[afnog] Network Monitoring Tools

c.ikusan at nixp.net c.ikusan at nixp.net
Wed May 9 18:23:31 UTC 2012


Hello David,

According to Seun, those are the valuable free tools you can lay your hands on. Especially Nagios: it monitors bandwidth, and it's very sensitive, reliable and robust.

Regards

Ikusan Charles A.
Internet Exchange Point of Nigeria
c.ikusan at nixp.net
www.nixp.net


-----Original Message-----
From: afnog-request at afnog.org
Sender: afnog-bounces at afnog.org
Date: Wed, 09 May 2012 17:47:33 
To: <afnog at afnog.org>
Reply-To: afnog at afnog.org
Subject: afnog Digest, Vol 98, Issue 7

Send afnog mailing list submissions to
	afnog at afnog.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://afnog.org/mailman/listinfo/afnog
or, via email, send a message with subject or body 'help' to
	afnog-request at afnog.org

You can reach the person managing the list at
	afnog-owner at afnog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of afnog digest..."


Today's Topics:

   1.  Network Monitoring Tools (david aliata)
   2. Re:  Network Monitoring Tools (Seun Ojedeji)
   3. Re:  Network Monitoring Tools (Chris Wilson)
   4. Re:  Network Monitoring Tools (Phil Regnauld)
   5. Re:  Network Monitoring Tools (Iñigo Ortiz de Urbina)


----------------------------------------------------------------------

Message: 1
Date: Wed, 9 May 2012 18:23:27 +0300
From: david aliata <aliatadavid at gmail.com>
To: afnog at afnog.org
Subject: [afnog] Network Monitoring Tools
Message-ID:
	<CAOdpEMZe-xe=40hYrKWQ5RrHJHQHLGBFNfiHNyn0b6qDg4QYJQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Guys,

I would like some advice on free monitoring tools that you are using to
monitor your WAN. Specifically, I have several sites whose internet
connections are terminated on Cisco ASA 5510, Cisco 1941/1841, Catalyst
Switches and Cisco APs. I would like to be able to capture traffic from
these sites and analyze it so that I can determine:

   I.   Who our Top Talkers are and who they are "talking" to at these sites
   II.  What websites are routinely being visited and what is being downloaded
   III. If there are any signs of rogue network applications or malicious
        activity on the network
   IV.  The top applications in use at a particular site and their bandwidth
        requirements

Any ideas are appreciated.


Regards!

Aliata D.
"I have seen something else under the sun: The race is not to the swift or
the battle to the strong, nor does food come to the wise or wealth to the
brilliant or favor to the learned; but time and chance happen to them all".
Ecclesiastes 9:11


------------------------------

Message: 2
Date: Wed, 9 May 2012 17:32:35 +0200
From: Seun Ojedeji <seun.ojedeji at gmail.com>
To: david aliata <aliatadavid at gmail.com>
Cc: afnog at afnog.org
Subject: Re: [afnog] Network Monitoring Tools
Message-ID:
	<CAD_dc6i5X3wxq8Vat0KsTY6wC-W=8Se14OsMam4+d-OMa0ONeA at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello David, I don't think there is an all-in-one solution to handle all this,
unless you want to go the proprietary way.

Below are a few tools that could help:

Availability logging/monitoring: Nagios
Bandwidth monitoring: Cacti
User destination logging: Ntop

Cheers!
On Wed, May 9, 2012 at 5:23 PM, david aliata <aliatadavid at gmail.com> wrote:

> Hello Guys,
>
> I would like some advice on free monitoring tools that you are using to
> monitor your WAN. Specifically, I have several sites whose internet
> connections are terminated on Cisco ASA 5510, Cisco 1941/1841, Catalyst
> Switches and Cisco APs. I would like to be able to capture traffic from
> these sites and analyze it so that I can determine:
>
>    I.   Who our Top Talkers are and who they are "talking" to at these sites
>    II.  What websites are routinely being visited and what is being downloaded
>    III. If there are any signs of rogue network applications or malicious
>         activity on the network
>    IV.  The top applications in use at a particular site and their bandwidth
>         requirements
>
> Any ideas are appreciated.
>
>
> Regards!
>
> Aliata D.
> "I have seen something else under the sun: The race is not to the swift or
> the battle to the strong, nor does food come to the wise or wealth to the
> brilliant or favor to the learned; but time and chance happen to them all".
> Ecclesiastes 9:11
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog
>



-- 
------------------------------------------------------------------------

Seun Ojedeji,
Federal University Oye-Ekiti
web:      http://www.fuoye.edu.ng
Mobile: +2348035233535
alt email: seun.ojedeji at fuoye.edu.ng

------------------------------

Message: 3
Date: Wed, 9 May 2012 15:43:05 +0000 (GMT)
From: Chris Wilson <chris+afnog at aptivate.org>
To: david aliata <aliatadavid at gmail.com>
Cc: afnog at afnog.org
Subject: Re: [afnog] Network Monitoring Tools
Message-ID: <alpine.DEB.2.02.1205091535190.9226 at lap-x201>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi David,

On Wed, 9 May 2012, david aliata wrote:

> I have several sites whose internet connections are terminated on Cisco 
> ASA 5510, Cisco 1941/1841, Catalyst Switches and Cisco APs. I would like 
> to be able to capture traffic from these sites and analyze it so that I 
> can determine
> 
> Who our Top Talkers are and who they are "talking" to at these sites

We don't have Cisco routers, but we use pmacct, which can also receive and 
process netflow data from Cisco routers. We also use Argus, which only 
does promiscuous mode, for audit records. I know others use NFsen for 
things like this.

> What websites are routinely being visited and what is being downloaded

This is much more difficult to monitor. Basically your best bet is to 
force everyone to use an HTTP proxy, either by intercepting their 
connections with NAT or WCCP and redirecting them to a transparent proxy, 
or by blocking port 80.

It might be possible to do some funky passive monitoring with Snort or 
Tshark, but I haven't done it and I'm not sure.

> If there are any signs of rogue network applications or malicious 
> activity on the network

We don't use it, but when I worked for a network security company, we used 
Snort. It's free, reasonable, but needs very careful tuning to avoid false 
alarms. I also don't consider IDS particularly useful unless you either:

(1) automatically block it, and live with the consequences of blocking 
legitimate traffic whenever you get a false alarm; or

(2) employ people ("investigators" or "enforcers") to jump on it as soon as 
it happens, and live with the cost of maintaining a team of them on call; 
or

(3) you don't actually care about stopping it, but you want to be able to 
point fingers at someone else after the fact (CYA).

> Determine Top applications in use in a particular site and bandwidth 
> requirements

We do this based on ports and IP addresses, but I know Packeteer makes a 
big deal about being able to present this data in "user-friendly reports 
to management", and they charge appropriately.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.

------------------------------

Message: 4
Date: Wed, 9 May 2012 16:03:42 +0000
From: Phil Regnauld <regnauld at nsrc.org>
To: Chris Wilson <chris+afnog at aptivate.org>
Cc: afnog at afnog.org
Subject: Re: [afnog] Network Monitoring Tools
Message-ID: <20120509160342.GH30024 at macbook.bluepipe.net>
Content-Type: text/plain; charset=utf-8

Chris Wilson (chris+afnog) writes:
> >
> >If there are any signs of rogue network applications or malicious
> >activity on the network
> 
> We don't use it, but when I worked for a network security company,
> we used Snort. It's free, reasonable, but needs very careful tuning
> to avoid false alarms. I also don't consider IDS particularly useful
> unless you either:

	NetFlow will go a long way to help you identify anomalous network
	usage as well.

> (1) automatically block it, and live with the consequences of
> blocking legitimate traffic whenever you get a false alarm; or

	Well, it's still useful to know what's happening.

> (2) employ people ("investigators" or "enforcers" to jump on it as
> soon as it happens, and live with the cost of maintaining a team of
> them on call); or
> 
> (3) you don't actually care about stopping it, but you want to be
> able to point fingers at someone else after the fact (CYA).

	Audit trails are also useful, the intrusion may be a lead in
	for something bigger, or just a good way to know what people
	are looking for and fix things before they become a problem.

	Phil
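As an added illustration (not code from any poster on this thread) of what the NetFlow-based approach Chris and Phil describe can yield, here is a small Python script over constructed flow records that answers David's points I, III and IV: top talkers with their main peer, a fan-out heuristic for anomalous usage, and top applications classified by port and IP as Chris does. The flow records, the port-to-application table and the 20-peer threshold are all assumptions; point II (websites visited) is deliberately left out, since, as Chris notes, flow data alone does not give you URLs.

```python
from collections import Counter, defaultdict

# Constructed sample flow records, in the shape a NetFlow collector such as
# pmacct or nfsen exports: (src, dst, proto, dst_port, bytes). Not real data.
# The last host deliberately touches 40 distinct peers on one port.
FLOWS = [
    ("10.1.0.5", "203.0.113.10", "tcp", 443, 5_200_000),
    ("10.1.0.5", "203.0.113.10", "tcp", 80, 1_100_000),
    ("10.1.0.7", "198.51.100.3", "udp", 53, 4_000),
    ("10.1.0.7", "203.0.113.22", "tcp", 443, 820_000),
    ("10.1.0.9", "203.0.113.40", "tcp", 22, 60_000),
    ("10.1.0.5", "198.51.100.9", "tcp", 6881, 9_800_000),
] + [("10.1.0.12", f"203.0.113.{i}", "tcp", 445, 300) for i in range(1, 41)]

# Port-based application labels (an assumed table); unknown ports are
# reported as proto/port so nothing silently disappears from the ranking.
APP_BY_PORT = {80: "http", 443: "https", 53: "dns", 22: "ssh", 445: "smb", 6881: "bittorrent"}

def app_of(proto, port):
    return APP_BY_PORT.get(port, f"{proto}/{port}")

def top_talkers(flows, n=3):
    """(I) Hosts sending the most bytes, each with the peer they talk to most."""
    by_src, by_pair = Counter(), Counter()
    for src, dst, _, _, nbytes in flows:
        by_src[src] += nbytes
        by_pair[(src, dst)] += nbytes
    out = []
    for src, total in by_src.most_common(n):
        peer = max((d for (s, d) in by_pair if s == src), key=lambda d: by_pair[(src, d)])
        out.append((src, total, peer))
    return out

def top_apps(flows, n=3):
    """(IV) Applications ranked by bytes, for sizing bandwidth per site."""
    by_app = Counter()
    for _, _, proto, port, nbytes in flows:
        by_app[app_of(proto, port)] += nbytes
    return by_app.most_common(n)

def fan_out_anomalies(flows, max_peers=20):
    """(III) Hosts contacting unusually many distinct peers on one application:
    a simple NetFlow anomaly heuristic. The threshold is an assumption and
    needs tuning per site, exactly as Chris warns for IDS signatures."""
    peers = defaultdict(set)
    for src, dst, proto, port, _ in flows:
        peers[(src, app_of(proto, port))].add(dst)
    return sorted((src, app, len(p)) for (src, app), p in peers.items() if len(p) > max_peers)

if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("top apps:", top_apps(FLOWS))
    print("fan-out anomalies:", fan_out_anomalies(FLOWS))
```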



------------------------------

Message: 5
Date: Wed, 9 May 2012 19:47:17 +0200
From: Iñigo Ortiz de Urbina <inigo at infornografia.net>
To: Chris Wilson <chris+afnog at aptivate.org>
Cc: afnog at afnog.org
Subject: Re: [afnog] Network Monitoring Tools
Message-ID:
	<CAEpytbZxfsKqjhPOAiVu0PGTuxeVoCvNj0P1PwxFjebou3dvHg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, May 9, 2012 at 5:43 PM, Chris Wilson <chris+afnog at aptivate.org> wrote:
> Hi David,
>
>
> On Wed, 9 May 2012, david aliata wrote:
>
>> I have several sites whose internet connections are terminated on Cisco ASA
>> 5510, Cisco 1941/1841, Catalyst Switches and Cisco APs. I would like to be
>> able to capture traffic from these sites and analyze it so that I can
>> determine
>>
>> Who our Top Talkers are and who they are "talking" to at these sites
>
>
> We don't have Cisco routers, but we use pmacct, which can also receive and
> process netflow data from Cisco routers. We also use Argus, which only does
> promiscuous mode, for audit records. I know others use NFsen for things like
> this.
>
>
>> What websites are routinely being visited and what is being downloaded
>
>
> This is much more difficult to monitor. Basically your best bet is to force
> everyone to use an HTTP proxy, either by intercepting their connections with
> NAT or WCCP and redirecting them to a transparent proxy, or by blocking port
> 80.
>
> It might be possible to do some funky passive monitoring with Snort or
> Tshark, but I haven't done it and I'm not sure.
>
>
>> If there are any signs of rogue network applications or malicious
>> activity on the network
>
>
> We don't use it, but when I worked for a network security company, we used
> Snort. It's free, reasonable, but needs very careful tuning to avoid false
> alarms. I also don't consider IDS particularly useful unless you either:
>
> (1) automatically block it, and live with the consequences of blocking
> legitimate traffic whenever you get a false alarm; or
>
> (2) employ people ("investigators" or "enforcers") to jump on it as soon as
> it happens, and live with the cost of maintaining a team of them on call;
> or
>
> (3) you don't actually care about stopping it, but you want to be able to
> point fingers at someone else after the fact (CYA).
>
>
>> Determine Top applications in use in a particular site and bandwidth
>> requirements
>
>
> We do this based on ports and IP addresses, but I know Packeteer makes a big
> deal about being able to present this data in "user-friendly reports to
> management", and they charge appropriately.
>
> Cheers, Chris.
> --
> Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
> Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK
>
> Aptivate is a not-for-profit company registered in England and Wales
> with company number 04980791.
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog

You can also use Splunk (you do not have to pay unless you index >500MB/day)
to centralize the logs of all your equipment and perform ad hoc research on
your data. You can also install the Cisco Security Suite app [1], which will
parse ASA/PIX output specifically and perform some analysis on your behalf
(geolocation visualization as well as the TOP X charts you are interested
in). Splunk is also extensible and can be used to extract the information
you need and make operations with it.

Also, considering you are up for a fresh start, take a look at
Observium [2] and Icinga, Zabbix [3] as alternatives to Cacti and
Nagios respectively.

As for latency monitoring, smokeping [4] is a perfectly usable tool
which also lets you customize what kind of probing you want to perform
(HTTP, DNS, ICMP and so on).

I concur with the suggestions of pmacct and nfsen.

Best,

[1] http://splunk-base.splunk.com/apps/22300/cisco-security-suite
[2] http://www.observium.org/wiki/Main_Page
[3] https://www.icinga.org/
     http://www.zabbix.com/
[4] http://oss.oetiker.ch/smokeping/

-- 
- So this is the future of man: to warm himself in the rays of the
sun, to bathe in the clear streams of water, and to eat the fruits of
the earth, forgetting all work and fatigue.

- Well, and why not?

"El tiempo en sus manos"



------------------------------

_______________________________________________
afnog mailing list

End of afnog Digest, Vol 98, Issue 7
************************************