Is possible monitor the source of the network from a device?
Posted: Tue Oct 13, 2015 2:26 am
by xerez
Hi, is it possible to monitor all the sources of the network traffic from only one device?
For example, I have a firewall with one interface connected to the LAN. I know that I can monitor that interface and get the inbound and outbound values of network traffic. However, I want to know which device is using more bandwidth, the amount, and send alerts if necessary. Is it possible? Perhaps with the IP? Or is the only way to monitor each device in the LAN?
Thank you.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Oct 13, 2015 12:41 pm
by jdalrymple
That requires analysis of flow data. I don't know of any plugins that work with Core to provide this data, but we do have our commercial offering that does exactly what you want.
Nagios Network Analyzer
Re: Is possible monitor the source of the network from a dev
Posted: Mon Oct 26, 2015 7:11 am
by xerez
Finally I have decided to test that tool. I have downloaded the VMware image trial version. However, I am trying to monitor two machines (Linux and Windows) but in "Sources" I always see the same.
I followed these instructions:
https://assets.nagios.com/downloads/nag ... alyzer.pdf
fprobe <NetworkAnalyzer server>:2000
For Windows:
https://assets.nagios.com/downloads/nag ... alyzer.pdf
I use Flow Exporter and port 2001.
What happens? Thanks.
Re: Is possible monitor the source of the network from a dev
Posted: Mon Oct 26, 2015 4:30 pm
by jdalrymple
If you click on the source names do you get any additional information?
There are a number of things that can cause this. The NNA box is supposed to automatically handle firewall ports for you, but it wouldn't be bad to verify that they are opened with a `service iptables status | grep 200[01]`
It could be a clock sync issue - this is very common
Double check and make sure your services are running on the collecting hosts.
For what it's worth, going back to your original problem, the best place to get your flow data would be your mentioned firewall:
xerez wrote:For example, I have a firewall with one interface connected to the LAN.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Oct 27, 2015 3:18 am
by xerez
jdalrymple wrote:If you click on the source names do you get any additional information?
No, just "No data available" and "No data found".
[root@localhost ~]# service iptables status | grep 200[01]
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
jdalrymple wrote:It could be a clock sync issue - this is very common
Double check and make sure your services are running on the collecting hosts.
How can I check that? Also, for example, I don't see any service in Windows for Flow Exporter...
jdalrymple wrote:For what it's worth, going back to your original problem, the best place to get your flow data would be your mentioned firewall:
That is my goal, but I would like to try with these machines as well.
Thanks.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Oct 27, 2015 4:42 pm
by tgriep
Can you login to the NA system and run the following in a shell and post the output here?
This will show us that the NA server is listening on the ports you have configured.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Oct 27, 2015 5:17 pm
by eloyd
What are the device(s) you're monitoring and how are you sending that data to Network Analyzer?
Re: Is possible monitor the source of the network from a dev
Posted: Wed Oct 28, 2015 3:32 am
by xerez
tgriep wrote:Can you login to the NA system and run the following in a shell and post the output here?
This will show us that the NA server is listening on the ports you have configured.
[root@localhost ~]# ps -ef | grep nfcap
nna 2747 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/[windows]/flows -p 2001 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[windows]/2001.pid -D -e -w -z
nna 2748 2747 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/[windows]/flows -p 2001 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[windows]/2001.pid -D -e -w -z
nna 3394 1 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/[linux]/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[linux]/2055.pid -D -e -w -z
nna 3395 3394 0 Oct26 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/[linux]/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/[linux]/2055.pid -D -e -w -z
root 13188 13168 0 07:26 pts/0 00:00:00 grep nfcap
I changed the Linux port to 2055.
eloyd wrote:What are the device(s) you're monitoring and how are you sending that data to Network Analyzer?
Now I am trying to monitor a Windows 8.1 and a CentOS 7.1 machine. In the Linux case I just followed the PDF and ran this:
cd /tmp
wget http://assets.nagios.com/downloads/nagios-network-analyzer/scripts/fprobeinstall.sh
chmod +x fprobeinstall.sh
./fprobeinstall.sh
fprobe [IP NNA]:2055
For Windows I also followed the PDF, but I chose "Flow Exporter" instead of "nProbe". I did the following:
1. Download the installer from
http://www.flowtraq.com/corporate/product/flow-exporter.
2. Run the installer, accept the EULA and default locations.
3. Choose the interface.
4. Configuring the export:
• Destination Address: Enter the IP of the Nagios NA server here.
• Destination Port: 2001
Re: Is possible monitor the source of the network from a dev
Posted: Wed Oct 28, 2015 9:21 am
by jdalrymple
Start at the beginning and work to the end:
1) Are the flow export services running on the monitored devices:
i - for Windows check in services.msc
ii - for Linux ps -ef | grep nprobe
2) Are the netflow datagrams making it to the NNA server:
i - install tcpdump yum -y install tcpdump
ii - tcpdump port 2001 or port 2055
3) Is your firewall open on those ports? iptables --list | grep 200
If all those things - then I suspect you have flow data and it's bogus for one reason or another. Tackle this first then we'll look at that.
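The two posts above explain what the thread is really about: per-device bandwidth comes from analysing flow records, and the first troubleshooting question is whether well-formed export datagrams even reach the collector port. The following is an added example, not code from the forum or from Nagios, that shows both in one place: it parses a NetFlow v5 export (the format fprobe emits), rejects datagrams whose record count disagrees with their length, and totals bytes per source IP. The sample datagrams, hosts and byte counts are constructed here for illustration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"             # version, count, sys_uptime, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport, pad, flags, proto, tos, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

def build_v5(records, seq=0):
    # Constructed test data only: a real exporter (fprobe, Flow Exporter) fills uptime and timestamps itself.
    # records: (src_ip, dst_ip, proto, sport, dport, pkts, octets)
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    body = b"".join(struct.pack(RECORD_FMT, ip(s), ip(d), 0, 1, 2, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, pr, sp, dp, pk, oc in records)
    return struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, seq, 0, 0, 0) + body

def parse_v5(datagram):
    # Returns (src, dst, proto, sport, dport, octets) per record. The UDP collector port is reachable
    # from the whole LAN, so never trust the count field: check it against the real datagram length.
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count disagrees with datagram length")
    flows = []
    for i in range(count):
        r = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        src, dst = (socket.inet_ntoa(struct.pack("!I", a)) for a in r[:2])
        flows.append((src, dst, r[13], r[9], r[10], r[6]))
    return flows

def bytes_by_source(datagrams):
    # Octets per source IP, largest first: the "which LAN device uses the most bandwidth" view.
    totals = defaultdict(int)
    for d in datagrams:
        for src, _dst, _proto, _sp, _dp, octets in parse_v5(d):
            totals[src] += octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample: two exports such as fprobe on a LAN host would send to the collector.
SAMPLE = [
    build_v5([("192.168.1.10", "93.184.216.34", 6, 51000, 443, 120, 180000),
              ("192.168.1.20", "192.168.1.1", 17, 5353, 53, 4, 320)], seq=0),
    build_v5([("192.168.1.10", "192.168.1.50", 6, 51002, 445, 900, 1300000),
              ("192.168.1.30", "93.184.216.34", 6, 51100, 80, 30, 22000)], seq=2),
]
```

To use it against live traffic, bind a UDP socket on the export port (2001 or 2055 in this thread) and pass each received datagram to `parse_v5`; a `ValueError` on every datagram usually means the exporter is sending a different NetFlow version than the collector expects.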
Re: Is possible monitor the source of the network from a dev
Posted: Wed Oct 28, 2015 10:22 am
by xerez
jdalrymple wrote:Start at the beginning and work to the end:
1) Are the flow export services running on the monitored devices:
i - for Windows check in services.msc
ii - for Linux ps -ef | grep nprobe
2) Are the netflow datagrams making it to the NNA server:
i - install tcpdump yum -y install tcpdump
ii - tcpdump port 2001 or port 2055
3) Is your firewall open on those ports? iptables --list | grep 200
If all those things - then I suspect you have flow data and it's bogus for one reason or another. Tackle this first then we'll look at that.
Sorry, but I don't understand you in this step:
i - for Windows check in services.msc
Which service must I check? I don't see any service related to Flow Exporter.