This is an update of an older post, as the utilities change, so has this concept of a cheap network spike - I use it to troubleshoot network issues, usually between a router and the network to understand what traffic is going where. The concept involves a transparent bridge between two network interface cards, and then looking at that traffic with a variety of tools to determine network traffic specifics. Most recently I used one to determine if a 4MB SDSL connection was saturated or not. It turned out the router was incorrectly configured and the connection had a maximum usage under 100Kb/s (!) At $1600 / month it's probably important to get this right - especially when the client was considering upgrading to a faster (and more expensive) link based on their DSL provider's advice.
I'm using an old Dell Vostro desktop PC with a dual gigabit NIC in it - low profile and fits into the box nicely. Added a bit of extra RAM and a decent disk and that's really it. I'm also running this on an old Dell D420 with a gigabit PCMCIA adaptor - useful for the out and about jobs.
- Ubuntu 12.04 LTS - I've chosen this for longevity purposes, previously I'd used non-LTS operating systems and the updates naturally ran out. I tried this with FreeBSD 9.1 but had issues with packages and getting traffic across the network bridge effectively (probably more my screw up than FreeBSD's)
- ntop - network traffic analysis monitor from www.ntop.org. They have version 5 available from the repositories on the site, version 4 is included in Ubuntu 12.04
- iftop - a neat command line package that shows network usage from a terminal screen. Highly configurable
- tcpdump or equivalent for deeper packet analysis.
Setting up the box and the ethernet bridge
Setting up the box is straight forward - go through the usual Ubuntu installation. Use aptitude or apt-get to install bridge-utils and iftop
We want the network bridge between our ethernet adaptors to come up automatically. To do so edit /etc/rc.local and pop this into it (assuming eth1 and eth2 are the interfaces you want to bridge. I have eth0 configured statically in this instance so I can browse from other machines to it)
brctl addbr br0
ifconfig eth1 0.0.0.0 promisc up
ifconfig eth2 0.0.0.0 promisc up
brctl addif br0 eth1
brctl addif br0 eth2
ip link set br0 up
This will bring the bridge up at boot time.
After you've added the necessary repositories to your aptitude configuration, install ntop5 using apt-get install ntop5
I run this from the command line - as a service it seems to fail fairly consistently. The command is:
ntop -P /var/lib/ntop -Q /usr/local/share/ntop/spool/ -i br0 -u ntop -m 192.168.0.0/24 -d
-P sets the database file path
-Q sets the spool file path
-i sets the interface (br0 as per /etc/rc.local)
-m sets the local subnet - in this case 192.168.0.0/24 (change to suit)
-d sets it to become a daemon freeing up your terminal
Browse to localhost:3000 to find your ntop installation, or if you have a third network card go to the address on the network e.g. 192.168.0.30:3000 and view your traffic stats.
To get what I want out of iftop, I run a script that calls it and configure the /etc/iftoprc file. The script is:
# customisable settings
IFACE="br0" # the bridged interface
/usr/sbin/iftop -p -n -N -i $IFACE -F $LOCALNET -c $CONF
The contects of /etc/iftoprc are:
Again customise to suit and start monitoring that network!