[afnog] Network Monitoring Tools

Chris Wilson chris+afnog at aptivate.org
Wed May 9 15:43:05 UTC 2012


Hi David,

On Wed, 9 May 2012, david aliata wrote:

> I have several sites whose internet connections are terminated on Cisco 
> ASA 5510, Cisco 1941/1841, Catalyst Switches and Cisco APs. I would like 
> to be able to capture traffic from these sites and analyze this so that I 
> can determine 
> 
> Who are our Top Talkers and who are they "talking" to in these sites

We don't have Cisco routers, but we use pmacct, which can also receive and 
process netflow data from Cisco routers. We also use Argus, which only 
does promiscuous mode, for audit records. I know others use NFsen for 
things like this.

> What websites are routinely being visited and what is being downloaded

This is much more difficult to monitor. Basically your best bet is to 
force everyone to use an HTTP proxy, either by intercepting their 
connections with NAT or WCCP and redirecting them to a transparent proxy, 
or by blocking port 80.

It might be possible to do some funky passive monitoring with Snort or 
Tshark, but I haven't done it and I'm not sure.

> If there are any signs of rogue network applications or malicious 
> activity on the network

We don't use it, but when I worked for a network security company, we used 
Snort. It's free, reasonable, but needs very careful tuning to avoid false 
alarms. I also don't consider IDS particularly useful unless you either:

(1) automatically block it, and live with the consequences of blocking 
legitimate traffic whenever you get a false alarm; or

(2) employ people ("investigators" or "enforcers") to jump on it as soon as 
it happens, and live with the cost of maintaining a team of them on call); 
or

(3) you don't actually care about stopping it, but you want to be able to 
point fingers at someone else after the fact (CYA).

> Determine Top applications in use in a particular site and bandwidth 
> requirements

We do this based on ports and IP addresses, but I know Packeteer makes a 
big deal about being able to present this data in "user-friendly reports 
to management", and they charge appropriately.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
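Worked example, added here and not code from the thread or from pmacct: given flow records exported by a collector such as pmacct, it computes the top talkers per site, who a given local host is "talking" to, and the port-based view of "top applications" that the reply describes. The CSV column names, the 10.1.0.0/24 site prefix and the sample rows are all assumptions.

```python
import csv
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of aggregated flow records (not real traffic); the column
# names are assumed for a collector export such as pmacct's CSV print output.
SAMPLE_CSV = """SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES
10.1.0.15,203.0.113.10,51234,443,tcp,1200,1500000
203.0.113.10,10.1.0.15,443,51234,tcp,2400,9800000
10.1.0.22,198.51.100.7,40000,80,tcp,300,60000
198.51.100.7,10.1.0.22,80,40000,tcp,800,3200000
10.1.0.15,198.51.100.7,40001,80,tcp,50,8000
10.1.0.9,10.1.0.1,5353,53,udp,40,4000
"""
LOCAL = ip_network("10.1.0.0/24")  # assumed site prefix; set per site

def parse_flows(text):
    """Yield one dict per flow, with ports and counters as integers."""
    for row in csv.DictReader(text.splitlines()):
        for key in ("SRC_PORT", "DST_PORT", "PACKETS", "BYTES"):
            row[key] = int(row[key])
        yield row

def top_talkers(text, n=3):
    """Bytes per local host, counting both directions of each flow."""
    totals = Counter()
    for f in parse_flows(text):
        for host in (f["SRC_IP"], f["DST_IP"]):
            if ip_address(host) in LOCAL:
                totals[host] += f["BYTES"]
    return totals.most_common(n)

def top_peers(text, host, n=3):
    """Who a local host is 'talking' to, by bytes in both directions."""
    peers = Counter()
    for f in parse_flows(text):
        if f["SRC_IP"] == host:
            peers[f["DST_IP"]] += f["BYTES"]
        elif f["DST_IP"] == host:
            peers[f["SRC_IP"]] += f["BYTES"]
    return peers.most_common(n)

def top_services(text, n=3):
    """Bytes per (protocol, service port); lower port taken as the service."""
    services = Counter()
    for f in parse_flows(text):
        port = min(f["SRC_PORT"], f["DST_PORT"])
        services[(f["PROTOCOL"], port)] += f["BYTES"]
    return services.most_common(n)
```

The lower-port heuristic in top_services is the usual port-based approximation and misclassifies applications that use high or non-standard ports, which is exactly the gap the commercial reporting products sell against.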
