= Introduction =
This document outlines the creation of a network monitoring bridge on Ubuntu 14.04, but the procedure should work on any version supported at the time of writing (15/4/16). The bridge can be transparently plugged into any segment of a local subnet to analyze network traffic without disturbing network services. Several services are used for monitoring, and together they provide comprehensive statistics on network usage and throughput. For more information on what a bridge is, see the Linux Documentation Project [[http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/index.html|Bridging Howto]].

== Sample uses of the network monitor ==
 1. Analyze connection problems to a local database server
 ''Network configuration'': LAN <=> switch <=> Database server
 ''Network with monitoring'': LAN <=> switch <=> Network Monitoring Bridge <= PATCH CABLE => Database server
 1. Analyze network usage on a subnet at our University
 ''Network configuration'': INTERNET <=> Gateway firewall <=> Switch <=> Local network computers
 ''Network with monitoring'': INTERNET <=> Gateway firewall <= PATCH CABLE => Network Monitoring Bridge <=> Switch <=> Local network computers

= Prerequisites =
Begin with a PC. Almost any modern PC will be enough for moderate bandwidth, but if you need close to full gigabit speeds you will need a more powerful CPU and bus. (Legacy PCI will not support full gigabit speeds in both directions: traffic entering on one card and leaving on the other crosses the same shared bus, so its bandwidth is consumed twice.) Install two network cards in this machine and obtain a patch cable. If you use gigabit cards you will not need a crossover cable to connect directly to another PC, because gigabit ports negotiate the cable pairs automatically (Auto-MDIX). If, however, you use 100 megabit cards, you may need a crossover cable.

You may begin with either a Desktop or Server installation of Ubuntu. See InstallingSoftware for more information.

You will need to know your interface names.
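The following is an added example, not part of the original page: a small shell function that lists the physical NICs the kernel sees by reading sysfs directly, so you can confirm the names to put in /etc/network/interfaces and tell the two cards apart by MAC address, link state and driver. The sysfs root is a parameter (default /sys) only so that the function can be exercised against a constructed tree; on the monitoring box itself call it with no argument.

```shell
# Added example (not from the original page). Reads /sys/class/net so it
# works whether the NICs are called eth0, p2p1 or enp9s0, and without ifconfig.

# Print "name mac operstate driver" for every interface backed by a real
# device (it has a ./device entry). lo, bridges, tunnels and other virtual
# interfaces have no device entry and are skipped.
list_nics() {
    root="${1:-/sys}"
    for dir in "$root"/class/net/*; do
        [ -e "$dir/device" ] || continue
        name=$(basename "$dir")
        mac=$(cat "$dir/address" 2>/dev/null || echo '?')
        state=$(cat "$dir/operstate" 2>/dev/null || echo unknown)
        if [ -e "$dir/device/driver" ]; then
            # device/driver is a symlink into /sys/bus/.../drivers/<name>
            driver=$(basename "$(readlink -f "$dir/device/driver")")
        else
            driver='?'
        fi
        printf '%s %s %s %s\n' "$name" "$mac" "$state" "$driver"
    done
}

# Succeed only when at least two physical NICs are present, which is what the
# bridge needs (one port toward the core, one toward the monitored host).
have_two_nics() {
    [ "$(list_nics "$1" | wc -l)" -ge 2 ]
}

# On the monitoring box itself:
#   list_nics
#   have_two_nics || echo "need two NICs"
```

The operstate column is the quickest way to work out which card is which: plug a cable into one port only and the interface that reports `up` is that port.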
This used to be eth0 and eth1, but now we have [[https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/|Predictable Network Interface Names]], which means they could be eth0, p3p1, p2p1, enp9s0, wlp9s0, or eno16777728. (Yes, those are all real examples.) Run {{{ifconfig -a}}} or {{{ip link}}} from the command line to find out what Ubuntu is actually calling your NICs.

= Install and configure the software =
Install bridge utilities from the Main repository:
{{{
sudo apt-get install bridge-utils
}}}
Install the monitoring tools:
{{{
sudo apt-get install darkstat etherape ntop ssh traceroute wireshark zenmap
}}}
'''NOTE:''' ntopng is a similar but updated ntop that you may want to consider instead.

== Configure the Bridge ==
Edit /etc/network/interfaces to reflect your network topology. The following example configures the bridge via DHCP. For a static IP address, replace the line
{{{
iface br0 inet dhcp
}}}
with
{{{
iface br0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
}}}
and keep the bridge_* settings under the same stanza.

Sample /etc/network/interfaces file:
{{{
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The bridge interface
auto br0
iface br0 inet dhcp
    bridge_ports eth0 eth1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
}}}
If you have used bridge utilities on older versions of Linux, you will note that {{{auto eth0}}} and {{{iface eth0 inet manual}}} are not in the file. This is because bringing up br0 also brings up the ports assigned to it.

Note that giving br0 an address makes the monitoring box itself a reachable host on the segment it taps: its own traffic is mixed into the statistics, and its web interfaces (ntop on port 3000, darkstat on port 8888) are exposed to every host on that segment. Restrict access to those ports, or give the bridge no address ({{{iface br0 inet manual}}}) and manage the box over a third interface.

Restart networking:
{{{
sudo /etc/init.d/networking restart
}}}
or
{{{
sudo reboot
}}}

== Configure ntop ==
Edit the ntop configuration:
{{{
sudo nano /var/lib/ntop/init.cfg
}}}
Change the INTERFACES line to the name of your bridge, something like
{{{
INTERFACES="br0"
}}}
Configure ntop to recognize your local subnet:
{{{
sudo nano /etc/default/ntop
}}}
Change the GETOPTS variable to something like
{{{
GETOPTS="--local-subnets=192.168.1.0/24"
}}}
Set the admin password for the ntop web interface. Choose a dedicated password: it is sent over plain HTTP to port 3000, so do not reuse your sudo password.
{{{
sudo ntop --set-admin-password
}}}
Restart ntop:
{{{
sudo /etc/init.d/ntop restart
}}}
Test ntop by browsing to http://localhost:3000

== Configuring DarkStat ==
Edit the configuration file:
{{{
sudo nano /etc/darkstat/init.cfg
}}}
{{{
# Turn this to yes when you have configured the options below.
START_DARKSTAT=yes

# Don't forget to read the man page.
# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i br0"
PORT="-p 8888"
#BINDIP="-b 127.0.0.1"
#LOCAL="-l 10.1.1.0/24"
#FIP="-f 127.0.0.1"
#DNS="-n"
#SPY="--spy br0"
}}}
'''NOTE:''' You can also pick eth0 or eth1 as the interface to avoid tracking your own monitoring traffic: simply pick the port that is not between you and the core. The darkstat web interface has no authentication, so if the bridge has an address on the monitored segment, set BINDIP (or firewall port 8888) rather than leaving it reachable by every host there.

== Configuring Wireshark ==
Wireshark is a GUI application, but it does not need a GUI on the monitoring server to run: you can access it remotely with {{{ssh -X}}} even with no GUI on the server. You will need to configure Wireshark to allow non-root users to capture packets:
{{{
sudo dpkg-reconfigure wireshark-common
}}}
Answer "yes" when asked whether non-superusers should be able to capture packets, then add each allowed user to the {{{wireshark}}} group. Members of that group can capture on every interface of the box, so treat membership like sudo access.
{{{
sudo usermod -aG wireshark username
}}}
The change takes effect at that user's next login.

= Install device and begin monitoring =
 1. To begin monitoring, choose a place on your network that you would like to monitor, as shown in the examples above.
 1. Plug the patch cable into one of the network devices on the Network Monitoring Bridge.
 1. Unplug the network cable from the computer you would like to monitor and plug that cable into the other network device of the Network Monitoring Bridge.
 1. Plug the free end of the patch cable into the computer that will be monitored.
 1. Restart networking on the Network Monitoring Bridge:
{{{
sudo /etc/init.d/networking restart
}}}
View network traffic statistics via ntop at http://ip_address_of_network_monitor:3000

View network traffic statistics via darkstat at http://ip_address_of_network_monitor:8888

Access the other programs via ssh:
{{{
ssh -X ip_address_of_network_monitor
}}}
Run wireshark, etherape or zenmap in a GUI on your local workstation. (If you are on Windows, you may want to install [[http://mobaxterm.mobatek.net/|MobaXterm]], a Windows ssh client with X already integrated and easy setup.) Run nmap from an ssh command line without X if needed.

= Additional Information =
Bridging is popular, and so it has reference material in several places that may not all be updated at once. These are the links I know of:
 * [[KVM/Networking|KVM Networking]] - Network configuration for the KVM virtual machines server.
 * [[NetworkConnectionBridge|Network Connection Bridge]] - This page.
 * [[BridgingNetworkInterfaces|Installing bridge utilities]] - A similar page from a Bridge-Utils point of view.
 * [[NetworkMonitoringBridge|Network Monitoring Bridge]] - An in-line sniffer page.
----
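= Checking the bridge before patching it in =
Before the box is patched in line (the steps under "Install device and begin monitoring" above), it is worth confirming that the bridge and the two daemons are configured the way the sections above describe, because a mistake there shows up as an outage on the monitored host rather than on the monitor. The script below is an added example, not part of the original page. It reads the bridge state the kernel exposes under /sys/class/net (the brif directory lists the enslaved ports; bridge/stp_state and bridge/forward_delay mirror bridge_stp and bridge_fd) and parses the KEY="value" lines of /var/lib/ntop/init.cfg and /etc/darkstat/init.cfg. The sysfs root and the config file paths are parameters only so the checks can be run against constructed files.

```shell
# Added example (not from the original page): pre-flight checks for the
# monitoring bridge. Run on the bridge as:
#   check_bridge /sys br0 eth0 eth1 && \
#   check_daemons br0 /var/lib/ntop/init.cfg /etc/darkstat/init.cfg eth0 eth1

# check_bridge ROOT BRIDGE PORT...: BRIDGE must exist, have exactly PORT...
# enslaved, STP off and a forward delay of 0. With bridge_fd 0 the bridge
# forwards immediately; any other value means frames are dropped for that
# many centiseconds after every link change, which the host behind the tap
# sees as an outage.
check_bridge() {
    root="$1"; bridge="$2"; shift 2
    bdir="$root/class/net/$bridge"
    [ -d "$bdir/bridge" ] || { echo "$bridge: not a bridge"; return 1; }
    for port in "$@"; do
        [ -e "$bdir/brif/$port" ] || { echo "$bridge: port $port not enslaved"; return 1; }
    done
    [ "$(ls "$bdir/brif" | wc -l)" -eq $# ] || { echo "$bridge: unexpected extra ports"; return 1; }
    [ "$(cat "$bdir/bridge/stp_state")" = 0 ] || { echo "$bridge: STP is on"; return 1; }
    [ "$(cat "$bdir/bridge/forward_delay")" = 0 ] || { echo "$bridge: forward delay is not 0"; return 1; }
    return 0
}

# cfg_get FILE KEY: value of the last uncommented KEY=value or KEY="value"
# line, the format used by both init.cfg files on this page.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_daemons BRIDGE NTOP_CFG DARKSTAT_CFG PORT...: ntop must watch the
# bridge; darkstat must be enabled, watch the bridge or one of its ports, and
# (because its web UI has no authentication) be bound to one address via
# BINDIP rather than listening on every interface of the box.
check_daemons() {
    bridge="$1"; ntop_cfg="$2"; dark_cfg="$3"; shift 3
    rc=0
    [ "$(cfg_get "$ntop_cfg" INTERFACES)" = "$bridge" ] \
        || { echo "ntop: INTERFACES is not $bridge"; rc=1; }
    [ "$(cfg_get "$dark_cfg" START_DARKSTAT)" = yes ] \
        || { echo "darkstat: START_DARKSTAT is not yes"; rc=1; }
    iface=$(cfg_get "$dark_cfg" INTERFACE | sed 's/^-i *//')
    ok=0
    for cand in "$bridge" "$@"; do
        [ "$iface" = "$cand" ] && ok=1
    done
    [ "$ok" -eq 1 ] || { echo "darkstat: INTERFACE '$iface' is not the bridge or one of its ports"; rc=1; }
    [ -n "$(cfg_get "$dark_cfg" BINDIP)" ] \
        || { echo "darkstat: BINDIP unset, web UI listens on every address"; rc=1; }
    return $rc
}
```

With the darkstat file exactly as shown on this page the last check fails, because BINDIP is commented out; uncomment it (or add a firewall rule for port 8888) before the bridge goes live on a segment you do not fully trust.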