syslog traffic analyzers

Les Mikesell lesmikesell at gmail.com
Thu Nov 3 15:56:36 UTC 2005


On Thu, 2005-11-03 at 00:08, Rick Stevens wrote:
> > > 
> > > I was wondering if anyone had any recommendations for a 
> > > traffic analyzer that will read from a syslog file, and not 
> > > just by binding to the network interface in promiscuous mode. 
> > >  I was hoping to find a program that will show traffic usage 
> > > by IP address, many of them just show the total traffic statistics.
> > > 

> AFAIK, traffic is not logged to any log file.  If you have a busy
> machine, the log file would overflow very, very quickly.  If you want
> to track "so many bytes went between here and that IP over there" and
> that type of thing, I suspect you want something like Cisco's "netflow"
> system.  It tracks traffic at the router and periodically spits it out
> to an analysis machine somewhere.  It is proprietary (to an extent) and
> I don't know of an open source version.

If you have a Cisco capable of sending the netflow data, I believe
that ntop (http://www.ntop.org) will process and display it.

> If you want similar data, you really have no choice BUT to put your NIC
> into promiscuous mode to see all the traffic there is.  You'd need to
> absorb that data (a'la tcpdump) and process it as you see fit.

If you don't have a high-end Cisco, ntop can also generate a similar
data flow log and send it to another machine to be processed.  That is,
you do need a machine with a NIC in promiscuous mode on a switch
port configured to monitor the traffic you want to see, but it
can be another machine where you process and view that data.
If you only want to track the traffic on a few servers, I guess
you could run ntop on each of those machines to generate the
flow data and send it to a central location for processing.

-- 
  Les Mikesell
   lesmikesell at gmail.com
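The collector side of what Rick describes (a router exports flow records, an analysis machine totals them per IP pair), as an added example that is not part of this thread or of ntop: a minimal NetFlow v5 decoder in Python that sums bytes per source/destination pair. The header and record layout follow the published v5 format; the sample datagram is constructed inline, not a real capture, and the length checks are there because a collector accepts unauthenticated UDP from anyone.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one export datagram into (src_ip, dst_ip, protocol, octets) tuples.
    A collector listens on UDP and anything can send to it, so the header's record
    count is checked against the actual length before any record is unpacked."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr  f[1]=dstaddr  f[6]=dOctets  f[13]=prot (IP protocol number)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[13], f[6]))
    return flows

def bytes_by_pair(datagrams):
    """Sum octets per (src, dst) pair across many datagrams: 'so many bytes went
    between here and that IP over there'."""
    totals = defaultdict(int)
    for d in datagrams:
        for src, dst, _proto, octets in parse_netflow_v5(d):
            totals[(src, dst)] += octets
    return dict(totals)

def build_v5_datagram(flows):
    """Constructed sample export (not a real capture) so the parser runs offline.
    flows: iterable of (src_ip, dst_ip, protocol, packets, octets)."""
    records = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                    pkts, octets, 0, 1000, 40000, 80, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, pkts, octets in flows)
    return HEADER.pack(5, len(flows), 123456, 1131033396, 0, 0, 0, 0, 0) + records

if __name__ == "__main__":
    sample = build_v5_datagram([("10.0.0.5", "192.0.2.10", 6, 10, 1500),
                                ("192.0.2.10", "10.0.0.5", 6, 8, 64000)])
    for pair, octets in sorted(bytes_by_pair([sample]).items()):
        print("%s -> %s: %d bytes" % (pair[0], pair[1], octets))
```

A real collector would wrap `parse_netflow_v5` in a UDP receive loop on the export port and persist the totals; the per-pair table is what ntop's flow view presents.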