network monitoring systems

Austin Godber godber at no8tech.com
Wed Jun 6 12:28:33 MST 2007


JT Moree wrote:
> We have a cisco VOIP server that also acts as the gateway for all the internal
> network traffic (i don't know why it's set up this way but it is).  Given that
> it has become difficult to get accurate SNMP data from the router (because all
> traffic looks like it comes from the VOIP server?)
> 
> we are thinking of installing a system that will let us analyze the traffic.
> the most important problem we are solving is knowing who is watching streaming
> video on the network (by IP address).
> 
> My first thought was to put one of the switch ports in manage mode where it
> sends all traffic to that port for sniffing but that idea is not popular with
> my superior.
> 
> Perhaps I'll put the system on the network.  All traffic needs to be passed
> through the system so that we can analyze it.
> 
> I can install a Linux box that forwards all traffic through to the VOIP server
> (which runs windows).  Leave the VOIP system at .201 and make the analyzer be
> .203.  then set dhcp to pass out .203 as the gateway.
> 
> or I can put the system in promiscuous/bridging mode where it sits in between
> the VOIP system and the switch.
> 
> The real question is which software should I use to analyze the traffic.  I
> could use wireshark on pretty much anything or maybe use SNORT.  since snort is
> an IDS it may not be the best for this scenario.
> 
> Is anyone else dealing with a similar situation?  How have you solved the
> problem?
> 

I have used ntop for this sort of thing in the past.  I am pretty sure it
would do what you want.

I would tend to disagree with your supervisor on the span port though.
I would much rather do that or say, add a hub and put the listening
computer on the hub, rather than adding another real box inline with all
of your traffic.  A real linux box inline is much more likely to fail
and disrupt everyone's service than a hub or span port.

The privacy issues are the same, regardless of the method, because you
your whole GOAL is to monitor all traffic.  Then again he might not like the
idea for a different reason, which may be perfectly valid.

Good luck.  Check out ntop.  It looks like it's still active a little bit
and hasn't gone too commercial.

Austin

PS - Moderators can delete my post from godber at asu.edu. Apologies if
this is received twice.  I just realized that my from address was being
rewritten.
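As an added illustration (not code from either poster or from ntop), this is the kind of per-host summary the original question asks for, built from flow records that a span port on the switch side would see; captured there, the internal source addresses are still visible, which the poster notes is not the case once traffic has passed the VOIP gateway. The flow records, the 192.168.1.0/24 range and the rate/duration thresholds are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real capture data). Each line is
# src_ip,dst_ip,dst_port,bytes,duration_seconds, as a flow summary taken
# from a span port or hub would report them. Internal hosts are assumed
# to live in 192.168.1.0/24; thresholds below are illustrative.
SAMPLE_FLOWS = """\
192.168.1.42,203.0.113.10,80,48000000,600
192.168.1.42,203.0.113.10,443,2000,3
192.168.1.57,198.51.100.5,1935,120000000,900
192.168.1.11,203.0.113.20,443,90000,20
192.168.1.11,203.0.113.21,80,300000,45
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_flows(text):
    """Parse the CSV-style flow summary into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes, secs = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "bytes": int(nbytes), "secs": int(secs)})
    return flows


def top_talkers(flows, net=INTERNAL_NET):
    """Total bytes sent per internal source host, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f["src"]) in net:
            totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def sustained_flows(flows, min_secs=300, min_kbps=256):
    """Flows that are both long-lived and high-rate: candidate streaming
    sessions worth a closer look. Returns (src, dst, port, kbps) tuples."""
    out = []
    for f in flows:
        kbps = f["bytes"] * 8 / 1000 / max(f["secs"], 1)
        if f["secs"] >= min_secs and kbps >= min_kbps:
            out.append((f["src"], f["dst"], f["port"], round(kbps)))
    return out
```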

