Newsgroups: comp.os.linux.networking Date: 1999/06/09
> I need to watch what's going on the local network.
> Can any kind soul explain to me how this can be done using
> my linux (slackware 4.0) box? I especially need to watch
> what a particular machine puts on the ethernet.
Try tcpdump for starters. If that doesn't do it for you, try iptraf or ksniffer.
Walt
Some little utilities like trafshow, ntop, and netwatch are nice little programs to watch basic network traffic, like if one pc is using ftp, telnet, or what port/type of traffic is going through. ntop is a really nice package because you can set it up to have a web interface and it breaks down the info into nice little pages, but it adds a few to your load average.
aris
Thanks a lot. I'm using netwatch.
mysniff-1.3.tar.gz 201733 Jul 5 17:22:57 2002 http://packetstormsecurity.nl/sniffers/mysniff-1.3.tar.gz Mysniff is a libpcap sniffer with RC4 encryption. It sniffs the first 128 bytes of data sent to ftp / telnet / pop2 / pop3 / imap & rlogin servers, therefore revealing the logins & passwords used.
IPTraf 2.5.0
Date: August 16th, 2001 License: GPL
IPTraf is a network monitor and statistics generator for IP LANs.
With this program, you can get an idea of the type of IP traffic passing over your network, the loads on the various hosts connected to it, and the activity of the entire segment.
Ethereal is a network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers.
License: GPL
Ethereal 0.8.15 has one of the biggest GUI changes in recent history; display filters can now be constructed via an easy-to-use point-and-click interface. Protocol dissectors now exist for: NFSv4, Mobile IPv6, X.25 over TCP, LAPBETHER, DEC LANBridge Spanning Tree Protocol, X.25 over LLC, Frame Relay, MTP3 User Adaptation Layer, and ISDN Q.921 User Adaptation Layer. Many other dissectors and core features were improved, and bugs were squashed. The wiretap library can now read Sniffer Frame Relay files. Capturing supports the "any" pseudo-device on Linux if you use libpcap 0.6.1 from www.tcpdump.org.
JFF NMS is an NMS (Network Management System) designed to maintain an IP SNMP / Syslog / Tacacs+ network. I use it in a Cisco-based Network (Routers, Switches, etc) for my employer TIBA (Buenos Aires International Teleport) in Argentina.
Peep, the Network Auralizer, monitoring your network with sound. Peep is a network monitoring tool that represents network information via an audio interface. Network diagnostics are made not only based on single network events but whether the network sounds "normal".
Tcpdump is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. It is installed by default on RedHat linux and has very simple syntax, especially if you are doing simpler types of troubleshooting.
One of the most common uses of tcpdump is to determine whether you are getting basic two way communication. Lack of communication could be due to:
Bad routing
Faulty cables, or faulty interfaces on devices in the packet flow
The server not listening on the port because the software isn't installed or started
Analyzing tcpdump in much greater detail is beyond the scope of this section.
Like most Linux commands, tcpdump uses command line switches to modify the output. Some of the more useful command line switches would include:
Possible TCPdump Messages

tcpdump command switch   Description
-c                       Stop after viewing count packets.
-i                       Listen on interface. If this is not specified, then tcpdump will use the lowest numbered interface that is UP.
-t                       Don't print a timestamp at the beginning of each line.
You can also add expressions after all the command line switches. These act as filters to limit the volume of data presented on the screen. You can also use keywords such as "and" or "or" between expressions to further fine tune your selection criteria. Some useful expressions include:
Useful TCPdump Expressions

tcpdump command expression   Description
host host-address            View packets to or from the IP address host-address
icmp                         View ICMP packets
tcp port port-number         View TCP packets with either a source or destination TCP port of port-number
udp port port-number         View UDP packets with either a source or destination UDP port of port-number
Example: tcpdump used to view ICMP "ping" packets going through interface wlan0
[root@bigboy tmp]# tcpdump -i wlan0 icmp
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply

9 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
The first column of data is the packet time stamp.
The second column shows the packet's source, then its destination, as an IP address or server name.
The third column shows the packet type.
Two way communication is occurring, as each echo request gets an echo reply.
Example: tcpdump used to view packets on interface wlan0 to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output
[root@bigboy root]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
tcpdump: listening on wlan0
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]

9 packets received by filter
0 packets dropped by kernel
[root@bigboy root]#
The first column of data shows the packet's source, then its destination, as an IP address or server name (there is no timestamp column because of the -t switch).
The second column shows the TCP flags within the packet.
The client named "bigboy" is using port 32938 to communicate with the server named "smallfry" on the TCP SSH port 22.
Two way communication is occurring
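The flags column carries more diagnostic value than "packets flow both ways": a SYN answered by an R (reset) means nothing accepted the connection on that port, a SYN answered by a SYN with an ack means the handshake completed, and a SYN with no reply points at filtering, routing or a dead host. The following is an added example, not part of the tutorial: it parses lines in the classic tcpdump TCP format shown above (timestamp optional, so both examples' output formats are accepted), takes the sender of the bare SYN as the client, and classifies the session. The sample text is the first four packets of the SSH example; the function names are mine.

```python
import re

# Constructed sample: the first four packets of the "tcp port 22" example above,
# one packet per line exactly as tcpdump -t prints them.
SSH_CAPTURE = """\
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
"""

# Classic tcpdump TCP line: [timestamp] src > dst: FLAGS rest
# The timestamp is optional so both -t and timestamped output parse.
LINE_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+ )?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
# "ack N" later on the line; the \b keeps the "sackOK" option from matching.
ACK_RE = re.compile(r"\back \d+")

def parse_packets(text):
    """Return (src, dst, flags, acked) for every TCP line that parses."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], m["dst"], m["flags"], bool(ACK_RE.search(m["rest"]))))
    return pkts

def summarize_session(text):
    """Identify the client (whoever sent the bare SYN), whether packets flowed
    both ways, and whether the handshake completed, was reset, or went unanswered."""
    pkts = parse_packets(text)
    syn = next((p for p in pkts if "S" in p[2] and not p[3]), None)
    if syn is None:
        return {"client": None, "server": None, "two_way": False, "outcome": "no SYN seen"}
    client, server = syn[0], syn[1]
    replies = [p for p in pkts if p[0] == server and p[1] == client]
    if any("R" in p[2] for p in replies):
        outcome = "reset"        # SYN answered with RST: nothing listening, or refused
    elif any("S" in p[2] and p[3] for p in replies):
        outcome = "established"  # a SYN carrying an ack (SYN-ACK) came back
    else:
        outcome = "unanswered"   # SYNs with no reply: filtered, misrouted, or host down
    return {"client": client, "server": server, "two_way": bool(replies), "outcome": outcome}

if __name__ == "__main__":
    print(summarize_session(SSH_CAPTURE))
```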
Newsgroups: comp.os.linux.misc Date: 2001-07-18 11:40:26 PST
> I have set up a linux machine as a gateway for my windows boxes. Now I suspect
> some software to send out data I don't want it to. How can I dump the entire
> traffic that is going over my linux box? I tried to use tcpdump but that gives
> only the first n bytes from each package and also doesn't provide the actual
> data, only hex values. I don't need to have the protocol interpreted (though it
> wouldn't hurt) but I want the raw binary data.
You'll like ethereal. I also like snort.
Silviu Minut
[ethereal]
> Thanks. I just downloaded it, but I don't know how to handle it. How do
> I specify that I want all data that is going over eth0 dumped to a file?
> Even better would be if I could specify that this is only to be done to
> certain addresses.
Fire up ethereal (with root privileges).
Select Start… from the Capture menu; a dialog box entitled Capture Preferences should pop up.
Select eth0 in the interface selector at the top of the dialog and type a tcpdump compatible filter in the Filter field. For example:
host myhostname and host 192.168.1.1 and host www.linux.com
You can extend the filter to do all sorts of stuff; have a read of the tcpdump man page for more info. Test your filters with tcpdump itself; it's faster to play with them.
Now you just specify a filename to write the output into in the File field. I just did a test and called mine capture.pcap. I set the packet capture length to the maximum 65535 bytes. The output is in tcpdump format.
$ file capture.pcap
capture.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
> I don't know much about networking so these questions may sound dumb but
> I read the man pages and I can't make much of it.
No probs. Keep posting. A very useful feature of ethereal is the Follow TCP Stream tool (from the Tools menu). Select a TCP packet that is part of a TCP conversation you're interested in and then select it. You get a new window with the conversation that took place between client and server; especially handy for text based protocols. Note - it creates a view filter so when you're done with a stream click the Reset button at the bottom of the main window to show all packets again…
Another tip; you can actually do the capturing with tcpdump (see the documentation for the -s option for setting packet capture length) and get it to write the output to a file. Then you can load it into ethereal for viewing…
The tcpdump man page also says
Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
Probably not a problem for you if your traffic is not enormous, but worth bearing in mind.
Graham
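Everything `file` reports about the capture above (byte order from the magic number, version 2.4, Ethernet link type, capture length) lives in the 24-byte libpcap global header, and each packet record that follows says how many bytes were kept versus how long the frame really was, which is exactly where a small snaplen shows up. The following is an added example, not from this thread: a parser for that format that reports those fields and counts frames cut short by the snaplen, plus a constructed writer (my own helper, not tcpdump's) to produce little- or big-endian test files.

```python
import struct

# Link-layer type values from the libpcap headers; only Ethernet is named here.
LINKTYPES = {1: "Ethernet"}

def parse_pcap(data):
    """Parse a classic libpcap file: return what `file` prints plus how many
    packet records were truncated by the snaplen (incl_len < orig_len)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":          # 0xa1b2c3d4 written little-endian
        order, endian = "<", "little-endian"
    elif magic == b"\xa1\xb2\xc3\xd4":        # 0xa1b2c3d4 written big-endian
        order, endian = ">", "big-endian"
    else:
        raise ValueError("not a libpcap capture file")
    vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    packets = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        if incl > snaplen or off + 16 + incl > len(data):
            raise ValueError("corrupt packet record at offset %d" % off)
        packets += 1
        if incl < orig:
            truncated += 1                    # snaplen cut this frame short
        off += 16 + incl
    return {"endian": endian, "version": "%d.%d" % (vmaj, vmin),
            "linktype": LINKTYPES.get(linktype, str(linktype)), "snaplen": snaplen,
            "packets": packets, "truncated": truncated}

def build_pcap(snaplen, frames, order="<"):
    """Constructed writer: a version 2.4 Ethernet capture in which every frame
    is trimmed to snaplen, as tcpdump -s would do while capturing."""
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        cut = frame[:snaplen]
        out += struct.pack(order + "IIII", 1000 + i, 0, len(cut), len(frame)) + cut
    return out

# Constructed sample frames: a minimum-size Ethernet frame and a full-size one.
FRAMES = [b"\x00" * 60, b"\x00" * 1500]

if __name__ == "__main__":
    print(parse_pcap(build_pcap(65535, FRAMES)))   # nothing truncated
    print(parse_pcap(build_pcap(68, FRAMES)))      # the 1500-byte frame is cut to 68
```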
Newsgroups: comp.os.linux.announce Date: 2002-09-19 08:51:16 PST
We have made Network Probe 0.3beta1 available for download. It's a free web based network monitor and traffic analyzer.
Network Probe gives you an instant picture of the traffic situation on your network and enables you to identify and isolate traffic problems.
See http://www.network-monitor.net for details.
Features:
Java based, client runs in web browser
Gives you traffic data in table and bar chart
Displays all protocols used
Displays traffic information about each host seen
Displays traffic between every host seen
Displays protocols used per host
Displays protocols used per conversation
Displays traffic for each network card on the segment
Displays traffic for each network card conversation
Enables you to sort, search, and filter traffic data
User management
Changes from version 0.2.2 to 0.3beta1:
Added password protection for the probe
Added users management and resource restriction
Added reset functionality (intervals and on-demand)
Improved network protocol detection algorithm
Added first seen/last seen entry to the network statistics entries
Added links to http entries so the pages can be opened
Added selection of network card with command line parameter
Added selection of probe port with command line parameter
Fixed bug with Linux driver; all network cards are now listed
Requirements:
Windows 2000, Windows XP, Windows NT or Linux
Network card capable of promiscuous mode
Java runtime installed (1.1.8 or above)
Regards, Network Team at ObjectPlanet http://www.network-monitor.net
Newsgroups: comp.os.linux.announce Date: 2002-09-19 08:50:27 PST
Squidalyser is a squid traffic analyser, designed to allow per-user scrutiny and analysis of squid logfiles. The program allows a non-technical user to extract information about web usage patterns, the type of information downloaded, the sites visited by users, the graphics downloaded, and the amount of information (per-byte or per-file) accessed. The program runs from a Unix system via a web browser.
The current alpha-but-stable version of squidalyser is now available for download from http://ababa.org/. The program now has support for other languages (ie non-English), a completely revised modular design, web-based configuration and a simplified installation procedure. A mailing list has been created at http://ababa.org/mailman/listinfo/squidalist. Please download, test and submit bug reports and suggestions for improvement.
Squidalyser is released under the GPL of the FSF.
Simon Burns
Date: Mon, 23 Sep 2002 11:31:16 GMT Newsgroups: comp.os.linux.networking
I am looking for free network monitoring software.
Basically I am looking at monitoring a non profit organization ( a church and school) with about 60 systems mac and pc. we can use some linux if we want to.
Loriot is one that works pretty well but I am always looking for something better. It has an smtp interface.
Things I'll want to monitor are:
Our squid proxy
pix firewall
backups of accounting software data
mail server
some other things I suppose.
What free software is available to inform us when thing go down?
I use Angel at http://www.paganini.net/angel/
There are a host of others. Google search might find them all. I use Angel because it is simple and all source is included (perl) so you can make any changes you want, which I have…
Mark
Checkout: http://www.bb4.com
Steve Cowles
You could take a look at MRTG at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ It's a nice and highly customizable tool which can handle SMTP and other tests through external scripts.
Matthias
N-View can be used for free (with some limitations). Try it out: www.n-view.de
Wolfgang Ullrich