collection are great, pfflowd and softflowd. NeTraMet is another tool that you can use by itself, or you can use NetFlowMet (part of NeTraMet) in combination with *flowd to gather stats. Finally, ipfm (from the ports tree?) is the easiest and simplest way to get started. ipa from the ports tree is another option. None of these tools just give you a web interface, but they have various features and levels of complexity, and all can measure traffic for you.

  7. By j0rd

    give ntop a try, seems to do everything you asked. The admins at my office building use it, and from browsing the one they have set up, it seems pretty nice.

    Comments
    1. By Anonymous Coward

      How do you get -w working?

      Comments
      1. By michiel (michiel@vanbaak.info)

        cd /usr/ports/net/ntop && rm patches/patch-ntop.c && make install

        Comments
        1. By Anonymous Coward

          Thank you!

          Comments
          1. By michiel (michiel@vanbaak.info)

            One thing I noticed under 2.4-CURRENT Wed Jan 21 09:51:03 MST 2004 is that the -d switch makes ntop die after 5 minutes. I run it in "screen" now without the -d flag and now all keeps running :)

            I also followed the apache-mod_proxy howto that is on the ntop homepage. That way you don't have to open direct access to the ntop port. :)

            Have fun

  8. By jose (http://monkey.org/~jose/)

    have a look at processing flow data with flowscan.

    http://net.doit.wisc.edu/~plonka/FlowScan/

    can pivot on lots of data easily ...

  9. By Steve

    While not having all the features required, I've had a lot of joy with this tool:
    http://qosient.com/argus/

    - Steve

  10. By hubertf (hubertf@hubertf.de)

    helps you watch pr0n without searching!

    Screenshots:
    http://www.uni-magdeburg.de/steschum/6clt/imgp1740r.jpg
    http://www.uni-magdeburg.de/steschum/6clt/imgp1743.jpg
    http://www.uni-magdeburg.de/steschum/6clt/imgp1745r.jpg

    - Hubert

    Comments
    1. By Anonymous Coward

      that is uber-funky :-)

  11. By Darian Lanx (spamtrap@uptime.at)

    Yes, we wrote a logger which is trimmed to cope with gigabit links that are fully saturated. We took great care in designing the buffer so your I/O subsystem can keep up. It is not released to the public yet, but if you contact me, I can give you details and do not worry, it is of course free.

  12. By Jurgen Kobierczynski

    http://jkflow.sourceforge.net
    http://www.caida.org

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]