This document outlines the creation of a network monitoring bridge on Ubuntu 14.04 but should work on any supported versions at this time. (15/4/16) The bridge can be transparently plugged into any segment of a local subnet to analyze network traffic without disturbing network services. Several services are used for monitoring and they provide comprehensive statistics on network usage and throughput. For more information on what a bridge is see the Linux Documentation Project Bridging Howto.
Sample uses of the network monitor
- Analyze connection problems to local database server
Network configuration: LAN <=> switch <=> Database server
Network with monitoring: LAN <=> switch <=> Network Monitoring Bridge <= PATCH CABLE => Database server
- Analyze network usage on a subnet at our University
Network configuration: INTERNET <=> Gateway firewall <=> Switch <=> Local network Computers
Network with monitoring: INTERNET <=> Gateway firewall <= PATCH CABLE => Network Monitoring Bridge <=> Switch <=> Local network Computers
Begin with a PC. Almost any modern PC will be enough for moderate bandwidth, but if you need close to full gigabit speeds, you will need a more powerful CPU and buss. (PCI will not support full gigabit speeds as you will fill the buss one way and have no room going back out.) Install two network cards on this machine and obtain a Patch cable. If you use gigabit cards, you will not need a crossover cable to connect directly to another PC. If, however, you use 100 meg cards, you may need a crossover cable. You may begin with either a Desktop or Server installation of Ubuntu. See InstallingSoftware for more information.
You will need to know your interfaces names. This used to be eth0 and eth1, but now we have Predictable Network Interface Names which means they could be eth0, p3p1, p2p1, enp9s0, wlp9s0, or eno16777728. (Yes, those are all real examples. Do an ifconfig from the cli to find out what Ubuntu is actually calling your nics.
Install and configure the Software
Install bridge utilities from Main repository
sudo apt-get install bridge-utils
Install monitoring tools
sudo apt-get install darkstat etherape ntop ssh traceroute wireshark zenmap
NOTE: ntopng is a similar, but updated ntop that you may want to consider.
Configure the Bridge
Edit /etc/network/interfaces to reflect your network topology. The following example configuration configures the bridge via DHCP. You could easily modify the line iface bridge01 inet dhcp to be iface bridge01 192.168.1.2 netmask 255.255.255.0 up for a static IP address.
Sample /etc/network/interfaces file
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The bridge interface auto br0 iface br0 inet dhcp bridge_ports eth0 eth1 bridge_stp off bridge_fd 0 bridge_maxwait 0
If you have used bridge utilities on older versions of Linux, you will note that auto eth0 and iface eth0 inet manual are not in the file. This is because br0 will bring up the components assigned to it.
sudo /etc/init.d/networking restart
Edit ntop configuration
sudo nano /var/lib/ntop/init.cfg
Change the INTERFACES line to the name of your bridge. Something like...
configure NTOP to recognize your local subnet
sudo nano /etc/default/ntop
Change the GETOPTS variable to something like...
Set the admin password for NTOP (Enter the password for your sudo account)
sudo ntop --set-admin-password
sudo /etc/init.d/ntop restart
Test ntop by browsing to http://localhost:3000
Edit the configuration file:
sudo nano /etc/darkstat/init.cfg
# Turn this to yes when you have configured the options below. START_DARKSTAT=yes # Don't forget to read the man page. # You must set this option, else darkstat may not listen to # the interface you want INTERFACE="-i br0" PORT="-p 8888" #BINDIP="-b 127.0.0.1" #LOCAL="-l 10.1.1.0/24" #FIP="-f 127.0.0.1" #DNS="-n" #SPY="--spy br0"
NOTE: You can also pick eth0 or eth1 as the interface to prevent tracking your own monitoring traffic. Simply pick the interface that is not between you and the core.
Wireshark is a GUI application. But it does not need a GUI on the monitoring server to run. You can access it remotely with ssh -X even with no GUI on the server.
You will need to configure wireshark to allow non root users to capture packets.
sudo dpkg-reconfigure wireshark-common
You will need to add allowed users to "wireshark" group.
sudo nano /etc/group
Install device and begin monitoring
- To begin monitoring choose a place on your network that you would like to monitor as shown in the examples above
- Plug the patch cable to one of the network devices on the Network Monitoring Bridge
- Unplug the network cable from the computer you would like to monitor and plug the cable into the other network device of the Network Monitoring Bridge
- Plug free end of the patch cable to the computer that will be monitored
- Restart networking on the Network Monitoring Bridge
sudo /etc/init.d/networking restart
View network traffic statistics via ntop at http://ip_address_of_network_monitor:3000
View network traffic statistics via darkstat at http://ip_address_of_network_monitor:8888
Access the other programs via ssh.
ssh -X ip_address_of_network_monitor
Run wireshark, etherape or zenmap in a GUI on your local workstation. (If you are on Windows, youmay wantto install MobaXterm It is a Windows ssh client with X already integrated, with easy setup.
Run nmap from an ssh command line without X if needed.
Bridging is popular, and so it has reference material in several places that may not all be updated at once. These are the links I know of;
KVM Networking - Network configuration for the KVM virtual machines server.
Network Connection Bridge - This page.
Installing bridge utilities - A similar page from a Bridge-Utils point of view.
Network Monitoring Bridge - An in-line sniffer page.