That’s a good idea. Ntopng supports netflow (as does that Mikrotik router https://help.mikrotik.com/docs/display/ROS/Traffic+Flow), but in the case that you’re not getting all the data you want, you can beef it up a bit and go for straight port mirroring. From: Kevin McGregor <kevin.a.mcgregor@gmail.com> Sent: Tuesday, October 8, 2024 2:46 PM To: Continuation of Round Table discussion <roundtable@muug.ca> Subject: [RndTbl] Re: Monitoring network traffic I was thinking of getting something like the Mikrotik CRS326-24G-2S+IN<https://mikrotik.com/product/crs326_24g_2s_in> and using a separate PC running ntopng. I definitely want VLAN support as well as port mirroring, and lots of gigabit ports - with the option of a couple of 10GbE ports - would be useful. On Tue, Oct 8, 2024 at 2:14 PM <dndyck6@gmail.com<mailto:dndyck6@gmail.com>> wrote: I think the answer is probably highly dependent on your network setup and network device capabilities. The easiest way would be to export netflow data to a netflow collector, if your main router/firewall supports it. There are netflow collectors, for example, that I’ve used in the past to graph most of that with Grafana. (https://grafana.com/grafana/dashboards/11408-netflow-exporter-overview/ and https://github.com/javadmohebbi/goNfCollector) If netflow isn’t possible directly from your network device but port mirroring is, you can set that up to mirror all traffic to a specific port, and then as you describe, enable promiscuous mode on a network adapter and use something to turn that into netflow, or a different piece of software to aggregate stats as you like. Promiscuous mode by itself won’t work in most networks, because the switch will not forward you packets it knows are not intended for you. If port mirroring isn’t possible with your existing network devices, you may be able to put an OPNSense or PFSense box “in-line” and export netflow from that. That would require the most resources though, and probably slow down your network and make things like routing and NATting a little more tricky, depending on how you set it up. At that point you may as well just swap it out for OPNSense or PFSense, though. Overall, if your main network device doesn’t support some of these more complex features, I think you’re better off (in time and complexity certainly, but I’d wager monetarily as well) to replace it with something that does rather than chaining a ton of workarounds together. David From: Kevin McGregor <kevin.a.mcgregor@gmail.com<mailto:kevin.a.mcgregor@gmail.com>> Sent: Tuesday, October 8, 2024 2:03 PM To: Continuation of Round Table discussion <roundtable@muug.ca<mailto:roundtable@muug.ca>> Subject: [RndTbl] Monitoring network traffic I'd like to set up something that I can plug into my network that will track network sources, destinations, ports, packet types, etc. and allow me to graph the results. Presumably the network card and port will be in promiscuous mode to capture everything. What software should I be looking at? Free/libre software only, please. Also, what kind of hardware would be needed to support this (CPU, RAM, etc.)? I don't want to capture entire packets, just the key header info. _______________________________________________ Roundtable mailing list -- roundtable@muug.ca<mailto:roundtable@muug.ca> To unsubscribe send an email to roundtable-leave@muug.ca<mailto:roundtable-leave@muug.ca> _______________________________________________ Roundtable mailing list -- roundtable@muug.ca To unsubscribe send an email to roundtable-leave@muug.ca