[Madlug] Networking Question?
Marcin Antkiewicz
madlug at kajtek.org
Thu Jul 2 09:14:08 CDT 2009
> I was thinking of using a server on the backbone with mrtg, nmap, iptraf(?) to
> characterize the traffic and the volume. The characterization needs to include
> from/to volume traffic as each local library comes in on a separate t1 to the
> backbone. The question:
Drop nmap, it's a very good tool, but a poor match for your needs.
> do these tools capture all the packet traffic on an ethernet backbone? Does
> one need specialized network monitor hardware to see all the packets
> flying about? Analyzing all the packet traffic seems like a pretty cpu
> intensive task. Would I need a super beefed server to do this?
I don't think you will need a huge server. If anything, you would want to use
a few normal machines, as it's cheaper to scale out the IO load.
How many T1s and how are they terminated?
If the goal is to count traffic flow to and from the branches, then I would get
counts from the subinterfaces. In general, you will want to count as close to
the source of traffic as possible, so get the counters from the branch routers
or the access router. Rancid is your friend here [1].
If, in addition to traffic accounting, you want to gather statistics from your
data center, then you can get counters from switch ports. Rancid is the tool.
Going one level up, it would be nice to account per IP, port, protocol, etc.
There are two choices here - use a flow recorder like Argus [2] and some form
of port/vlan mirroring (usual caveats apply) or taps (no one got fired for choosing
NetOptics). Taps are a bit tricky, as they require downtime to install/remove.
Another alternative is to use Snort, with a custom signature library. The goal
is to identify interesting patterns (keywords, protocol verbs) and count the number of
hits. Argus or other netflow tools will do a better job on layer 3/4.
1 - http://www.shrubbery.net/rancid/
2 - http://qosient.com/argus/
Ping me off the list for more information.
--
Marcin Antkiewicz