Any recommendations for a network traffic monitoring package?
-
I just applied the nuclear option to restrict users on my local LAN from accessing certain web sites. Now, before I dive deep into how to manage these restrictions (who to let through and who to ban), I would like to know what the traffic looks like and where people are going. I stumbled across NTOP but after doing some digging it seems like it is too much effort to manage and could possibly make my system unstable, so I am looking for alternate suggestions. Like anyone else I am hoping to find something that is informative, useful and easy to manage. All suggestions welcome. Thank you.
-
@lpd7 said in Any recommendations for a network traffic monitoring package?:
I just applied the nuclear option to restrict users on my local LAN from accessing certain web sites. Now, before I dive deep into how to manage these restrictions (who to let through and who to ban), I would like to know what the traffic looks like and where people are going. I stumbled across NTOP but after doing some digging it seems like it is too much effort to manage and could possibly make my system unstable, so I am looking for alternate suggestions. Like anyone else I am hoping to find something that is informative, useful and easy to manage. All suggestions welcome. Thank you.
Your best (and only alternative) bet is the ntopNG package. It works pretty well in 2.6/22.01, but it does take some getting used to, as it is a combination of historical summary and near-realtime data, but NOT detailed history data for inspection. You can configure the time it keeps "realtime" flow data in memory and what it writes to disk, but it is not a logging/evidence-gathering package. It's a near-realtime monitoring tool with historical trends and counters on most measures.
It also has a DPI engine with rules you can get alerts from whenever data/access falls outside of policy. But that part is not very useful, as it cannot be configured much in the community edition.
-
@keyser Thanks for the recommend.
So when you say it's not for detailed history or for logging/evidence, how much info does it maintain and for how long?
My need is to see what sites are being accessed, how much bandwidth is being used, the local time accessed and the IP or MAC of the local machine accessing the site (that's about all I can think of right now).
Also, I have been doing a bit of searching and another package that has come up as one of the top 5 PFS packages, as one reviewer puts it, is Darkstat. Are you familiar with this one?
-
@lpd7 You can only really see specific traffic/sessions for clients for as long as flows are in memory (depending on settings, 1-10 min). After that you only have historical numbers for each client, e.g.:
Amount of traffic, which protocols that traffic used, high-level distribution of when traffic from the client was active, and so on.
Besides that you can get DPI alerts, and those remain until you clear/acknowledge them or they expire (weeks, months or years depending on your settings).
You can have NtopNG track DHCP clients based on MAC addresses rather than IP addresses, which is nice. I like the package a lot, but it is not a session logging tool. So you still need to log on firewall rules and have a log analysis tool if you want historical specifics.
-
@lpd7 But there is a lot of rather detailed historical data on each client, so it is a very nice tool to spot bandwidth usage by clients. And you get a decent amount of detail on how/when/what, rather than just total bytes.
-
@keyser Thanks for that. I am watching a YT vid by Lawrence Systems on installing and configuring it and may give it a try to see how it works out; I can always uninstall the package if not happy with it, without any issues (I hope). With many of the packages there isn't a lot of user documentation. I haven't searched yet, so I am hoping that I can find detailed docs to help support the package. Thanks again.
-
Just an FYI: I installed NtopNG this morning. The install went smoothly, I did some config per the Lawrence Systems YT video and for a few minutes things looked good, twiddling away to understand the data, when all of a sudden my LAN went down.
When I stopped the Ntop service and reloaded PFS using reroot, the network came back up, so I don't know what it did but it wasn't a good thing. Also my mem usage went from approx. 30% prior to install to 60%, and even with the service stopped my mem is still at 60%.
Once I get my meetings out of the way I will reboot the box without Ntop running and see where my mem lands.
Any ideas what may have been the issue?
This is one of the reasons why I ask about alternatives to some of the more popular packages, so I am looking for additional recommends, if any.
I can say the two things I didn't see or didn't understand while looking around the application were the mapping between internal hosts and external sites (internal host name or IP address to external site URL) before things went south.
Knowing where internal devices are connecting externally and, conversely, where external systems are coming from and attempting to go to, with as much relevant/actionable data as possible, is key for my current needs.
Thanks for reading.
-
I'm using Graylog.
-
@mcury Thanks for that recommend. I don't see it as an available package within the package manager; how were you able to get it loaded onto your PFS box? Also, does this have additional details like URLs accessed, IPs of internal devices, etc.? I will do a quick search for documentation and see what's under the hood.
-
@lpd7 said in Any recommendations for a network traffic monitoring package?:
@mcury Thanks for that recommend. I don't see it as an available package within the package manager; how were you able to get it loaded onto your PFS box? Also, does this have additional details like URLs accessed, IPs of internal devices, etc.? I will do a quick search for documentation and see what's under the hood.
You don't need a pfSense package to run Graylog.
Just go to Status / System / Logs / Settings.
At the bottom of the page you will see Remote Logging Options; go there and configure it to export the logs to the Graylog server. You can run it in a VM to learn; I'm currently collecting data from pfSense, Synology NAS and UniFi equipment.
It works like a syslog server. You don't have info about URLs accessed, just IPs like source, destination, ports used, system logs, DHCP, etc.
Yes, you have IPs of local devices; everything that goes through the firewall, you will see in Graylog. You can also use it as a NetFlow collector.
-
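The post above says what Graylog receives once pfSense remote logging is switched on: the firewall's own syslog lines, which carry source/destination IPs and ports but no URLs. The following is an added example, not code from this thread, from pfSense or from Graylog, showing what those lines already contain before any collector touches them. It parses the `filterlog` CSV layout as documented for pfSense 2.2 and later (IPv4 and IPv6, TCP and UDP ports), then aggregates bytes per LAN host and destination and counts blocked packets, which is roughly the "internal host to external site" view asked for earlier in the thread. `LAN_NETS` is an assumption to be adjusted for your own subnets, and the log lines in `SAMPLE_LINES` are constructed for this example.

```python
"""Parse pfSense filterlog syslog lines and summarise who talked to whom.

Added example. Field layout assumed here is the filterlog format documented
for pfSense 2.2+:

  rule,subrule,anchor,tracker,interface,reason,action,direction,ipver,
  IPv4: tos,ecn,ttl,id,offset,flags,proto_id,proto
  IPv6: class,flowlabel,hoplimit,proto,proto_id
  then: length,src,dst
  TCP:  sport,dport,datalen,flags,seq,ack,window,urg,options
  UDP:  sport,dport,datalen
"""
import ipaddress
import re
from collections import defaultdict

# Matches the program tag pfSense puts in each filterlog syslog line.
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>\S.*)$")

# Assumption for this example: these prefixes are "inside" the firewall.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("2001:db8::/64")]

# Constructed sample lines (not real captures); field values follow the
# documented layout above.
SAMPLE_LINES = [
    "Mar 11 09:21:27 pfsense filterlog[40562]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,1,,65535,,mss",
    "Mar 11 09:21:28 pfsense filterlog[40562]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,64,1235,0,DF,6,tcp,1500,192.168.1.20,93.184.216.34,51234,443,1440,PA,2,1,65535,,",
    "Mar 11 09:21:29 pfsense filterlog[40562]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,338,192.168.1.99,192.168.1.255,67,68,318",
    "Mar 11 09:21:30 pfsense filterlog[40562]: 9,,,1770005263,igb1,match,block,in,4,0x0,,51,0,0,none,6,tcp,44,198.51.100.7,203.0.113.2,40000,22,0,S,,,,,",
    "Mar 11 09:21:31 pfsense filterlog[40562]: 5,,,1000000103,igb1,match,pass,out,6,0x00,0x00000,64,tcp,6,80,2001:db8::10,2001:db8:1::2,51235,443,0,S,,,,,",
    "Mar 11 09:21:32 pfsense sshd[711]: Accepted publickey for admin from 192.168.1.20",
]


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if the line is not a
    filterlog record or is too short/odd to parse safely."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"interface": f[4], "reason": f[5], "action": f[6],
           "direction": f[7], "ipver": f[8]}
    # The IP-version specific header differs in length, so locate the
    # length/src/dst triplet relative to it.
    if rec["ipver"] == "4" and len(f) >= 20:
        rec["proto"] = f[16].lower()
        rest = f[17:]
    elif rec["ipver"] == "6" and len(f) >= 17:
        rec["proto"] = f[12].lower()
        rest = f[14:]
    else:
        return None
    try:
        rec["length"] = int(rest[0])
        rec["src"], rec["dst"] = rest[1], rest[2]
        ipaddress.ip_address(rec["src"])   # reject garbage before using it
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["sport"] = rec["dport"] = None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 5:
        try:
            rec["sport"], rec["dport"] = int(rest[3]), int(rest[4])
        except ValueError:
            return None
    return rec


def summarize(lines):
    """Aggregate passed traffic from LAN hosts and count blocked packets.

    Returns (outbound, blocked): outbound maps (src, dst, dport, proto) to
    total bytes (sum of the IP length field); blocked maps (dst, dport, proto)
    to the number of blocked packets aimed at that service.
    """
    outbound = defaultdict(int)
    blocked = defaultdict(int)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        dst_key = (rec["dst"], rec["dport"], rec["proto"])
        if rec["action"] == "block":
            blocked[dst_key] += 1
        elif rec["action"] == "pass" and is_lan(rec["src"]):
            outbound[(rec["src"],) + dst_key] += rec["length"]
    return dict(outbound), dict(blocked)


if __name__ == "__main__":
    out, blk = summarize(SAMPLE_LINES)
    for (src, dst, dport, proto), nbytes in sorted(out.items()):
        print(f"{src:16} -> {dst}:{dport}/{proto}  {nbytes} bytes")
    for (dst, dport, proto), n in sorted(blk.items()):
        print(f"blocked x{n}: {dst}:{dport}/{proto}")
```

Two things worth noting when you feed real logs through something like this: by default pfSense only logs packets that hit a rule with logging enabled (blocks by the default deny rule are logged, pass rules usually are not), so "everything that goes through the firewall" is only true once you tick the log box on the pass rules you care about; and the byte count is per logged packet, so with stateful rules you normally see only the first packet of a session unless you log every packet, which is exactly why the earlier replies point to NetFlow or ntopNG for bandwidth figures.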
-
@mcury Great stuff, much appreciated. I feel like I have to set up a permanent VM server for various reasons, so this may be the excuse that gets me off my heels. Since my primary driver is to "oversee" where users are visiting so I can apply restrictions, having an easy-to-digest interface or log that notes URLs might be a necessity, but I will see if I can get this up and running or take advantage of the 30-minute demo the developer offers to see what gaps, if any, exist and how I can close them. Thanks again, your input is very welcome.
PS.. I love the Lawrence videos, great resource.