Useful/'Best' network monitoring tools?

zenix · 2010-11-14 01:39:03

So I'm trying to monitor a network full of servers for a competition we hold once a month at school. It's a simple "attack the server" competition, where the users attack the servers, some purposefully insecure while others aren't, and see who can pwn the most boxes. Not a real competition, but to just show off any "l33t hax0rz" skills they may have. Yay network security!

We didn't get a very good log of the last competition at all though, just a big tcpdump file (plain text english, not binary) of all the traffic. We were trying to read it off a projected screen to see if there were any users attacking anything other than the servers.

The network is mostly BackTrack (CD's handed out before hand) but there are some windows users, and other Linux distros. The whole network is run off a few Cisco switches (and 1 router), all fully managed. The tcpdump log was created by hooking the server into a monitoring port. (Replicating all traffic through the port, but without being able to communicate over it.)

What tools/services could I set up on an Arch box to monitor the network? Mostly I just want to watch the network, not to attack clients (to avoid causing a issues due to a false positive).

dmz · 2010-11-14 01:43:06

ntop.

fukawi2 · 2010-11-14 03:45:20

I would setup a box with 2 NIC's between the server(s) and the switch, bridge the 2 NIC's together so the connection is transparent, then use tcpdump and wireshark to analyze. Wireshark's "Follow TCP Stream" option is great for filtering out a specific connection and seeing the connection rather than the individual packets.

zenix · 2010-11-14 04:10:18

Can wireshark be used in a non-graphical manner? (Potentially headless box) Or would I use tcpdump's binary logging feature, and only analyze the traffic afterwards?

Idealy, we would like some human-readable form in real time so we can see if a user is being evil and personally stop them.

dunz0r · 2010-11-14 07:16:35

Perhaps snort would be something for this: http://snort.org

mikesd · 2010-11-14 07:50:56

zenix wrote:

Can wireshark be used in a non-graphical manner? (Potentially headless box) Or would I use tcpdump's binary logging feature, and only analyze the traffic afterwards?
Idealy, we would like some human-readable form in real time so we can see if a user is being evil and personally stop them.

I haven't used it however wireshark comes with a console only version, wireshark-cli in extra. It can save a dump for later analysis with the GUI version.

.:B:. · 2010-11-14 08:09:14

zenix wrote:

Can wireshark be used in a non-graphical manner?

Wireshark is split out into wireshark-gtk and wireshark-cli packages in the Arch repos - so my guess would be yes...

fukawi2 · 2010-11-14 09:23:35

zenix wrote:

Can wireshark be used in a non-graphical manner?

Yes... The command is `tshark` and takes the same options as tcpdump IIRC

rusty99 · 2010-11-14 11:17:14

There's also nstreams

Arch Linux

#1 2010-11-14 01:39:03

Useful/'Best' network monitoring tools?

#2 2010-11-14 01:43:06

Re: Useful/'Best' network monitoring tools?

#3 2010-11-14 03:45:20

Re: Useful/'Best' network monitoring tools?

#4 2010-11-14 04:10:18

Re: Useful/'Best' network monitoring tools?

#5 2010-11-14 07:16:35

Re: Useful/'Best' network monitoring tools?

#6 2010-11-14 07:50:56

Re: Useful/'Best' network monitoring tools?

#7 2010-11-14 08:09:14

Re: Useful/'Best' network monitoring tools?

#8 2010-11-14 09:23:35

Re: Useful/'Best' network monitoring tools?

#9 2010-11-14 11:17:14

Re: Useful/'Best' network monitoring tools?

Board footer