
Thread: Traffic Analyzer

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    Traffic Analyzer

    Hi all. I need to know which kind of traffic goes/comes to/from the internet in my company. I was thinking of putting some kind of Linux machine with two NICs in bridge mode between the firewall and the internet router, with some software analyzer... Any idea or advice before I begin?

    Thank you!

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    What do you mean "Which kind of traffic" Like which ports so you can distinguish that? Or something more like a traffic sniffer?

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    472
    tcpdump, tethereal....
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Sorry, I was not clear enough...

    What I would like is to capture the traffic with something like tcpdump and then analyze it at protocol/application level, I mean, know what percentage is http, smtp, etc... and the origin/destination of the traffic. I can't do it "by hand", or better "by eye", because it is a gateway for 500+ workstations; I need some help in the analysis, or to do it at once if there is some software that does it.

    Hope I explain myself better....

    Thank you.
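    The breakdown asked for here (percentage of bytes per application protocol, plus who talks to whom) can be computed directly from a tcpdump capture file. The following is an added example, not code posted in this thread: a small Python parser for the classic libpcap format that tcpdump writes and Ethereal reads. It assumes Ethernet frames, classifies TCP/UDP flows by the lower well-known port (a simplification; traffic on non-standard ports lands in "other"), and builds a three-packet sample capture inline so it runs offline.

```python
"""Protocol / endpoint breakdown of a tcpdump (pcap) capture.

Added example (not from the forum thread). Parses the classic libpcap file
format (magic 0xa1b2c3d4, Ethernet link type) without needing tcpdump or
Ethereal installed. The sample capture at the bottom is constructed data.
"""
import struct
from collections import Counter

# Assumption: application is identified by the well-known port in use.
APP_PORTS = {80: "http", 443: "https", 25: "smtp", 53: "dns",
             21: "ftp", 22: "ssh", 110: "pop3"}
ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def classify(pkt):
    """Return (app_label, src_ip, dst_ip) for one Ethernet frame, or None if not IPv4."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = pkt[23]
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    l4 = pkt[14 + ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        # The lower port is normally the service side (client ports are ephemeral).
        fallback = "other-tcp" if proto == PROTO_TCP else "other-udp"
        label = APP_PORTS.get(min(sport, dport), fallback)
    else:
        label = "ip-proto-%d" % proto
    return label, src, dst


def iter_packets(data):
    """Yield raw frames from a pcap byte string (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def analyze(data):
    """Return (percent of bytes per application, Counter of (src, dst) pairs by packets)."""
    app_bytes, talkers = Counter(), Counter()
    for pkt in iter_packets(data):
        info = classify(pkt)
        if info is None:
            continue
        label, src, dst = info
        app_bytes[label] += len(pkt)
        talkers[(src, dst)] += 1
    total = sum(app_bytes.values()) or 1
    pct = {k: round(100.0 * v / total, 1) for k, v in app_bytes.items()}
    return pct, talkers


def _frame(src, dst, proto, sport, dport, payload_len):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    l4_hdr_rest = 16 if proto == PROTO_TCP else 4   # pad to a 20-byte TCP / 8-byte UDP header
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * l4_hdr_rest + b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4


def build_sample_pcap():
    """Constructed three-packet capture: an HTTP request/response pair and one SMTP frame."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 40000, 80, 100),
              _frame("203.0.113.10", "10.0.0.5", PROTO_TCP, 80, 40000, 300),
              _frame("10.0.0.7", "198.51.100.25", PROTO_TCP, 40001, 25, 100)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


if __name__ == "__main__":
    pct, talkers = analyze(build_sample_pcap())
    print("bytes by application:", pct)
    print("packets by (src, dst):", dict(talkers))
```

    To use it on a real capture, replace `build_sample_pcap()` with `open("capture.pcap", "rb").read()` where `capture.pcap` was written by `tcpdump -w`; on a gateway for 500+ workstations, capture in time-limited slices rather than one huge file so the counters stay manageable.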

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Got an old hub lying around? Put it inline and attach any box capable of running Ethereal efficiently and there you go.

    Or try this... It works quite well for getting a quick picture.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    It is a switched network. That's why I wanted to put a box between the firewall and the router.

    I would be ok if I was able to run the software on the router or firewall, but none of them are Windows.

    I think that I need some kind of high-level traffic analyzer which works with tcpdump files, for example...

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Ethereal is fine enough.... you can have a look at the statistics from Ethereal.
    Moreover, tethereal is the Ethereal CLI version.
    Ethereal is also capable of understanding tcpdump files very well.

    Hope Ethereal helps you.

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Probably you will also love to have a look at IPTraf
    http://iptraf.seul.org/
    This one is good if you don't want to dump the traffic, but just see the stats.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Ok, if I'm using Ethereal in a two-NIC box... How can I configure a bridge having the two NICs in the same network???

  10. #10
    IKnowNot
    Senior Member
    Join Date
    Jan 2003
    Posts
    792
    You didn't say, but you really should be proficient in using Linux before tackling something like this. You could bring your network to a halt or open up holes.

    How much have you read about Linux and Bridging?

    Quote: "How can I configure a bridge having the two nics in the same network???"

    The nics would not have addresses, the box would be transparent to the network passing everything in then out.

    Depending on the amount of traffic and connections of your host, you may want to consider something like a TAP instead of bridging? ( BTW, Tiger Shark's hub idea can be placed between the router and firewall like a TAP )

    Have you checked out SNORT ?

    Although it was designed as an IDS, you can pretty much make your own rules to have it do whatever you want. You can have it save the traffic to be read by something like tcpdump or Ethereal ( binary mode ), send it to a database, whatever. Very flexible.

    You'll have to do a lot of reading and experimenting before putting it into production, even then you'll have to fine tune it to your needs. There are also programs such as Barnyard and BASE to support it. ( I'm using BASE with MySQL right now but I am no expert on this, I'm still playing! )
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
