
BLU Discuss list archive



[Discuss] Network monitoring tool recommendation



On Wed, Feb 6, 2013 at 6:29 PM, David Rosenstrauch <darose at darose.net> wrote:

> On 02/06/2013 02:00 PM, David Rosenstrauch wrote:
>
>> On 02/06/2013 12:34 PM, Matt Shields wrote:
>>
>>> Also try ntop.  Set it up on a standalone computer.  2 network ports, one
>>> for management, one where you mirror all your traffic at the switchport to
>>> it and have the interface in promiscuous mode.  Then it'll give you nice
>>> charts to show you who is talking to what (i.e. User1 is streaming content
>>> from Youtube, etc).
>>>
>>> Matt
>>>
>>
>> Will check that out - thanks!
>>
>> DR
>>
>
> Great suggestion on ntop!  Looks like what I need.
>
>
> Just one thing I'm not sure about with it, though:
>
> It seems like the intention is that you would run ntop on your gateway
> machine (which all traffic on the network passes through) and that way get
> full stats for the entire network.
>
> However, that's not the setup I have.  I do have a gateway, but it's our
> firewall box, which I can't run ntop on.  The machine I am running it on is
> our ssh entrypoint into the network.  But the other machines on the network
> can initiate connections directly to the Internet through firewall without
> going through the ssh entrypoint.  So I'm thinking that by running ntop on
> the ssh entrypoint box, it's not going to actually be seeing all the
> incoming or outgoing traffic for the network, and so won't be able to
> report on it accurately.
>
> Am I right on this?  And if so, how best to work around this?  (Without
> having to run an instance of ntop on every machine in the network.)
>
> Thanks,
>
>
> DR

I have a separate machine that I use for ntop, snort, tcpdump, nessus and
other monitoring tools.  It has 2 NICs, one is management (ssh, http, etc)
and the second is set to promiscuous mode and connected to my core switch.
On the core switch I have that port be a mirror of the main link.  So all
traffic in and out of the network is mirrored to my monitoring server where
I do analysis on what's going on.

Matt
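The visibility question David raises, worked through as an added example (this is not code from the thread, from ntop, or from either poster). It uses a constructed packet list, an assumed internal LAN of 10.0.0.0/24 with the ssh entrypoint at 10.0.0.5, and compares what a sniffer on that host alone would see against what a NIC on a mirror of the switch's uplink port sees, then builds the ntop-style "who talks to what" table from each vantage point:

```python
from collections import defaultdict

# Constructed sample traffic for illustration (not a real capture): (src, dst, bytes).
# Assumptions: 10.0.0.0/24 is the internal LAN; 203.0.113.x and 198.51.100.x are
# remote Internet hosts; the ssh entrypoint is 10.0.0.5.
INTERNAL_PREFIX = "10.0.0."
SSH_ENTRYPOINT = "10.0.0.5"
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", 1200),     # the ssh box talking outbound itself
    ("203.0.113.10", "10.0.0.5", 400),
    ("10.0.0.21", "203.0.113.50", 950000),  # a workstation streaming video via the firewall
    ("203.0.113.50", "10.0.0.21", 50),
    ("10.0.0.22", "203.0.113.10", 3000),    # another workstation, also bypassing the ssh box
    ("10.0.0.21", "10.0.0.22", 8000),       # LAN-to-LAN traffic that never crosses the uplink
    ("198.51.100.7", "10.0.0.5", 600),      # inbound ssh session to the entrypoint
]


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


def seen_from_host(packets, host):
    """What a sniffer on an ordinary host behind a switch sees: only its own
    conversations, because the switch does not forward other hosts' frames to it."""
    return [p for p in packets if host in (p[0], p[1])]


def seen_from_uplink_mirror(packets):
    """What a promiscuous NIC on a mirror of the uplink port sees: every packet
    crossing the LAN/Internet boundary, whichever host sent it.  Caveat: LAN-to-LAN
    packets never cross that port, so they are not mirrored either."""
    return [p for p in packets if is_internal(p[0]) != is_internal(p[1])]


def top_talkers(packets):
    """ntop-style 'who is talking to what': bytes per (internal host, remote host),
    both directions summed, largest conversation first."""
    totals = defaultdict(int)
    for src, dst, nbytes in packets:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
        elif is_internal(dst) and not is_internal(src):
            totals[(dst, src)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def coverage(packets, host):
    """Fraction of the uplink's bytes that a capture on `host` alone would have seen."""
    uplink = seen_from_uplink_mirror(packets)
    total = sum(p[2] for p in uplink)
    local = sum(p[2] for p in seen_from_host(uplink, host))
    return local / total if total else 0.0


if __name__ == "__main__":
    print("from the ssh box:", len(seen_from_host(SAMPLE_PACKETS, SSH_ENTRYPOINT)),
          f"packets, {coverage(SAMPLE_PACKETS, SSH_ENTRYPOINT):.2%} of uplink bytes")
    print("from the mirror port:", len(seen_from_uplink_mirror(SAMPLE_PACKETS)), "packets")
    for (host, remote), nbytes in top_talkers(seen_from_uplink_mirror(SAMPLE_PACKETS)):
        print(f"  {host:<12} <-> {remote:<15} {nbytes:>8} bytes")
```

Run as a script it prints the two vantage points side by side: the capture on the ssh box never sees the 10.0.0.21 streaming session at all, while the mirror reports it as the top talker. The LAN-to-LAN packet is missing from both, which is why a mirror of the uplink answers "what goes in and out" but not "who talks to whom inside the LAN"; for the latter you would mirror the access ports (or a VLAN) instead.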



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



