[clug] IP network traffic monitoring

[Andrew Smith]

Sorry, should add that this won't provide the flow analysis bit, just the 
paranoid bit.

Andrew Smith wrote:
> Hi Tony,
> 
> I've got snort running on a high volume network, logging into mysql 4.  
> I use acid to provide reports and queries.  The snort rules take a bit 
> of tuning, they are a little overly sensitive out of the box.
> 
> Don't know about Debian packages, I'm on the other side of the fence :)
> 
> Andrew
> 
> Tony and Robyn Lewis wrote:
> 
>> I am a paranoid bunny.  I want a tool that will sniff my 
>> internet-facing interface, and store "flow" information (source/dest 
>> IP/port, time, proto, packet/byte count).  Does such a beast exist as 
>> a debian package, or any other package?
>>
>> I know there are lots of network monitoring stuff (been through 
>> http://packages.debian.org/testing/net) but nothing that can do graphs 
>> and/or reporting by that resolution.
>>
>> The nearest I can find is something like pmacct, or ulog-acctd, and 
>> pumping that into a database/file and then having a web front end to 
>> generate graphs.  But I'd love to find something already rolled.  
>> flow-tools comes close if I can find something that will generate 
>> netflow data.
>>
>> My underlying requirement is this: I use cacti, and it reported to me 
>> last night that my upload was maxed out between around 3am to 6am.  I 
>> don't know why.  I've checked the logs for the apps that operate on 
>> the ports I have open, and nothing jumps out, and so I'm a little 
>> stumped and curious/nervous.  Some monitoring tool like this would help.
>>
>> Tony Lewis
>>