2

I have a linux box set up running as a router using iptables.

My question is: What is the best way to monitor the traffic passing through it, on a per-IP basis? I've tried using Ntop, but it just gives me the shits, associates computer names with other people's IPs etc...

Surely there's something out there that doesn't try to sniff the whole network, but just what traffic is actually passing through the network cards ON the router/box?

Also, iptables logs are proving useless to me. I can't get them to show traffic flows correctly, i.e. remote traffic is always shown as going to the router's IP, not the actual client IP on the LAN.

Any help MUCH appreciated, cheers.

  • see http://serverfault.com/questions/116509/generating-and-capturing-netflow-on-a-linux-router/116535#116535 basically you want something that works with flows. – Justin Feb 25 '10 at 02:39

3 Answers

1

Have you looked into Smoothwall? I set it up at home on a very old machine. I let it handle DHCP also.

I like it for the stats and because it's sort of a 'project' for me.

Edit: to be more clear, there are several different possible configurations. I am running all traffic, including a wireless router, through my Smoothwall machine. Internet comes into my cable modem and goes straight to the Smoothwall box, then out to an 8-port switch. From there it goes to a wireless router and to a few wired machines. I can monitor traffic/bandwidth in real time and/or look at history in graph or text form. I am still a newbie, but am having a great time with it.

Another Edit: I am not sure this would be appropriate for a huge network and, after rereading the question, I am not sure it is what you are looking for, but I am leaving it up for the info.

cop1152
  • Tried installing Smoothwall on this particular machine, don't know if the installer's just a load of fail, but it couldn't load drivers for the NICs for some reason... (RTL**) –  Feb 25 '10 at 02:24
  • Bummer... I had problems with Realtek NICs also. I ended up rummaging through a box of old cards I had until I found two that it recognized. I ended up installing it 7-8 times before getting it up and running. – cop1152 Feb 25 '10 at 02:28
1
  1. On a switched network (typical today) the only IP traffic that a router sees will be the traffic it is processing (routing across its ports).
  2. Most sniffing tools are capable of skipping name lookups (to show actual IP values for example)
  3. You can add additional lines to your filter rules for logging specific IP packets
    • this will be easier if you know the IP addresses you want to meter and they are a handful rather than a whole subnet
nik
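Point 3 of the answer above, worked through as an added example (not code from the original thread): a small accounting script that takes iptables LOG lines from the FORWARD chain and sums bytes per LAN host in each direction. The rule syntax, the "FWD-ACCT " log prefix, the 192.168.1.0/24 LAN and the sample log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the original post) in the format the kernel
# emits for iptables LOG rules.  Assumed rules on the router:
#   iptables -A FORWARD -s 192.168.1.0/24 -j LOG --log-prefix "FWD-ACCT "
#   iptables -A FORWARD -d 192.168.1.0/24 -j LOG --log-prefix "FWD-ACCT "
# FORWARD sees the real LAN address: SNAT is applied later (POSTROUTING) and
# replies are un-NATed earlier (PREROUTING), so SRC/DST are the client's.
SAMPLE_LOG = """\
Feb 25 02:10:01 router kernel: FWD-ACCT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TTL=63 PROTO=TCP SPT=51234 DPT=80
Feb 25 02:10:01 router kernel: FWD-ACCT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 LEN=52 TTL=54 PROTO=TCP SPT=80 DPT=51234
Feb 25 02:10:02 router kernel: FWD-ACCT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.7 LEN=78 TTL=63 PROTO=UDP SPT=40000 DPT=53
Feb 25 02:10:02 router kernel: FWD-ACCT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=443
Feb 25 02:10:03 router sshd[1234]: Accepted publickey for admin from 192.168.1.10
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line, prefix="FWD-ACCT "):
    """Return the KEY=VALUE fields of one iptables LOG line, else None."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    return dict(FIELD_RE.findall(line[pos + len(marker):]))

def account_per_ip(log_text, lan_net, prefix="FWD-ACCT "):
    """Sum bytes and packets per LAN host, split into upload and download."""
    lan = ipaddress.ip_network(lan_net)
    totals = defaultdict(lambda: {"up_bytes": 0, "down_bytes": 0, "packets": 0})
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if not fields or "SRC" not in fields or "DST" not in fields:
            continue
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        size = int(fields.get("LEN", 0))
        if src in lan:            # LAN host sending out: upload
            entry = totals[str(src)]
            entry["up_bytes"] += size
        elif dst in lan:          # reply arriving for a LAN host: download
            entry = totals[str(dst)]
            entry["down_bytes"] += size
        else:
            continue              # transit traffic not involving the LAN
        entry["packets"] += 1
    return dict(totals)
```

Feed it the output of `grep FWD-ACCT /var/log/kern.log` (path varies by distribution) to get an upload/download total per LAN client; logging every forwarded packet is heavy, so restrict the rules to the handful of hosts you actually want metered, as the answer suggests.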
1

I think you might find it worth trying http://iptraf.seul.org

Tiberiu