[CentOS] looking for some advice to monitor network usage in office

Wed Mar 25 15:01:47 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Rudi Ahlers wrote:
> Hi all,
> I've been asked by a college to set up a monitor to monitor a Windows
> network, but on internet usage. They want to have detailed usage, i.e.
> on a per IP / PC basis, and if possible to get stats for every
> protocol, and see over a period of time what goes on.
> My first thought was ntop, which does all of this, but it doesn't save
> the data in a DB, so if the server reboots the stats are reset to 0.

Are you sure you went through all the ntop options?  I thought it had 
ways to store and export data.  And it can both source and parse netflow 

> I
> also can't get Cacti to give me stats per IP & per protocol (unless
> someone knows how to do this).

SNMP normally reports traffic per interface.  If you can get by with a 
historical total/max bandwidth report, point cacti or other SNMP tool at 
the switch ports facing the users.  Then use ntop for snapshots of 
protocol usage.  If, for example, you are trying to track down the 
source of a virus, you really only want to see current traffic patterns, 
not totals that include last week's bittorrent activity.

> I don't yet know the full network layout, but I have a feeling they're
> using ADSL, and have a Windows Small Business server with ISA, and
> possibly Exchange as well. So, I'm either going to put a CentOS box
> between the Windows box & ADSL router, or maybe even set up a CentOS
> VMware Virtual PC, force all the network to route via the VPS.
> Does anyone have some suggestions / experience in setting up something
> like this?

As long as you have a managed switch behind the internet router you 
should be able to set up a mirror (monitor) port to feed a copy to an 
interface running ntop without actually routing through the Linux box. 
Or, if the router supports it, it can send netflow records to something 
that understands them.

   Les Mikesell
     lesmikesell at gmail.com
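
The netflow route suggested above, combined with the requirement that per-IP / per-protocol totals survive a reboot, sketched as an added example (not part of the original thread, and not ntop's or Cacti's code). It assumes the router exports NetFlow version 5; the table name, database path and sample addresses are made up for illustration.

```python
import ipaddress
import sqlite3
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}            # IP protocol numbers

def parse_v5(datagram):
    """Yield (src_ip, protocol, octets) per flow; reject malformed UDP input."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5 or not 1 <= count <= 30:        # v5 carries 1..30 records
        raise ValueError("not a NetFlow v5 export")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield str(ipaddress.IPv4Address(f[0])), PROTO.get(f[13], str(f[13])), f[6]

def store(db, flows):
    """Add each flow's byte count to a running per-IP, per-protocol total."""
    db.execute("CREATE TABLE IF NOT EXISTS traffic ("
               "ip TEXT, proto TEXT, bytes INTEGER, PRIMARY KEY (ip, proto))")
    for ip, proto, octets in flows:
        db.execute("INSERT OR IGNORE INTO traffic VALUES (?, ?, 0)", (ip, proto))
        db.execute("UPDATE traffic SET bytes = bytes + ? WHERE ip = ? AND proto = ?",
                   (octets, ip, proto))
    db.commit()

def totals(db):
    return db.execute("SELECT ip, proto, bytes FROM traffic ORDER BY ip, proto").fetchall()

def sample_datagram():
    """Constructed export: three flows from two made-up LAN hosts."""
    flows = [("192.168.1.10", 6, 1500), ("192.168.1.10", 6, 500), ("192.168.1.20", 17, 300)]
    dst = ipaddress.IPv4Address("203.0.113.5").packed
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(src).packed, dst, bytes(4),
                    1, 2, 3, octets, 0, 0, 40000, 443, 0, 0, proto, 0, 0, 0, 24, 0, 0)
        for src, proto, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    db = sqlite3.connect("traffic.db")  # hypothetical path; the file outlives a reboot
    store(db, parse_v5(sample_datagram()))
    print(totals(db))
```

In a real deployment the datagrams would come from a UDP socket that only accepts the router's address, since NetFlow v5 has no authentication of its own.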