Internet Link Detective Audit

Edward Elhauge ee at uncanny.net
Mon Oct 23 17:09:49 PDT 2006


I'm hoping someone on this list can steer me in the right direction
towards figuring out what is going on with my internet link. (Or rather
the tools to figure it out on my own).

I had a call from my ISP claiming that they saw unusual network
activity (high usage). At first we thought it was simply my new peering,
but a few weeks later they claimed up to 7GB on port 5560 (iMesh).
Since I block port 5560 incoming I have to figure it must be from the
inside.

I'm puzzled because as far as I can tell from my Postfix and INN logs
I'm using only 100 MB per day or so. With about 15 machines on our
building's network, it might be a bit difficult to figure out what is
going on just by inspection (also some of the clients are Mac, Windows
XP and Ubuntu).

What I'd like is a tool running on FreeBSD that will sort IP traffic
coming across my Internet interface by:
  SRC  IP, PROTOCOL and PORT
  DEST IP, PROTOCOL and PORT
then give me total KBs passed in that interval.

I currently have one FreeBSD machine devoted to Gateway Router and NAT.
It runs ipfilter (ipf). From reading the list over the years I know
about tools that do things like this but don't know of one that does
this exactly.

I set up ifstat, but it doesn't sort the traffic by src, dest, port,
etc, just a total KB/s in/out.

I know that one can use dummynet or ALTQ to do bandwidth shaping, but
I'd rather find out where all the traffic is going rather than just
restricting it.

Perhaps snort would do what I want, but before I spend the time setting
it up I wanted to make sure that I could easily get a count of KB/s flowing
across the interface, since my main interest isn't intrusion detection,
but really something more like a traffic audit.

Any pointers for how to instrument this are greatly appreciated.

-- 
        Edward Elhauge <ee at uncanny.net>
"The life which is unexamined is not worth living." -- Plato
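[Editor's note: the following is an added example, not part of Edward's post or any tool mentioned in it. It shows the kind of per-interval accounting the post asks for, implemented over the output of `tcpdump -nn -tt -q -i <interface>` run on the gateway's Internet-facing interface: it keys each packet by (protocol, source IP, source port, destination IP, destination port), sums bytes into fixed time buckets, and also totals bytes per source host so the chatty inside machine stands out among the 15 clients. The sample lines are constructed here in the shape of that tcpdump output; the exact summary text varies between tcpdump versions, so parse_line() is the part to adapt. The byte counts are the lengths tcpdump prints (TCP/UDP payload or ICMP length), so headers are not included; the ranking, not the absolute figure, is what identifies the culprit.]

```python
"""Aggregate tcpdump output by (proto, src, sport, dst, dport) per interval.

Added illustration, not code from the original post. Input lines are assumed
to look like `tcpdump -nn -tt -q` output: epoch timestamp, "IP"/"IP6",
"src.port > dst.port:", then a short protocol summary such as "tcp 1448",
"UDP, length 80" or "ICMP echo request, ..., length 64".
"""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    ts: float
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    nbytes: int


FlowKey = Tuple[str, str, Optional[int], str, Optional[int]]

# Byte count as tcpdump prints it: "tcp N" (with -q), "length N", or a
# trailing "(N)" on application-decoded lines.
_LEN_RE = re.compile(r'(?:^tcp (\d+)$)|(?:length (\d+))|(?:\((\d+)\)\s*$)')

# Constructed sample, mimicking -nn -tt -q output (not a real capture).
SAMPLE_LINES = """\
1161648589.000001 IP 192.168.1.10.49152 > 10.0.0.5.5560: tcp 1448
1161648589.200000 IP 10.0.0.5.5560 > 192.168.1.10.49152: tcp 0
1161648589.400000 IP 192.168.1.10.49152 > 10.0.0.5.5560: tcp 1448
1161648590.000000 IP 192.168.1.22.53420 > 10.0.0.9.53: UDP, length 29
1161648590.050000 IP 10.0.0.9.53 > 192.168.1.22.53420: UDP, length 80
1161648591.000000 IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
1161648650.000000 IP 192.168.1.10.49152 > 10.0.0.5.5560: tcp 1448
"""


def _split_endpoint(ep: str, has_port: bool) -> Tuple[str, Optional[int]]:
    """'10.0.0.5.5560' -> ('10.0.0.5', 5560); ICMP endpoints carry no port."""
    if not has_port or '.' not in ep:
        return ep, None
    host, port = ep.rsplit('.', 1)
    return host, int(port)


def parse_line(line: str) -> Optional[Flow]:
    """Parse one tcpdump line; return None for anything we don't understand."""
    try:
        ts_str, family, remainder = line.strip().split(' ', 2)
        ts = float(ts_str)
        if family not in ('IP', 'IP6'):
            return None
        endpoints, rest = remainder.split(': ', 1)
        src_ep, dst_ep = endpoints.split(' > ')
    except ValueError:
        return None
    low = rest.lower()
    if low.startswith('tcp') or 'flags [' in low:
        proto = 'tcp'
    elif low.startswith('udp'):
        proto = 'udp'
    elif low.startswith('icmp'):
        proto = 'icmp'
    else:
        proto = 'other'
    has_port = proto in ('tcp', 'udp')
    src, sport = _split_endpoint(src_ep, has_port)
    dst, dport = _split_endpoint(dst_ep, has_port)
    m = _LEN_RE.search(rest)
    if not m:
        return None
    nbytes = int(next(g for g in m.groups() if g is not None))
    return Flow(ts, proto, src, sport, dst, dport, nbytes)


def aggregate(lines: Iterable[str], interval: int = 60) -> Dict[int, Dict[FlowKey, int]]:
    """Sum bytes per (proto, src, sport, dst, dport) within each interval-second bucket."""
    buckets: Dict[int, Dict[FlowKey, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        bucket = int(f.ts // interval) * interval
        buckets[bucket][(f.proto, f.src, f.sport, f.dst, f.dport)] += f.nbytes
    return {b: dict(flows) for b, flows in buckets.items()}


def top_flows(buckets: Dict[int, Dict[FlowKey, int]], n: int = 10) -> List[Tuple[int, FlowKey, float]]:
    """Largest (bucket, flow key, KB) entries across all buckets, descending."""
    rows = [(b, k, nb / 1024.0) for b, flows in buckets.items() for k, nb in flows.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:n]


def bytes_by_source(buckets: Dict[int, Dict[FlowKey, int]]) -> Dict[str, int]:
    """Total bytes sent per source host: which inside machine is the talker?"""
    totals: Dict[str, int] = defaultdict(int)
    for flows in buckets.values():
        for (_proto, src, _sport, _dst, _dport), nb in flows.items():
            totals[src] += nb
    return dict(totals)


def main(argv: List[str]) -> None:
    # `python3 audit.py -` reads live tcpdump from stdin; otherwise uses the sample.
    lines = sys.stdin if len(argv) > 1 and argv[1] == '-' else SAMPLE_LINES.splitlines()
    buckets = aggregate(lines)
    for bucket, (proto, src, sport, dst, dport), kb in top_flows(buckets):
        print(f"{bucket} {proto:5} {src}:{sport or '-'} -> {dst}:{dport or '-'} {kb:8.1f} KB")
    for host, nb in sorted(bytes_by_source(buckets).items(), key=lambda kv: -kv[1]):
        print(f"source {host:16} {nb / 1024.0:8.1f} KB")


if __name__ == '__main__':
    main(sys.argv)
```

On the gateway this would be run as `tcpdump -nn -tt -q -i <ext_if> | python3 audit.py -` for a representative interval; because the box does NAT, capturing on the inside interface instead is what reveals the real inside source address rather than the gateway's public one.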

