network sniffer/monitor

Brian Candler B.Candler at pobox.com
Fri Aug 4 14:12:50 UTC 2006


On Thu, Aug 03, 2006 at 10:33:07AM -0600, mike wrote:
> I need to put a couple network sniffers on our network. The
> purpose is to track and log usage. I would hope to discover
> everything from "who is viewing what website" to typical
> network trends about usage. I would expect having a span
> port on a switch forwarding all traffic to a nic on the box
> listening promiscuously. Something that put it into nice
> web-viewable tables/stats would be ideal, but before I go
> trying to re-invent the wheel...
> 
> It just seems like something that would be "out there".
> 
> I was wondering if there is something out there (preferably
> open-source, but not necessarily a requirement) that some 
> folks use and are reasonably happy with?

Well, at worst you can capture all the traffic using tcpdump -w to write to
a pcap file, and browse it at your leisure with tcpdump -r. That approach
needs a big and/or fast hard drive. However if you use selective port
mirroring, this is a technique I've used for debugging specific problems.

If you want to record your entire network activity, compressing this data
can be achieved using netflow (Cisco's mechanism for identifying flows) or
sflow (simple statistical sampling, e.g. keep 1 in 128 packets), depending
on what your switch or router supports.

If you want to have a pretty graphical analysis of this, you can look at
ntop, which can tcpdump for itself, or input netflow or sflow data. I'm told
it's a bit flakey though.

Another option is argus, but I've not tried that. I don't know if it takes
netflow/sflow, but I understand it can read traffic directly from the
network and summarise it for itself.

Both ntop and argus are in ports.

HTH,

Brian.
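As an added example (not code from the thread or any of the tools mentioned), the following Python script does the "tcpdump -w, then browse later" step in miniature: it reads a classic libpcap file with only the standard library, parses Ethernet/IPv4/TCP or UDP headers, and totals packets and bytes per flow, which is roughly the view a netflow exporter or argus gives you. The capture bytes are constructed inline with made-up addresses so it runs offline; point `summarise()` at `open("file.pcap","rb").read()` for a real capture.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (the format tcpdump -w writes)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError => not a pcap file
    assert struct.unpack_from(endian + "I", data, 20)[0] == 1, "Ethernet (DLT_EN10MB) only"
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]   # captured length
        off += 16                                         # per-packet record header
        yield data[off:off + incl_len]
        off += incl_len

def flow_key(frame):
    """(src, dst, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, proto, sport, dport

def summarise(pcap_bytes):
    """Per-flow [packets, bytes] totals: the rough equivalent of a netflow record."""
    flows = defaultdict(lambda: [0, 0])
    for frame in parse_pcap(pcap_bytes):
        key = flow_key(frame)
        if key is not None:
            flows[key][0] += 1
            flows[key][1] += len(frame)
    return dict(flows)

# --- constructed sample capture (made-up hosts, zeroed checksums; not a real trace) ---
def make_frame(src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 1154700000 + i, 0, len(f), len(f)) + f
                           for i, f in enumerate(frames))

SAMPLE_PCAP = make_pcap([
    make_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.0\r\n"),
    make_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n"),
    make_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /x HTTP/1.0\r\n"),
])
```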


More information about the freebsd-isp mailing list