Introduction
This document outlines the creation of a network monitoring bridge on Ubuntu 14.04, but it should work on any supported version at this time (15/4/16). The bridge is plugged inline into any segment of a local subnet and forwards frames transparently, so traffic can be analysed without changing addresses or services on either side; the only disruption is the short outage while the cables are moved. Several services run on the bridge and provide statistics on network usage and throughput. For more information on what a bridge is, see the Linux Documentation Project Bridging Howto.
Sample uses of the network monitor
- Analyze connection problems to local database server
Network configuration: LAN <=> switch <=> Database server
Network with monitoring: LAN <=> switch <=> Network Monitoring Bridge <= PATCH CABLE => Database server
- Analyze network usage on a subnet at our University
Network configuration: INTERNET <=> Gateway firewall <=> Switch <=> Local network Computers
Network with monitoring: INTERNET <=> Gateway firewall <= PATCH CABLE => Network Monitoring Bridge <=> Switch <=> Local network Computers
Prerequisites
Begin with a PC. Almost any modern PC will be enough for moderate bandwidth, but if you need close to full gigabit speeds you will need a more powerful CPU and bus. (Conventional PCI will not support full gigabit speeds: the traffic arriving on one card fills the bus one way and leaves no room to send it back out the other.) Install two network cards in this machine and obtain a patch cable. If you use gigabit cards you will not need a crossover cable to connect directly to another PC, because gigabit ports negotiate the pin-out automatically. If you use 100 Mbit cards, you may need a crossover cable. You may begin with either a Desktop or Server installation of Ubuntu. See InstallingSoftware for more information.
You will need to know your interface names. These used to be eth0 and eth1, but with Predictable Network Interface Names they could be eth0, p3p1, p2p1, enp9s0, wlp9s0 or eno16777728. (Yes, those are all real examples.) Run ifconfig -a from the command line (or ip link on releases that no longer install ifconfig by default) to find out what Ubuntu is actually calling your NICs. Note which of the two cards will face the gateway and which will face the monitored host; the order in bridge_ports does not matter, but you will want to know this when choosing a capture interface later.
Install and configure the Software
Install bridge utilities from the main repository
sudo apt-get install bridge-utils
Install monitoring tools
sudo apt-get install darkstat etherape ntop ssh traceroute wireshark zenmap
NOTE: ntopng is a similar, but updated ntop that you may want to consider.
Configure the Bridge
Edit /etc/network/interfaces to reflect your network topology. The following example configures the bridge via DHCP. For a static address replace the line iface br0 inet dhcp with iface br0 inet static followed by address 192.168.1.2 and netmask 255.255.255.0 lines, keeping the bridge_* lines that follow. A bridge forwards frames whether or not it has an IP address; the address exists only so that you can reach ntop, darkstat and ssh on the monitor. If you would rather the monitor could not be addressed from the monitored segment at all, use iface br0 inet manual and manage the box over a third network card.
Sample /etc/network/interfaces file
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The bridge interface
auto br0
iface br0 inet dhcp
    bridge_ports eth0 eth1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
If you have used bridge utilities on older versions of Linux you will notice that the auto eth0 and iface eth0 inet manual stanzas are not in the file. They are not needed: bringing up br0 also brings up the ports listed in bridge_ports. Do not give eth0 or eth1 addresses of their own; a card that is a member of the bridge should carry no IP configuration.
Restart networking
sudo /etc/init.d/networking restart
or, on releases where that command refuses or only warns that it is deprecated, bring up just the bridge with
sudo ifup br0
or
sudo reboot
Check with brctl show that br0 lists both cards as interfaces before going further.
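As an added example (not part of the original page or of the bridge-utils project), the following script generates the same stanza, including the static and address-less variants, checks that the two cards exist, and after ifup confirms through sysfs that both cards really joined the bridge. The names br0, eth0 and eth1 and the backup path are assumptions; override BRIDGE, PORT_A and PORT_B in the environment to match your NICs.

```shell
#!/bin/sh
# Added example, not from the original page: generate the bridge stanza for
# /etc/network/interfaces, check the two cards exist, and after ifup confirm
# they are really enslaved to the bridge. Names below are assumptions; set
# BRIDGE, PORT_A and PORT_B in the environment to match your NICs.

BRIDGE="${BRIDGE:-br0}"
PORT_A="${PORT_A:-eth0}"
PORT_B="${PORT_B:-eth1}"

# Print the interfaces(5) stanza. MODE is "dhcp", "static" (needs ADDR and
# NETMASK) or "manual" (bridge forwards but has no address of its own).
bridge_stanza() {
    mode="$1"; addr="$2"; mask="$3"
    case "$mode" in
        dhcp|manual)
            printf 'auto %s\niface %s inet %s\n' "$BRIDGE" "$BRIDGE" "$mode" ;;
        static)
            if [ -z "$addr" ] || [ -z "$mask" ]; then
                echo "static mode needs ADDR and NETMASK" >&2
                return 1
            fi
            printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n' \
                "$BRIDGE" "$BRIDGE" "$addr" "$mask" ;;
        *)
            echo "mode must be dhcp, static or manual" >&2
            return 1 ;;
    esac
    # STP off and zero forwarding delay: the monitor starts passing frames at
    # once instead of sitting in listening/learning for ~30 s after ifup.
    printf '    bridge_ports %s %s\n    bridge_stp off\n    bridge_fd 0\n    bridge_maxwait 0\n' \
        "$PORT_A" "$PORT_B"
}

# Succeed only if every named interface exists on this host.
ifaces_exist() {
    for i in "$@"; do
        if ! ip link show "$i" >/dev/null 2>&1; then
            echo "no such interface: $i" >&2
            return 1
        fi
    done
    return 0
}

# After ifup: succeed only if both ports appear under the bridge's brif/
# directory in sysfs, i.e. frames will actually be forwarded between them.
bridge_has_ports() {
    for p in "$PORT_A" "$PORT_B"; do
        if [ ! -d "/sys/class/net/$BRIDGE/brif/$p" ]; then
            echo "$p is not a member of $BRIDGE" >&2
            return 1
        fi
    done
    return 0
}

# Write the file (backing up the old one) and bring the bridge up.
# Only runs when RUN_MAIN=1 so the functions can be sourced safely.
main() {
    mode="${1:-dhcp}"
    stanza=$(bridge_stanza "$mode" "$2" "$3") || exit 1
    ifaces_exist "$PORT_A" "$PORT_B" || exit 1
    sudo cp /etc/network/interfaces "/etc/network/interfaces.bak.$(date +%s)"
    printf '# Generated monitoring-bridge configuration\nauto lo\niface lo inet loopback\n\n%s\n' "$stanza" \
        | sudo tee /etc/network/interfaces >/dev/null
    sudo ifup "$BRIDGE" && bridge_has_ports && echo "$BRIDGE is up with $PORT_A and $PORT_B"
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

Typical use on the monitor: RUN_MAIN=1 PORT_A=enp9s0 PORT_B=enp10s0 sh bridge-setup.sh static 192.168.1.2 255.255.255.0. The sysfs check in bridge_has_ports is the one to keep even if you write the file by hand: a typo in bridge_ports leaves br0 up with an address but forwarding nothing, which looks like a working monitor until the monitored host loses its link.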
Configure ntop
Edit ntop configuration
sudo nano /var/lib/ntop/init.cfg
Change the INTERFACES line to the name of your bridge. Something like...
INTERFACES="br0"
Configure ntop to recognise your local subnet
sudo nano /etc/default/ntop
Change the GETOPTS variable to something like...
GETOPTS="--local-subnets=192.168.1.0/24"
Set the ntop admin password (sudo may first prompt for your own password; ntop then asks for the new admin password. Choose a separate one rather than reusing your account password, because ntop sends it over plain HTTP.)
sudo ntop --set-admin-password
Restart ntop
sudo /etc/init.d/ntop restart
Test ntop by browsing to http://localhost:3000 on the monitor itself. ntop's web interface is unencrypted and, by default, only its admin pages ask for a login, so do not leave port 3000 reachable from the whole monitored segment.
Configuring DarkStat
Edit the configuration file:
sudo nano /etc/darkstat/init.cfg
# Turn this to yes when you have configured the options below.
START_DARKSTAT=yes

# Don't forget to read the man page.

# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i br0"

PORT="-p 8888"
#BINDIP="-b 127.0.0.1"
#LOCAL="-l 10.1.1.0/24"
#FIP="-f 127.0.0.1"
#DNS="-n"
#SPY="--spy br0"
NOTE: You can also give darkstat eth0 or eth1 instead of br0. Traffic the bridge forwards crosses both cards, but the monitor's own traffic (your ssh session, the web pages you are viewing) only leaves through the card that faces the gateway, so capturing on the other card keeps your own monitoring traffic out of the statistics. Simply pick the interface that is not between you and the core.
Configuring Wireshark
Wireshark is a GUI application, but the monitoring server does not need a desktop installed to run it: over ssh -X the window is drawn on your workstation while the capture happens on the server.
You will need to configure wireshark so that non-root users can capture packets. Answer "Yes" when dpkg-reconfigure asks whether non-superusers should be able to capture; this grants the capture capabilities to the dumpcap helper for members of the "wireshark" group only, which is safer than running the whole GUI as root.
sudo dpkg-reconfigure wireshark-common
You will then need to add each allowed user to the "wireshark" group (the membership takes effect at that user's next login).
sudo nano /etc/group
Install device and begin monitoring
- To begin monitoring, choose a place on your network that you would like to monitor, as shown in the examples above
- Plug the patch cable into one of the network devices on the Network Monitoring Bridge
- Unplug the network cable from the computer you would like to monitor and plug that cable into the other network device of the Network Monitoring Bridge
- Plug the free end of the patch cable into the computer that will be monitored
- Restart networking on the Network Monitoring Bridge (or ifup br0) and confirm that the monitored computer can still reach the network
sudo /etc/init.d/networking restart
The link is down from the moment you unplug the cable until the bridge is forwarding, and stays down whenever the monitor is off or rebooting, so schedule this for a quiet period. From now on the monitor carries, and can read, every packet on that segment: keep it patched, give it a strong local password, and expose its services only to the administrators who need them.
View network traffic statistics via ntop at http://ip_address_of_network_monitor:3000
View network traffic statistics via darkstat at http://ip_address_of_network_monitor:8888
Both pages are served over plain HTTP from the bridge's own address, so every host on the monitored segment can reach them, and darkstat asks for no login at all. Treat them as admin interfaces: restrict them to your workstation with a firewall rule, or bind them to 127.0.0.1 (the commented BINDIP line in the darkstat configuration above) and reach them through an ssh tunnel.
Access the other programs via ssh.
ssh -X ip_address_of_network_monitor
Run wireshark, etherape or zenmap in a GUI on your local workstation. (If you are on Windows, you may want to install MobaXterm, a Windows ssh client with X already integrated and easy setup.)
Run nmap from an ssh command line without X if needed.
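As an added example (not from the original page or from the ntop or darkstat projects), the following script audits which of the monitor's listening ports are bound to every address and therefore reachable from the monitored segment. It reads the output of ss -ltn; the port list and the sample ss output are constructed assumptions, and the sample is not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original page: list the monitor's listening
# ports that are reachable from the monitored segment. Pipe real `ss -ltn`
# output into exposed_listeners, or run it on the constructed sample below.

# Ports used by the services on this page: ssh, ntop and darkstat. Assumed
# defaults; override MONITOR_PORTS if you changed them.
MONITOR_PORTS="${MONITOR_PORTS:-22 3000 8888}"

# Constructed sample of `ss -ltn` output (not captured from a real box):
# sshd and ntop bound to every address, darkstat already restricted to
# loopback via BINDIP="-b 127.0.0.1".
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22              *:*
LISTEN 0      128    :::22             :::*
LISTEN 0      50     *:3000            *:*
LISTEN 0      50     127.0.0.1:8888    *:*'

# Read ss output on stdin; print "port address" for each LISTEN socket on one
# of MONITOR_PORTS whose local address is a wildcard (reachable via br0).
# The header line and unrelated ports are skipped. Handles both the old
# "*:22" / ":::22" and the newer "0.0.0.0:22" / "[::]:22" spellings.
exposed_listeners() {
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = LISTEN ] || continue
        port="${laddr##*:}"   # text after the last colon
        addr="${laddr%:*}"    # text before the last colon (":::22" -> "::")
        for p in $MONITOR_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                '*'|0.0.0.0|'::'|'[::]') echo "$port $addr" ;;
            esac
        done
    done
}

# Wrapper for scripts and cron: 0 if nothing is exposed, 1 plus a report
# on stderr otherwise.
check_exposure() {
    report=$(exposed_listeners)
    if [ -n "$report" ]; then
        echo "exposed on the monitored segment (port address):" >&2
        printf '%s\n' "$report" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On the monitor run: ss -ltn | check_exposure
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this reports 22 and 3000 but not 8888, which is what you want after uncommenting BINDIP="-b 127.0.0.1" for darkstat. You then reach darkstat with ssh -L 8888:127.0.0.1:8888 ip_address_of_network_monitor and browse http://localhost:8888 on your workstation. ntop's -w option takes an optional bind address in front of the port (see ntop(8)), so the same trick works for port 3000; sshd on 22 should stay reachable but limited to administrator addresses with a firewall rule.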
Additional Information
Bridging is popular, and so it has reference material in several places that may not all be updated at once. These are the links I know of:
KVM Networking - Network configuration for the KVM virtual machines server.
Network Connection Bridge - This page.
Installing bridge utilities - A similar page from a Bridge-Utils point of view.
Network Monitoring Bridge - An in-line sniffer page.