David Spillett

What you need to do is put the machine in the network between those machines and your connection to the internet, like so:

PC1 ----\
PC2 ----+---- monitor ---- router/modem/other ---- hinterwebs
PC3 ----/

You need two network cards in the monitor box, one for the local LAN's switch that the other machines plug into too and one for the router. The monitor box would then either be set to act as a transparent bridge or (easier) it would perform NAT (like so) for the LAN. You can then use extra iptables rules with comments to mark them so that you can use something like collectd's iptables module (see here) to record packet and byte counts. You could also use tools like bandwidthd though I've not used that myself. If you are looking to check current traffic rather than log the traffic for future analysis, you can just use iftop (see here, and should be available in all Linux distributions) to list what is going through the box right now.

Seeing the traffic for all the machines as you describe, without sitting the monitoring machine between the machines you want to monitor, is not really possible on a switched network, which all modern networks are. When using a hub all you had to do was drop the network card into promiscuous mode and it would inspect all the traffic on the line, but with a switched network the switch makes sure each line only gets the packets it needs, not everything.
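
Added example (not part of the original answer): a dry-run script that prints the NAT and comment-tagged counting rules for the monitor box described above, plus a parser that reduces an `iptables -nvxL` listing to per-host byte counts. The host names and addresses, the `eth1` WAN interface and the `ACCT` chain name are assumptions, and the counter listing is constructed sample data.

```shell
#!/bin/sh
# Added example. Assumed values: host names/IPs, interface eth1, chain name ACCT.
HOSTS="pc1=192.168.1.10 pc2=192.168.1.11 pc3=192.168.1.12"

# Print (dry run) the commands for the monitor box; review, then pipe to `sh` as root.
gen_rules() {
    wan_if=$1
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"
    echo "iptables -N ACCT"
    echo "iptables -I FORWARD -j ACCT"
    for h in $HOSTS; do
        name=${h%%=*}
        ip=${h#*=}
        # No -j target: these rules only count packets/bytes, then fall through.
        echo "iptables -A ACCT -s $ip -m comment --comment ${name}-up"
        echo "iptables -A ACCT -d $ip -m comment --comment ${name}-down"
    done
}

# Constructed sample of `iptables -nvxL ACCT` output (not captured from a real box).
sample_output() {
    cat <<'EOF'
Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520   183422            all  --  *      *       192.168.1.10         0.0.0.0/0            /* pc1-up */
    2210  2954811            all  --  *      *       0.0.0.0/0            192.168.1.10         /* pc1-down */
    9034   771204            all  --  *      *       192.168.1.11         0.0.0.0/0            /* pc2-up */
   33871 48211973            all  --  *      *       0.0.0.0/0            192.168.1.11         /* pc2-down */
EOF
}

# Reduce the listing to "<comment> <bytes>" lines. The target column is blank
# for count-only rules, so locate the comment marker instead of a fixed field.
parse_counters() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "/*") print $(i + 1), $2 }'
}

gen_rules eth1
sample_output | parse_counters
```

Because the counting rules sit in the forwarding path, they see LAN addresses on both directions: source NAT is applied after forwarding on the way out and reversed before forwarding on the way back.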