[afnog] Network Monitoring Tools

Iñigo Ortiz de Urbina inigo at infornografia.net
Wed May 9 17:47:17 UTC 2012


On Wed, May 9, 2012 at 5:43 PM, Chris Wilson <chris+afnog at aptivate.org> wrote:
> Hi David,
>
>
> On Wed, 9 May 2012, david aliata wrote:
>
>> I have several sites whose internet connections are terminated on Cisco ASA
>> 5510, Cisco 1941/1841, Catalyst Switches and Cisco APs. I would like to be
>> able to capture traffic from these sites and analyze it so that I can
>> determine
>>
>> Who are our Top Talkers and who are they "talking" to in these sites
>
>
> We don't have Cisco routers, but we use pmacct, which can also receive and
> process netflow data from Cisco routers. We also use Argus, which only does
> promiscuous mode, for audit records. I know others use NFsen for things like
> this.
>
>
>> What websites are routinely being visited and what is being downloaded
>
>
> This is much more difficult to monitor. Basically your best bet is to force
> everyone to use an HTTP proxy, either by intercepting their connections with
> NAT or WCCP and redirecting them to a transparent proxy, or by blocking port
> 80.
>
> It might be possible to do some funky passive monitoring with Snort or
> Tshark, but I haven't done it and I'm not sure.
>
>
>> If there are any signs of rogue network applications or malicious
>> activity on the network
>
>
> We don't use it, but when I worked for a network security company, we used
> Snort. It's free, reasonable, but needs very careful tuning to avoid false
> alarms. I also don't consider IDS particularly useful unless you either:
>
> (1) automatically block it, and live with the consequences of blocking
> legitimate traffic whenever you get a false alarm; or
>
> (2) employ people ("investigators" or "enforcers") to jump on it as soon as
> it happens, and live with the cost of maintaining a team of them on call);
> or
>
> (3) you don't actually care about stopping it, but you want to be able to
> point fingers at someone else after the fact (CYA).
>
>
>> Determine Top applications in use in a particular site and bandwidth
>> requirements
>
>
> We do this based on ports and IP addresses, but I know Packeteer makes a big
> deal about being able to present this data in "user-friendly reports to
> management", and they charge appropriately.
>
> Cheers, Chris.
> --
> Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
> Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK
>
> Aptivate is a not-for-profit company registered in England and Wales
> with company number 04980791.
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog

You can also use Splunk (you do not have to pay unless you index
>500MB/day) to centralize the logs of all your equipment and perform
ad hoc research on your data. You can also install the Cisco Security
Suite app [1] which will parse ASA/PIX output specifically and perform
some analysis on your behalf (geolocation visualization as well as TOP
X charts you are interested in). Splunk is also extensible and can
be used to extract the information you need and make operations with
it.

Also, considering you are up to a fresh start, take a look at
Observium [2] and Icinga, Zabbix [3] as alternatives to Cacti and
Nagios respectively.

As for latency monitoring, smokeping [4] is a perfectly usable tool
which also lets you customize what kind of probing you want to perform
(HTTP, DNS, ICMP and so on).

I concur with the suggestions of pmacct and nfsen.

Best,

[1] http://splunk-base.splunk.com/apps/22300/cisco-security-suite
[2] http://www.observium.org/wiki/Main_Page
[3] https://www.icinga.org/
     http://www.zabbix.com/
[4] http://oss.oetiker.ch/smokeping/

-- 
- So this is the future of man: to warm himself in the rays of the
sun, to bathe in the clear streams of water, and to eat the fruits of
the earth, forgetting all work and fatigue.

- Well, and why not?

"El tiempo en sus manos"
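Chris's suggestion of exporting NetFlow from the Cisco routers into pmacct or NFsen is the usual route to the "top talkers and who they talk to" question. The script below is an added example for this thread, not code from the original posts, pmacct or NFsen: it decodes a NetFlow v5 export datagram (the fixed-layout format the 1841/1941 and ASA exporters speak; v9 and IPFIX are template based and need a different parser), applies the exporter's sampling rate, rejects truncated or non-v5 datagrams, and ranks octets by source host and by host pair. The datagram and the addresses in it are constructed in the file, not captured from a router.

```python
"""Decode a NetFlow v5 export datagram and rank top talkers.

Added example for the afnog thread, not pmacct/NFsen code. The export
datagram is built in this file from constructed sample flows.
"""
import struct
import socket
from collections import Counter

# NetFlow v5 wire layout, network byte order: 24-byte header followed by
# up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows (assumed addresses, not a real capture):
# (src, dst, proto, sport, dport, packets, octets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 6, 51234, 80, 1200, 1_500_000),
    ("93.184.216.34", "10.0.0.5", 6, 80, 51234, 4500, 6_000_000),
    ("10.0.0.5", "203.0.113.9", 6, 51300, 443, 400, 400_000),
    ("10.0.0.9", "93.184.216.34", 6, 40000, 80, 60, 50_000),
    ("10.0.0.7", "8.8.8.8", 17, 33000, 53, 2, 2_000),
]


def build_v5_datagram(flows, sampling_interval=0):
    """Pack flows into one v5 export datagram, as an exporter would send it."""
    if len(flows) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
    # engine_type, engine_id, sampling_interval
    header = V5_HEADER.pack(5, len(flows), 1000, 1336585637, 0, 1, 0, 0,
                            sampling_interval)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"),        # nexthop
            1, 2,                               # input / output ifIndex
            pkts, octets, 0, 0,                 # dPkts, dOctets, first, last
            sport, dport, 0, 0x18, proto, 0,    # ports, pad, tcp_flags, prot, tos
            0, 0, 24, 24, 0)                    # src_as, dst_as, masks, pad
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram into flow dicts; reject wrong versions and truncation."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but length does not match")
    # Cisco packs the sampling mode in the top two bits and the 1-in-N
    # rate in the low 14 bits; 0 means unsampled.
    rate = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(rec[0]), "dst": socket.inet_ntoa(rec[1]),
            "proto": rec[13], "sport": rec[9], "dport": rec[10],
            "pkts": rec[5] * rate, "octets": rec[6] * rate,
        })
    return flows


def top_talkers(flows, n=3):
    """Octets sent per source address, largest first."""
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["octets"]
    return by_src.most_common(n)


def top_conversations(flows, n=3):
    """Octets per host pair regardless of direction, so a download and the
    request side that triggered it land in the same bucket."""
    pairs = Counter()
    for f in flows:
        pairs[tuple(sorted((f["src"], f["dst"])))] += f["octets"]
    return pairs.most_common(n)


if __name__ == "__main__":
    decoded = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    for ip, octets in top_talkers(decoded):
        print(f"{ip:>15}  {octets:>10} bytes sent")
    for (a, b), octets in top_conversations(decoded):
        print(f"{a} <-> {b}: {octets} bytes")
```

On a real collector the datagram would come from a UDP socket bound to the export port configured on the router; everything after that point is the same. Note that with per-source ranking the busiest "talker" is the external web server returning the download, which is why the host-pair view is the one to use for "who is talking to whom".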


