Is possible monitor the source of the network from a device?
Hi, is it possible to monitor all the sources of the network traffic from only one device?
For example, I have a firewall with one interface connected to the LAN. I know that I can monitor that interface and get the inbound and outbound network traffic values. However, I want to know which device is using more bandwidth, how much, and send alerts if necessary. Is that possible? Perhaps with the IP? Or is the only way to monitor each device in the LAN?
Thank you.
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Is possible monitor the source of the network from a dev
That requires analysis of flow data. I don't know of any plugins that work with Core to provide this data, but we do have our commercial offering that does exactly what you want.
Nagios Network Analyzer
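The answer above is that per-device bandwidth comes from flow data rather than from interface counters. As an added example (not part of this thread and not Nagios Network Analyzer's own code), the script below takes flow records that a firewall's LAN interface has exported, attributes each flow's bytes to the LAN host that sent or received it, ranks the top talkers, and lists the hosts over an alert threshold. The flow lines, the LAN prefix 192.168.1.0/24 and the threshold are constructed assumptions; a real deployment would feed it the collector's output instead.

```python
"""Per-host bandwidth from exported flow records, with a threshold alert.

Added example; not part of the forum thread or of Nagios Network Analyzer.
Assumes flows exported from the firewall's LAN interface (e.g. by fprobe)
have been dumped as text lines "src_ip dst_ip bytes". The lines below are
constructed sample data, not real captures.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows: one "src_ip dst_ip bytes" record per line.
SAMPLE_FLOWS = """\
192.168.1.10 93.184.216.34 1500000
93.184.216.34 192.168.1.10 48000000
192.168.1.20 192.168.1.10 250000
192.168.1.30 151.101.1.69 12000000
151.101.1.69 192.168.1.30 3000000
192.168.1.20 8.8.8.8 4000
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix behind the firewall


def parse_flows(text):
    """Yield (src, dst, nbytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]),
                   int(parts[2]))
        except ValueError:
            continue  # unparsable address or byte count: ignore the record


def bytes_per_host(flows, lan=LAN):
    """Attribute each flow's bytes to the LAN host that sent or received it.

    Returns {host_ip: {"in": bytes, "out": bytes}}. A flow between two LAN
    hosts counts as 'out' for the sender and 'in' for the receiver.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, nbytes in flows:
        if src in lan:
            totals[str(src)]["out"] += nbytes
        if dst in lan:
            totals[str(dst)]["in"] += nbytes
    return dict(totals)


def top_talkers(totals, n=3):
    """LAN hosts ranked by combined in+out bytes, highest first."""
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)
    return [(host, t["in"] + t["out"]) for host, t in ranked[:n]]


def alerts(totals, threshold_bytes):
    """Hosts whose combined traffic exceeds the threshold for this window."""
    return sorted(host for host, t in totals.items()
                  if t["in"] + t["out"] > threshold_bytes)


if __name__ == "__main__":
    totals = bytes_per_host(parse_flows(SAMPLE_FLOWS))
    for host, total in top_talkers(totals):
        print(f"{host:15} {total:>12} bytes")
    # Threshold is an assumed value for one collection window.
    for host in alerts(totals, threshold_bytes=10_000_000):
        print(f"ALERT: {host} over threshold")
```

Run it over one collector window at a time (nfcapd rotates files every few minutes), so the threshold expresses bytes per window rather than a lifetime total; the inbound/outbound split also shows whether a top talker is downloading or uploading, which matters when deciding whether the alert is worth paging on.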
Re: Is possible monitor the source of the network from a dev
Finally I have decided to test that tool. I have downloaded the VMware image trial version. However, I am trying to monitor two machines (Linux and Windows) but in "Sources" I always see the same.
I followed these instructions: https://assets.nagios.com/downloads/nag ... alyzer.pdf
fprobe <NetworkAnalyzer server>:2000
For Windows: https://assets.nagios.com/downloads/nag ... alyzer.pdf
I use Flow Exporter and port 2001.
What is happening? Thanks.
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Is possible monitor the source of the network from a dev
If you click on the source names do you get any additional information?
There are a number of things that can cause this. The NNA box is supposed to automatically handle firewall ports for you, but it wouldn't be bad to verify that they are opened with a `service iptables status | grep 200[01]`
It could be a clock sync issue - this is very common
Double check and make sure your services are running on the collecting hosts.
For what it's worth, going back to your original problem, the best place to get your flow data would be your mentioned firewall:
xerez wrote:For example, I have a firewall with one interface connected to the LAN.
Re: Is possible monitor the source of the network from a dev
jdalrymple wrote: If you click on the source names do you get any additional information?
No, just "No data available" and "No data found".
[root@localhost ~]# service iptables status | grep 200[01]
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
jdalrymple wrote: It could be a clock sync issue - this is very common
Double check and make sure your services are running on the collecting hosts.
How can I check that? Also, for example, I don't see any service in Windows for Flow Exporter...
jdalrymple wrote: For what it's worth, going back to your original problem, the best place to get your flow data would be your mentioned firewall:
That is my goal, but I would like to try with these machines as well.
Thanks.
Re: Is possible monitor the source of the network from a dev
Can you login to the NA system and run the following in a shell and post the output here?
This will show us that the NA server is listening on the ports you have configured.
ps -ef |grep nfcap
Re: Is possible monitor the source of the network from a dev
What are the device(s) you're monitoring and how are you sending that data to Network Analyzer?
Re: Is possible monitor the source of the network from a dev
tgriep wrote: Can you login to the NA system and run the following in a shell and post the output here? This will show us that the NA server is listening on the ports you have configured.
ps -ef |grep nfcap
[root@localhost ~]# ps -ef | grep nfcap
nna 2747 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/[windows]/flows -p 2001 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[windows]/2001.pid -D -e -w -z
nna 2748 2747 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/[windows]/flows -p 2001 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[windows]/2001.pid -D -e -w -z
nna 3394 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/[linux]/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[linux]/2055.pid -D -e -w -z
nna 3395 3394 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/[linux]/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[linux]/2055.pid -D -e -w -z
root 13188 13168 0 07:26 pts/0 00:00:00 grep nfcap
eloyd wrote: What are the device(s) you're monitoring and how are you sending that data to Network Analyzer?
Now I am trying to monitor a Windows 8.1 and a CentOS 7.1. In the Linux case I just followed the PDF and ran this:
cd /tmp
wget http://assets.nagios.com/downloads/nagios-network-analyzer/scripts/fprobeinstall.sh
chmod +x fprobeinstall.sh
./fprobeinstall.sh
fprobe [IP NNA]:2055
1. Download the installer from
http://www.flowtraq.com/corporate/product/flow-exporter.
2. Run the installer, accept the EULA and default locations.
3. Choose the interface.
4. Configuring the export:
• Destination Address: Enter the IP of the Nagios NA server here.
• Destination Port: 2001
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Is possible monitor the source of the network from a dev
Start at the beginning and work to the end:
1) Are the flow export services running on the monitored devices:
i - for Windows check in services.msc
ii - for Linux ps -ef | grep nprobe
2) Are the netflow datagrams making it to the NNA server:
i - install tcpdump yum -y install tcpdump
ii - tcpdump port 2001 or port 2055
3) Is your firewall open on those ports? iptables --list | grep 200
If all those things - then I suspect you have flow data and it's bogus for one reason or another. Tackle this first then we'll look at that.
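Step 3 above checks the firewall with a grep for ports 200x, but the collector in this thread listens on 2001 and 2055 (see the ps output posted earlier), so a port outside that pattern would never show up. As an added example (not part of this thread and not a Nagios tool), the script below cross-checks the two outputs already pasted in the thread: it pulls every `-p` port from the nfcapd processes in `ps -ef` output and every UDP destination port with an ACCEPT rule from the iptables listing, then reports listeners with no matching rule and rules with no listener. The two sample outputs are constructed from the lines in this thread; on them it reports 2055 as listening without an ACCEPT rule and 2000 as accepted without a listener. It assumes the default INPUT policy drops and that no broader ACCEPT rule exists, which is a simplification of real iptables rule ordering.

```python
"""Cross-check nfcapd listening ports against iptables UDP ACCEPT rules.

Added example; not part of the forum thread or of Nagios Network Analyzer.
The two sample outputs are constructed from the ps and iptables lines pasted
in this thread. Assumption: the INPUT chain's default policy drops traffic and
there is no broader ACCEPT rule, so a listener without its own ACCEPT rule
never receives datagrams.
"""
import re

# Constructed from the `ps -ef | grep nfcap` output posted in the thread.
PS_OUTPUT = """\
nna 2747 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/[windows]/flows -p 2001 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[windows]/2001.pid -D -e -w -z
nna 3394 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/[linux]/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[linux]/2055.pid -D -e -w -z
root 13188 13168 0 07:26 pts/0 00:00:00 grep nfcap
"""

# Constructed from the `service iptables status | grep 200[01]` output posted in the thread.
IPTABLES_OUTPUT = """\
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
"""

# nfcapd takes its listening port as a lowercase -p argument (-P is the pid file).
NFCAPD_PORT = re.compile(r"\bnfcapd\b.*?\s-p\s+(\d+)")
# An ACCEPT rule for UDP with an explicit destination port.
ACCEPT_UDP = re.compile(r"\bACCEPT\s+udp\b.*\budp\s+dpt:(\d+)")


def listening_ports(ps_text):
    """Ports that nfcapd collectors listen on, taken from ps output."""
    ports = set()
    for line in ps_text.splitlines():
        if " grep " in f" {line} ":
            continue  # skip the grep process that matched itself
        m = NFCAPD_PORT.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def accepted_udp_ports(iptables_text):
    """UDP destination ports with an explicit ACCEPT rule."""
    ports = set()
    for line in iptables_text.splitlines():
        m = ACCEPT_UDP.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def unreachable_collectors(ps_text, iptables_text):
    """Listening ports with no ACCEPT rule: exporters' datagrams are dropped before nfcapd sees them."""
    return sorted(listening_ports(ps_text) - accepted_udp_ports(iptables_text))


def unused_rules(ps_text, iptables_text):
    """ACCEPT rules for ports nothing is listening on (harmless, but a sign of a port mismatch)."""
    return sorted(accepted_udp_ports(iptables_text) - listening_ports(ps_text))


if __name__ == "__main__":
    print("collectors listening on:", sorted(listening_ports(PS_OUTPUT)))
    print("UDP ports accepted:     ", sorted(accepted_udp_ports(IPTABLES_OUTPUT)))
    print("listening but blocked:  ", unreachable_collectors(PS_OUTPUT, IPTABLES_OUTPUT))
    print("accepted but no listener:", unused_rules(PS_OUTPUT, IPTABLES_OUTPUT))
```

On a live box, pipe the real `ps -ef` and `iptables --list -n` output into these functions instead of the constants. Because the check is structural rather than a grep for a fixed port pattern, it still works when a collector is added on a port like 2055 that a `200[01]` pattern would miss; a `tcpdump port <n>` on the collector remains the definitive test that datagrams actually arrive.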
Re: Is possible monitor the source of the network from a dev
jdalrymple wrote: Start at the beginning and work to the end:
1) Are the flow export services running on the monitored devices:
i - for Windows check in services.msc
ii - for Linux ps -ef | grep nprobe
2) Are the netflow datagrams making it to the NNA server:
i - install tcpdump yum -y install tcpdump
ii - tcpdump port 2001 or port 2055
3) Is your firewall open on those ports? iptables --list | grep 200
If all those things - then I suspect you have flow data and it's bogus for one reason or another. Tackle this first then we'll look at that.
Sorry but I don't understand you in this step:
i - for Windows check in services.msc