I wish to set up a network monitoring machine to track network traffic in an office of about 100 users. The main focus of attention is the traffic passing between our router and the network, as we recently and inexplicably had most of the bandwidth of our half meg leased line saturated by network traffic for over a day.
The router is a proprietary network appliance providing NAT/VPN and a firewall. I have tested tcpdump at another smaller office, where I was able to trace all the network traffic between the gateway and workstations all linked on the same small switch. However, in the larger office the Bay 450-24T (now Nortel) managed switches we use appear to confound tcpdump, so that only traffic between the localhost and the targeted system appears, even if I place a mini-hub between the tracing machine and the switch (which also provides the network connection to the router). I get a message from tcpdump saying that eth0 has entered promiscuous mode, so I guess that the capabilities of the ethernet card aren't the problem.

Is the solution to use the Bay switch port mirroring feature? If this is the thing to do, would I need another ethernet interface to connect to the network normally?

I would like to run arpwatch on the same machine (so only one machine in the office is in promiscuous mode) - is that feasible?

I hope to hold 3 days' tcpdump information on disk, and analyse this with Ethereal or some similar tool if necessary. I'm hoping not to lose too much of the information, so I wasn't thinking of filtering much. I'd be grateful for some expert advice on the suitability of this approach.

The disk of the network monitoring machine has about 15G free. I'm running Debian woody on i386.

[ps I posted this to the tcpdump workers list, but haven't had any replies, so I thought I'd try here!]

Thanks for any help
Rory
--
Rory Campbell-Lange <[EMAIL PROTECTED]> <www.campbell-lange.net>
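An added example, not part of Rory's post, of how a practitioner would size the capture for the approach described (mirror the router's switch port, keep about 3 days on ~15G, run arpwatch alongside). It assumes the switch mirrors the router's port to a second, address-less NIC (eth1) while eth0 keeps normal LAN access, a tcpdump recent enough to have the -C/-W ring-buffer options (not guaranteed on woody's version), a constructed monitor address 192.0.2.10, and an existing /var/cap directory.

```shell
#!/bin/sh
# Added example (not from the original post). Sizes a tcpdump ring buffer for
# the mirrored router port so the capture never outgrows the disk, and shows
# the capture command. Assumptions: eth0 = normal LAN interface, eth1 = port
# fed by the switch's mirror of the router port (no IP address on it),
# 192.0.2.10 = the monitor's own address (constructed), /var/cap exists.

# Worst case, in megabytes per day, if the leased line were saturated all day.
# $1 = link speed in kbit/s.
worst_case_mb_per_day() {
    # kbit/s -> bytes/s (/8) -> bytes/day (*86400) -> MB (/1000000)
    echo $(( $1 * 1000 / 8 * 86400 / 1000000 ))
}

# Number of ring files (-W) so that the ring never exceeds the disk budget.
# $1 = disk budget in MB, $2 = size of each -C file in MB.
ring_files() {
    echo $(( $1 / $2 ))
}

# Whole days the budget covers at a given daily volume.
# $1 = disk budget in MB, $2 = MB per day.
retention_days() {
    echo $(( $1 / $2 ))
}

# 15G free; keep ~3G headroom for arpwatch logs and copies made for analysis.
BUDGET_MB=12000
FILE_MB=200
NFILES=$(ring_files "$BUDGET_MB" "$FILE_MB")      # 60 files
DAILY_MB=$(worst_case_mb_per_day 512)              # 5529 MB/day
# retention_days "$BUDGET_MB" "$DAILY_MB" gives 2: a saturated half-meg line
# fills the budget in just over two days, so holding 3 days of a busy line
# needs a snaplen (-s) or a capture filter after all.

# Capture from the mirror port. A mirror port only delivers copies of the
# router port's frames, so eth1 carries no IP and eth0 keeps normal access.
# -n: no name lookups; -s 0: full packets; -C/-W: rotate at FILE_MB million
# bytes, keep NFILES numbered files and overwrite the oldest.
start_capture() {
    tcpdump -i eth1 -n -s 0 -C "$FILE_MB" -W "$NFILES" \
        -w /var/cap/router.pcap 'not host 192.0.2.10'
}

# arpwatch can watch the same mirror interface:  arpwatch -i eth1
```

Only the sizing functions run when the script is sourced; call start_capture from an init script or a screen session to begin capturing.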