I'd like to set up something that I can plug into my network that will track network sources, destinations, ports, packet types, etc. and allow me to graph the results. Presumably the network card and port will be in promiscuous mode to capture everything.
What software should I be looking at? Free/libre software only, please. Also, what kind of hardware would be needed to support this (CPU, RAM, etc.)? I don't want to capture entire packets, just the key header info.
_______________________________________________ Roundtable mailing list -- roundtable@muug.ca To unsubscribe send an email to roundtable-leave@muug.ca
I think the answer is probably highly dependent on your network setup and network device capabilities.
The easiest way would be to export netflow data to a netflow collector, if your main router/firewall supports it. There are netflow collectors, for example, that I’ve used in the past to graph most of that with Grafana.
(https://grafana.com/grafana/dashboards/11408-netflow-exporter-overview/ and https://github.com/javadmohebbi/goNfCollector)
If netflow isn’t possible directly from your network device but port mirroring is, you can set that up to mirror all traffic to a specific port, and then as you describe, enable promiscuous mode on a network adapter and use something to turn that into netflow, or a different piece of software to aggregate stats as you like.
Promiscuous mode by itself won’t work in most networks, because the switch will not forward you packets it knows are not intended for you.
If port mirroring isn’t possible with your existing network devices, you may be able to put an OPNSense or PFSense box “in-line” and export netflow from that. That would require the most resources though, and probably slow down your network and make things like routing and NATting a little more tricky, depending on how you set it up. At that point you may as well just swap it out for OPNSense or PFSense, though.
Overall, if your main network device doesn’t support some of these more complex features, I think you’re better off (in time and complexity certainly, but I’d wager monetarily as well) to replace it with something that does rather than chaining a ton of workarounds together.
David
From: Kevin McGregor kevin.a.mcgregor@gmail.com Sent: Tuesday, October 8, 2024 2:03 PM To: Continuation of Round Table discussion roundtable@muug.ca Subject: [RndTbl] Monitoring network traffic
I'd like to set up something that I can plug into my network that will track network sources, destinations, ports, packet types, etc. and allow me to graph the results. Presumably the network card and port will be in promiscuous mode to capture everything.
What software should I be looking at? Free/libre software only, please. Also, what kind of hardware would be needed to support this (CPU, RAM, etc.)? I don't want to capture entire packets, just the key header info.
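What "use something to turn that into netflow" amounts to on the probe side, as an added example rather than code from the thread or from any of the tools named in it: a flow aggregator that reads raw Ethernet frames from a mirror port, keeps only the header fields Kevin asked about (VLAN, addresses, protocol, ports) and counts packets and bytes per flow. The frames, addresses and the 96-byte snaplen are constructed for the example; the live-capture helper assumes Linux and uses AF_PACKET with the promiscuous-membership option. It also shows David's caveat in practice: promiscuous mode is a NIC setting, and the NIC still has to sit on the switch's mirror port to see other hosts' traffic.

```python
"""Probe side of the mirror-port approach: read raw Ethernet frames, keep
only header fields (VLAN, IPs, protocol, ports) and count packets/bytes
per flow.  Added example, not code from the thread; the frames below are
constructed in-line rather than captured."""
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame: bytes):
    """Return (vlan, src, dst, proto, sport, dport, ip_len) for an IPv4
    frame, or None for anything else (ARP, IPv6, runt).  The payload is
    never looked at, so a snaplen-truncated capture is enough."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, 0
    # A mirrored trunk port delivers 802.1Q-tagged frames: skip the 4-byte
    # tag (TCI + inner ethertype) and keep the VLAN id as part of the key.
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ver_ihl = frame[off]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < off + ihl:
        return None
    # Byte counts come from the IP total length, not len(frame), so they
    # stay right when only the first 96 bytes of each packet were captured.
    ip_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    proto = frame[off + 9]
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    sport = dport = 0
    l4 = off + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (vlan, src, dst, proto, sport, dport, ip_len)


def aggregate(frames):
    """Collapse frames into {flow_key: [packets, bytes]} plus a count of
    frames that were not IPv4 and were skipped."""
    flows, skipped = {}, 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            skipped += 1
            continue
        key, ip_len = parsed[:6], parsed[6]
        rec = flows.setdefault(key, [0, 0])
        rec[0] += 1
        rec[1] += ip_len
    return flows, skipped


def build_frame(src, dst, proto, sport, dport, payload_len, vlan=None):
    """Constructed test input: minimal Ethernet/IPv4/TCP-or-UDP frame with
    zeroed checksums and a dummy payload.  Never sent on a wire."""
    l4 = struct.pack("!HH", sport, dport) + b"\0" * (16 if proto == PROTO_TCP else 4)
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\xaa" * 6 + b"\xbb" * 6
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP)
    else:
        eth += struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + b"\0" * payload_len


# Constructed sample: two DNS queries and a TLS SYN on VLAN 10, one
# untagged HTTPS packet truncated to a 96-byte snaplen, and an ARP frame.
SAMPLE_FRAMES = [
    build_frame("192.168.10.20", "1.1.1.1", PROTO_UDP, 53412, 53, 40, vlan=10),
    build_frame("192.168.10.20", "1.1.1.1", PROTO_UDP, 53412, 53, 40, vlan=10),
    build_frame("192.168.10.20", "93.184.216.34", PROTO_TCP, 49152, 443, 0, vlan=10),
    build_frame("10.0.0.5", "192.168.10.20", PROTO_TCP, 443, 49153, 1400)[:96],
    b"\xff" * 6 + b"\xaa" * 6 + struct.pack("!H", 0x0806) + b"\0" * 28,
]


def capture_linux(ifname, count, snaplen=96):
    """Live capture on Linux via AF_PACKET with the NIC put into promiscuous
    mode (PACKET_ADD_MEMBERSHIP / PACKET_MR_PROMISC).  Needs CAP_NET_RAW, and
    the NIC must hang off the switch's mirror port: promiscuous mode alone
    only sees frames the switch already floods to that port."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((ifname, 0))
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), 1, 0, b"\0" * 8)
    sock.setsockopt(263, 1, mreq)  # SOL_PACKET=263, PACKET_ADD_MEMBERSHIP=1
    return [sock.recv(snaplen) for _ in range(count)]


if __name__ == "__main__":
    flows, skipped = aggregate(SAMPLE_FRAMES)
    for key, (pkts, nbytes) in sorted(flows.items()):
        print(f"vlan={key[0]} {key[1]}:{key[4]} -> {key[2]}:{key[5]} "
              f"proto={key[3]} pkts={pkts} bytes={nbytes}")
    print(f"skipped {skipped} non-IPv4 frame(s)")
```

Running it stand-alone prints three flows and one skipped frame; the truncated packet is still counted at its full 1440 bytes because the count is taken from the IP header. Feeding `capture_linux("eth1", 1000)` into `aggregate` instead of `SAMPLE_FRAMES` turns it into a live (if crude) header-only probe on the mirror port.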
I was thinking of getting something like the Mikrotik CRS326-24G-2S+IN (https://mikrotik.com/product/crs326_24g_2s_in) and using a separate PC running ntopng. I definitely want VLAN support as well as port mirroring, and lots of gigabit ports - with the option of a couple of 10GbE ports - would be useful.
On Tue, Oct 8, 2024 at 2:14 PM <dndyck6@gmail.com> wrote:
I think the answer is probably highly dependent on your network setup and network device capabilities.
The easiest way would be to export netflow data to a netflow collector, if your main router/firewall supports it. There are netflow collectors, for example, that I’ve used in the past to graph most of that with Grafana.
(https://grafana.com/grafana/dashboards/11408-netflow-exporter-overview/ and https://github.com/javadmohebbi/goNfCollector)
If netflow isn’t possible directly from your network device but port mirroring is, you can set that up to mirror all traffic to a specific port, and then as you describe, enable promiscuous mode on a network adapter and use something to turn that into netflow, or a different piece of software to aggregate stats as you like.
Promiscuous mode by itself won’t work in most networks, because the switch will not forward you packets it knows are not intended for you.
If port mirroring isn’t possible with your existing network devices, you may be able to put an OPNSense or PFSense box “in-line” and export netflow from that. That would require the most resources though, and probably slow down your network and make things like routing and NATting a little more tricky, depending on how you set it up. At that point you may as well just swap it out for OPNSense or PFSense, though.
Overall, if your main network device doesn’t support some of these more complex features, I think you’re better off (in time and complexity certainly, but I’d wager monetarily as well) to replace it with something that does rather than chaining a ton of workarounds together.
David
That’s a good idea. Ntopng supports netflow (as does that Mikrotik router https://help.mikrotik.com/docs/display/ROS/Traffic+Flow), but in the case that you’re not getting all the data you want, you can beef it up a bit and go for straight port mirroring.
From: Kevin McGregor kevin.a.mcgregor@gmail.com Sent: Tuesday, October 8, 2024 2:46 PM To: Continuation of Round Table discussion roundtable@muug.ca Subject: [RndTbl] Re: Monitoring network traffic
I was thinking of getting something like the Mikrotik CRS326-24G-2S+IN (https://mikrotik.com/product/crs326_24g_2s_in) and using a separate PC running ntopng. I definitely want VLAN support as well as port mirroring, and lots of gigabit ports - with the option of a couple of 10GbE ports - would be useful.
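The collector side of David's suggestion, as an added example rather than code from the thread or from ntopng: a decoder for NetFlow v5 export datagrams, one of the formats RouterOS Traffic Flow can emit. The datagram is built inside the block with the real 24-byte header and 48-byte record layout, so it runs offline; the addresses, counters and interface indexes are constructed. The two things a collector should not take on faith, and which the code checks, are the exporter's record count (it must match the datagram length before anything is unpacked) and the sampling field (a non-zero rate means the byte and packet counters are 1-in-N, not totals).

```python
"""Collector side: decode NetFlow v5 export datagrams into flow records.
Added example, not code from the thread or from ntopng; the datagram is
constructed below with the real v5 wire layout so the decoder runs offline."""
import socket
import struct
from ipaddress import IPv4Address

# 24-byte header and 48-byte record, big-endian, as every v5 exporter sends them.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def decode_v5(datagram: bytes):
    """Return (header, records).  Raises ValueError instead of trusting the
    exporter's count field: anyone who can reach the collector's UDP port
    can send anything, so the length is checked before any unpack."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, unix_secs, unix_nsecs, sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {
        "count": count, "uptime_ms": uptime, "unix_secs": unix_secs,
        "sequence": sequence,               # flows exported so far: a gap means lost datagrams
        "engine": (engine_type, engine_id),
        "sampling_rate": sampling & 0x3FFF,  # 0 = unsampled; otherwise counters are 1-in-N
    }
    records = []
    for off in range(V5_HEADER.size, len(datagram), V5_RECORD.size):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets, "tcp_flags": flags,
            "duration_ms": last - first, "in_if": in_if, "out_if": out_if,
        })
    return header, records


def is_valid_v5(datagram: bytes) -> bool:
    """True if decode_v5 accepts the datagram, False if it rejects it."""
    try:
        decode_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(records, uptime_ms=120000, unix_secs=1728410000, sequence=0, sampling=0):
    """Constructed exporter output for testing: packs records the way a v5
    exporter would.  Interface indexes 1/2 and the /24 masks are arbitrary."""
    body = b"".join(
        V5_RECORD.pack(IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed, b"\0" * 4,
                       1, 2, r["packets"], r["bytes"], r["first"], r["last"],
                       r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
                       0, 0, 24, 24, 0)
        for r in records)
    return V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, sequence, 0, 0, sampling) + body


# Constructed sample: the two flows a probe on VLAN 10 might have exported
# (a DNS query pair and a short TLS session).  Addresses are made up.
SAMPLE_DATAGRAM = build_v5([
    {"src": "192.168.10.20", "dst": "1.1.1.1", "proto": 17, "sport": 53412, "dport": 53,
     "packets": 2, "bytes": 136, "first": 100000, "last": 100040},
    {"src": "192.168.10.20", "dst": "93.184.216.34", "proto": 6, "sport": 49152, "dport": 443,
     "packets": 12, "bytes": 5420, "first": 100500, "last": 104800, "tcp_flags": 0x1B},
], sequence=17)


def serve(bind_addr="0.0.0.0", port=2055):
    """Minimal UDP collector loop; point the exporter's target at this host:port.
    Malformed datagrams are dropped and counted rather than crashing the loop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    bad = 0
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            header, records = decode_v5(data)
        except ValueError:
            bad += 1
            continue
        for r in records:
            print(f"{peer[0]} seq={header['sequence']} {r['src']}:{r['sport']} -> "
                  f"{r['dst']}:{r['dport']} proto={r['proto']} pkts={r['packets']} bytes={r['bytes']}")


if __name__ == "__main__":
    hdr, recs = decode_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for r in recs:
        print(r)
```

Since the export is plain UDP with no authentication, `serve` should only listen on the interface the router reaches, and a firewall rule restricting port 2055 to the exporter's address is the cheapest way to keep anyone else on the LAN from injecting bogus flows into the graphs.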
I used to use Wireshark in classes to demonstrate the "under the hood" stuff. My use was limited but it might do at least some of what you want. Peter
On Tue, Oct 8, 2024 at 2:03 PM Kevin McGregor <kevin.a.mcgregor@gmail.com> wrote:
I'd like to set up something that I can plug into my network that will track network sources, destinations, ports, packet types, etc. and allow me to graph the results. Presumably the network card and port will be in promiscuous mode to capture everything.
What software should I be looking at? Free/libre software only, please. Also, what kind of hardware would be needed to support this (CPU, RAM, etc.)? I don't want to capture entire packets, just the key header info.
If your router was a linux/bsd box to begin with, this is all trivial. You just do whatever you want. Everything a router can do a linux box can do (better).
David is right, if you want to do something hanging off your network you'll need a router that can forward every packet somewhere or a switch that is managed or semi-managed so you can set a port to get all traffic. Semi-managed switches ("smart switches") can be fairly affordable.
I have no experience with mikrotik, but I'm sure there are devices that can do everything you want... until you find another neat thing you want to do that it can't!