Wireshark-users: Re: [Wireshark-users] Want to monitor a port, count bytes transferred, record wh

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Mon, 23 Apr 2012 14:25:13 +1000
As Seth has said, this is pretty much a perfect match for Netflow or IPFIX (which is more or less the "New" version of Netflow). You want a netflow probe to convert seen packet data to netflow records. And then a collector to grab the netflow records and save them to some form of database. The collector will normally have a means of displaying the data.

Many high end switches and routers have probe capability, so depending on your hardware, you might already have this.

If not, the following open-source software may be useful:

ntop has both a probe and a collector that can display the collected data in various formats. It has a GUI to enable you to drive it.
fprobe is able to capture packets (using libpcap, like Wireshark) and create netflow records.
flow-tools is a set of tools that can capture netflow and process it to produce reports similar to what you require. (It is CLI only.)

Regards, Martin

MartinVisser99@xxxxxxxxx


On 23 April 2012 00:59, Seth Hall <seth@xxxxxxxx> wrote:

On Apr 20, 2012, at 11:45 AM, Brian Excarnate wrote:

> So my first question is:  Is there some other tool that is a better choice, and if so which?


You could use something that generates netflow records and a netflow collector or Argus.  You could also give Bro-IDS a try (I'm one of the developers).  The output you're looking for can be found in our conn logs.  You can download a binary package from our website too:
       http://www.bro-ids.org/download/#binarypackages

If you're just interested in getting the conn logs, you should be able to run (with the appropriate interface):
       sudo bro -i eth0

It will start creating logs in your current working directory.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
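The probe/collector split described above, shown as an added example that is not from this thread nor from ntop, fprobe, flow-tools or Bro: a toy NetFlow-style aggregator that turns packets into unidirectional flow records (5-tuple, first/last seen, packets, bytes, with idle-timeout expiry) and then reports bytes per peer on one monitored port. The packet list and the 60-second idle timeout are constructed values.

```python
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "src_ip dst_ip proto src_port dst_port")

# Constructed sample packets: (timestamp, src, dst, proto, sport, dport, bytes)
SAMPLE_PACKETS = [
    (1000.0, "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 74),
    (1000.1, "192.0.2.10", "10.0.0.5", "tcp", 443, 51000, 74),
    (1000.2, "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 1400),
    (1001.0, "10.0.0.7", "192.0.2.10", "tcp", 51001, 443, 74),
    (1002.0, "10.0.0.5", "192.0.2.53", "udp", 40000, 53, 60),
    (1130.0, "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 300),  # idle gap -> new record
]

IDLE_TIMEOUT = 60.0  # seconds of silence before a flow is exported (assumed value)


def build_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Probe side: aggregate packets into unidirectional flow records.

    Each record is a dict with key, first, last, packets, bytes. A record is
    exported when its flow stays idle longer than idle_timeout, and any
    still-active records are flushed at the end of the capture.
    """
    active = {}
    exported = []
    for ts, src, dst, proto, sport, dport, size in sorted(packets):
        key = FlowKey(src, dst, proto, sport, dport)
        rec = active.get(key)
        if rec is not None and ts - rec["last"] > idle_timeout:
            exported.append(active.pop(key))  # expire the stale record
            rec = None
        if rec is None:
            rec = active[key] = {"key": key, "first": ts, "last": ts, "packets": 0, "bytes": 0}
        rec["last"] = ts
        rec["packets"] += 1
        rec["bytes"] += size
    exported.extend(active.values())
    return exported


def bytes_on_port(flows, port):
    """Collector side: total bytes per peer host for flows touching `port`."""
    report = {}
    for f in flows:
        k = f["key"]
        if port in (k.src_port, k.dst_port):
            peer = k.src_ip if k.dst_port == port else k.dst_ip
            report[peer] = report.get(peer, 0) + f["bytes"]
    return report
```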
