How to monitor remote traffic
Written by Mike James   
Monday, 12 April 2010
Article Index
How to monitor remote traffic
Network engineering

Network engineering

To use a network monitor to view other traffic we have to do more than just enable p-mode. We have to do some network engineering. The simplest solution is to place the monitoring machine logically next to the router and connect the pair of them via a hub. This works and it's a useful technique but it can be difficult to find a hub if you don't have one sitting around.

Banner

A more modern approach is to use a managed switch that supports port mirroring. In this case you can use the switch's management software to mirror all of the traffic on the port you want to monitor onto the port that your monitoring machine is connected to. Notice that you have to connect the machine directly to the port as placing a switch between the two would produce the same problem. The switch would once again only pass packets to the monitoring machine that were addressed to it. You can use multiple managed switches to set up a chain of mirrored ports but this is in most cases excessively complicated - simply dedicate one port on a managed switch as the monitor port.

 

mirror

Mirror = send the traffic of one port to another

Assuming you have a managed switch that the router (port x) and the monitoring machine (port y) are directly connected to then to monitor the traffic going to the router you simply set port x to mirror to port y. Then on the monitoring machine you select p-mode and start collecting data.

In this case after a few seconds you should see a large number of conversations being listed under Other Traffic/Unknown. You will still see all of the local traffic, i.e. between the monitoring machine and the rest of the network.

Filters

At this point you really need to know about filters because the amount of traffic that you are going to see will have increased. You can apply two types of filter - capture and display. A capture filter specifies what packets will be captured and the display filter applies post capture processing so that you can analyse the data you have collected. Apart from this difference filters work in the same way.

The simplest way to find out how filters work is to customise the standard filters. Select the Capture Filter tab, click on the folder icon and select Standard Filters, Addresses, IP4 Addresses. This will load a filter that only captures packets to or from the specified IP address. The filter initially reads:

// Show traffic To or From a specific IPv4 address:

//   192.168.0.100 <-> // Show traffic To or From a specific IPv4 address:

//   192.168.0.100 <-> ANY

 

IPv4.Address == 192.168.0.100

and all you have to do is customise the IP address to the address you are interested in capturing.

filter

Monitoring in action - click to view

After you have made the customisation, click the Verify icon to check that the filter works and as long as it does click the Apply icon. Now when you start the capture you will only see packets to/from the specified IP address.

You can create more complicated filters for IP addresses, ports and types of traffic and the simplest way to find out about them is to look at the supplied filters and edit them to produce what you need.

After you have used the monitor to capture the packets you can load and use an Expert to perform an analysis of the data for you - and this is covered in the third article on Network Monitor 3.3.

<ASIN:1593271794>

<ASIN:0596008406>

<ASIN:0321492668>

Banner


AWS Low Cost Mailing List Using phpList And SES

Running a mailing list is not easy or cheap, but if you use AWS it can be. Find out how to create a low-cost and highly effective mailing list server.



Setting Up Site-To-Site OpenVPN

Setting up a point-to-point VPN is relatively easy but site-to-site is much more complicated involving certificates and more IP addresses than you can count. Find out how to do it using OpenVPN.


Other Projects


 



Last Updated ( Sunday, 09 May 2010 )