hi ya

something trivial/simple .... nothing fancy...

you can just use trafshow to see which machines are talking to the other
machines... and what kind of traffic.. ( udp, tcp... ssh, dns, http, smtp.... )
- only the highest usage users will show in the list

c ya
alvin

On Thu, 18 Apr 2002, Rory Campbell-Lange wrote:

> I wish to set up a network monitoring machine to track network traffic
> in an office of about 100 users. The main focus of attention is the
> traffic passing between our router and the network, as we recently and
> inexplicably had most of the bandwidth of our half meg leased line
> saturated by network traffic for over a day.
>
> The router is a proprietary network appliance providing NAT/VPN and a
> firewall.
>
> I have tested tcpdump at another smaller office where I was able to
> trace all the network traffic between the gateway and workstations all
> linked on the same small switch. However in the larger office the Bay
> 450-24T (now Nortel) managed switches we use appear to confound tcpdump
> so that only traffic between the localhost and the targeted system
> appears, even if I place a mini-hub between the tracing machine and the
> switch (which also provides the network connection to the router).
>
> I get a message from tcpdump saying that eth0 has entered promiscuous
> mode so I guess that the capabilities of the ethernet card aren't the
> problem.
>
> Is the solution to use the Bay switch port mirroring feature? If this is
> the thing to do, would I need another ethernet interface to connect to
> the network normally? I would like to run arpwatch on the same machine
> (so only one machine in the office is in promiscuous mode) - is that
> feasible?
>
> I hope to hold 3 days' tcpdump information on disk, and analyse this
> with Ethereal or some similar tool if necessary. I'm hoping not to lose
> too much of the information, so I wasn't thinking of filtering much. I'd
> be grateful for some expert advice on the suitability of this approach.
> The disk of the network monitoring machine has about 15G free.
>
> I'm running Debian woody on i386.
>
> [ps I posted this to the tcpdump workers list, but haven't had any
> replies, so I thought I'd try here!]
>
> Thanks for any help
> Rory
>
> --
> Rory Campbell-Lange
> <[EMAIL PROTECTED]>
> <www.campbell-lange.net>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
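Added example for the thread above (not Alvin's or Rory's code, and not from the tcpdump or trafshow projects): it sizes the 3-day retention Rory asks about against the 15G of free disk and the half-meg (512 kbit/s) line, then builds a tcpdump ring-buffer command for the capture host on the mirrored switch port. Assumptions not found in the thread: the capture interface is eth0, the monitor host's own address is 192.0.2.10, captures live under /var/captures, and the tcpdump in use supports -C/-W file rotation (any modern release does).

```shell
#!/bin/sh
# Added example for the thread above (not Alvin's or Rory's code): size a
# 3-day tcpdump ring buffer for a 512 kbit/s ("half meg") line against 15G
# of free disk, then build the capture command for the mirrored port.
# Assumptions (not from the thread): capture interface eth0, the monitor
# host's own address 192.0.2.10, capture directory /var/captures, and a
# tcpdump that supports -C/-W file rotation (any modern release).

# Worst-case bytes on the wire over $2 days with the $1 kbit/s link saturated.
# pcap adds a 16-byte record header per packet on top of this, so treat the
# result as a floor, not a ceiling.
budget_bytes() {
    bytes_per_sec=$(( $1 * 1000 / 8 ))
    seconds=$(( $2 * 24 * 3600 ))
    echo $(( bytes_per_sec * seconds ))
}

# How many rotated files of $2 MB fit in $1 GB of free disk, keeping 10%
# back so the capture can never fill the filesystem.
ring_files() {
    usable_mb=$(( $1 * 1024 * 90 / 100 ))
    echo $(( usable_mb / $2 ))
}

# Exit status 0 when $3 GB of free disk covers $2 days at $1 kbit/s.
fits() {
    need=$(budget_bytes "$1" "$2")
    have=$(( $3 * 1024 * 1024 * 1024 ))
    [ "$need" -le "$have" ]
}

# Capture command for interface $1: -s 0 keeps whole packets (Rory does not
# want to filter or truncate), -C/-W rotate through $3 files of $2 million
# bytes as a ring, and the filter drops the monitor host's ($4) own SSH
# session so the admin's terminal traffic does not pollute the evidence.
capture_cmd() {
    echo "tcpdump -i $1 -s 0 -n -C $2 -W $3 -w /var/captures/office.pcap 'not (host $4 and port 22)'"
}

# Usage: sh capture_plan.sh --plan
if [ "${1:-}" = "--plan" ]; then
    link=512; days=3; free_gb=15; file_mb=100
    echo "worst case for $days days at $link kbit/s: $(budget_bytes $link $days) bytes"
    if fits $link $days $free_gb; then
        echo "fits in ${free_gb}G"
    else
        echo "does NOT fit in ${free_gb}G: the ring will overwrite the oldest files"
    fi
    files=$(ring_files $free_gb $file_mb)
    echo "ring buffer: $files files of ${file_mb}M"
    capture_cmd eth0 $file_mb "$files" 192.0.2.10
fi
```

The arithmetic is the useful part: a fully saturated 512 kbit/s line writes about 16.6 GB in three days before pcap headers, so 15G free is just short of unfiltered worst-case retention, and the -W ring guarantees the disk never fills by recycling the oldest file instead of stopping the capture. The SSH filter matters only when the capture host has a single NIC on the mirrored port; with a second interface for management (as Rory considers) the mirror-port capture carries no traffic of its own and the filter can be dropped.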