[H-GEN] Traffic analysis recommendations, Extended Question
David Jericho
david.jericho at aarnet.edu.au
Tue Apr 19 22:12:21 EDT 2005
Josh Marshall wrote:
> My first suggestion would be to use iptables. It can count the number of
> packets and bytes that match the parameters, and if you don't specify a
> target the packets pass right past it untouched.
Oh, good Lord no.
This very quickly becomes unmanageable as the method does not scale. The
complexity and headspace required to manage a ruleset that could
potentially run into the hundreds or thousands of rules is horrible.
Don't mix your traffic accounting rules with your firewalling rules.[0]
It only leads to mistakes being made.
Anthony (De Crow) mentions he'd like to break it down into PIPE vs
non-PIPE traffic; without some form of automation based on a BGP or OSPF
feed, that could very quickly become worthless.[1] If the user wants this to
be correct, they should contact their ISP to see if there is some form
of looking glass.
David de Groot's suggestions of Cacti[2] and ntop[3] are good. Depending
on the config of the router, fprobe[4] and nnfc[5] may be handy tools
too. I know of NFA[6] being used around the traps.
[0] Just as you don't mix heavy spirits and sparkling white - it only
leads to bad hangovers.
[1] Some admins can't manage bogon lists, draw your own conclusions.
[2] http://www.cacti.net/
[3] http://www.ntop.org/ntop.html
[4] http://sourceforge.net/projects/fprobe/
[5] http://sourceforge.net/projects/nnfc/
[6] http://www.parnet.edu.au/NetFlow.html
--
David Jericho
Systems Administrator, AARNet
Phone: +61 7 3864 8379
Mobile: +61 4 2302 7185
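As an added illustration of the point argued above (keep accounting counters out of the firewall ruleset), here is a small POSIX shell example written for this page; it is not code from the list thread or from any of the tools mentioned. It prints the commands for a dedicated, target-less counting chain rather than running them, so no root is needed, and it parses a constructed sample of `iptables -nvxL` output. The chain name `ACCOUNTING`, the `192.0.2.0/24` network and the counter values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: traffic accounting in its own
# iptables chain, separate from firewall rules, plus a reader for its counters.
# Chain name "ACCOUNTING", the 192.0.2.0/24 prefix and the counter values
# below are constructed for illustration.

# Emit the commands that build a dedicated counting chain. The rules carry
# no -j target, so they only increment counters; a packet that reaches the
# end of the chain returns to INPUT/OUTPUT and the real firewall rules.
# Printed rather than executed so the script runs without privileges.
accounting_rules() {
    cat <<'EOF'
iptables -N ACCOUNTING
iptables -I INPUT 1 -j ACCOUNTING
iptables -I OUTPUT 1 -j ACCOUNTING
iptables -A ACCOUNTING -s 192.0.2.0/24
iptables -A ACCOUNTING -d 192.0.2.0/24
iptables -A ACCOUNTING -p tcp --dport 80
EOF
}

# Constructed sample of `iptables -nvxL ACCOUNTING` output
# (-x prints exact byte counts instead of K/M/G-abbreviated ones).
sample_counters() {
    cat <<'EOF'
Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543            all  --  *      *       192.0.2.0/24         0.0.0.0/0
    2222    1111111            all  --  *      *       0.0.0.0/0            192.0.2.0/24
     300      45000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
EOF
}

# Reduce the listing to "bytes source destination" lines, skipping the two
# header lines. Because the rules have no target, that column is empty and
# whitespace splitting puts source in $7 and destination in $8.
# Works on the sample above or on real `iptables -nvxL ACCOUNTING` output.
bytes_per_rule() {
    awk 'NR > 2 && NF >= 8 { print $2, $7, $8 }'
}

# Sum the byte column, e.g. to feed a graphing tool; "+ 0" forces a numeric
# result even when no rule lines are present.
total_bytes() {
    awk 'NR > 2 && NF >= 8 { sum += $2 } END { print sum + 0 }'
}

# Stand-alone run: show the rule commands, then the parsed sample counters.
accounting_rules
sample_counters | bytes_per_rule
sample_counters | total_bytes
```

On a live box the parsing functions take real output via `iptables -nvxL ACCOUNTING | bytes_per_rule`; the separate chain means the firewall policy can change without disturbing the counters, and vice versa.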