Analyse Network Traffic

[SpuffMonkey]

I feel almost embarrassed to ask...but...I want to have a close look at the network traffic as things seem to get a bit slow sometimes - and wondered about the best free way to do it. I downloaded Ethereal - as it was mentioned a lot - but having installed it on a server - it seemed to only look at traffic that was originating or destined for that server - what do I need to do to see the whole lot? And are there any freebies out there which are easy to interpret for the neophyte sniffer?

Cheers

[mac_shinobi]

Didnt you get any software that came with your main switch or core switch or the switch you are trying to monitor.

I know at the place I work my network manager ( aka kingswood on here ) used some software that came with the switch that showed traffic, I think there are 2 types of GUI's / interfaces ie web interface and a software type of interface.

[kingswood]

Hi Spuff.

Yes- if you look at the type of switch you have and check with the manufacturer's web site you might be able to download some management tools for free that will do what you want (if you have managed switches). If not you will obviously have to go for a software solution- have you got any Linux boxes on your LAN? Or even a Knoppix or other live CD- if so you could use this:

http://etherape.sourceforge.net/

Geoff will know more- I haven't used this yet but have it ready on my Ubuntu box at home to test.

HTH

Paul

[Ric_]

@SpuffMonkey: If you think back to how switches work, they cleverly route the traffic to their destination so that the only unicast traffic on a partiular port will be destined for the device(s) connected to that port.

You will need to enable promiscuous/debugging/etc. mode on one of the ports and plug a machine into that using promiscuous mode on its NIC - Ethereal will then show all the traffic on that switch.

You will need managed switches for this and you will need to repeat the procedure for each core switch.

[webman]

Our Network Manager uses Colasoft Capsa, but uness you pay for it you can only run a scan/monitor for 30mins at a time.

[Geoff]

Nagios and Cacti are my favorites for System/Device monitoring (uses SNMP)

For scanning and traffic monitoring I use a variety of tools such as iptraf, tcpdump, nmap and ntop.

For security scanning I have been using Nessus however the licensing changes in v3 leave things hanging in the air.

There are windows ports for most of these bits of software, although I find the Linux versions are better maintained and perform better.

I think that covers all bases?

Edit: Forgot to mention Snort for passively picking up all sorts of naughty traffic.

[plexer]

We use HP Procurve switches throughout and I have just been through a replacement program with them so I now have 1 x 2524 managed switch as the top switch in each cabinet the others being 2324's so at least I can telnet, web browse to the managed ones to give me an idea of traffic in that cabinet. Also have spanning tree turned on so if anyone creates a loop it should be restricted to that cabinet.

The HP Web GUI is quite good at showing you alerts etc... for the switch.

These also have the ability to replicate all the traffic on the switch to one port for monitoring. But if you did that on all switches and then had that port connected to your network you would be flooding your network with all the traffic generated and thus defeating the purpose of having a fully switched network.

Hope that helps some,

Ben

[Geoff]

The best way I find is to have all your traffic monitoring stuff on a laptop and plug it in as and when you need to monitor things on a switch.

Its also useful to have two network cards and configure it as a bridge. That way you can plug it inline between devices and monitor traffic transparently.

[pete]

We use Etherape and Ntop here, plus I have periodic safaris using Ethereal.

Etherape's good because it can tell you at a glance if something's getting hammered. Ntop performs the same function for your network that top does for a linux box. This all runs on a documentation / monitoring box.

[CyberNerd]

We use Cacti / SNMP. Cacti produces lots of pretty graphs which management like and lots of info which I like. http://www.cacti.net/

If your switches support syslog (ours dont') then use phpsyslog-ng
http://www.phpwizardry.com/php-syslog-ng.php to get logs in a centralised location. - we have all our servers (inc windows) log to this, it makes checking log files a breeze, especially if the server won't boot

[m25man]

I use Ethereal where possible and LanHound with remote agents.
But you didn't say what it was you were trying to observe?

As Ric said switches intelligently route traffic between MAC addresses so you need a way of ""sniffing" the traffic across the target node.

Most good managed switches have Port Mirroring, just plug your lappy into an empty port and program the switch to mirror the link you wish to monitor to the port you have the lappy in easy.
Protocol analyzers are brilliant for tracing unwanted traffic sources and worms but snmp is the best way to determine real time bandwidth usage.

If you want to monitor realtime traffic then enable snmp on your servers and swtches and use Solarwinds to monitor the snmp agents.

Solarwinds Engineers Edition is my tool of choice (www.solarwinds.net) but it's expensive so we get our school admins to buy the standard toolkit and teach them how to use it correctly.

Cisco, HP and 3Com all come with extremely good network monitoring applications but almost everything else requires you to spend loads of cash on add on suites so there's one good reason to buy quality networking kit in the first place!