Unknown internet usage - how to monitor?

Discussion in 'Networking, Telephony & Internet' started by Copycat, Jun 7, 2007.

  1. Copycat

    Copycat Member

    Joined:
    Oct 16, 2002
    Messages:
    101
    Location:
    Australia, Melbourne
    Hi all, I just have a bit of an issue with rogue internet usage on our office LAN that I was hoping someone could help me with.

    Currently we're connected with Nextep (through Netspace) on the 20GB a month plan and have never used anywhere near the total quota. Last month however, we had an additional 7GB of downloads/uploads and at 10 cents per megabyte, it wasn't a cheap operation. After checking the Netspace usage logs, I've found that on some days, 4GB of data has been transferred either in or out from our LAN. Unfortunately these data usage logs don't include any particular details such as whether the data was downloaded or uploaded.

    I've sent around an email to everyone asking if they know anything about large files being uploaded or downloaded, which came up with no results. I'm completely gazumped at what could be causing this dataflow.

    So I was wondering what would be the best way of monitoring internet traffic coming in and going out of our LAN. At the moment, our Netcomm ADSL router is connected to a Cyberguard VPN firewall which acts as our front end firewall. Currently, no proxy server is configured and because I have only recently taken up the position of Admin, I'm unaware of the Cyberguard firewalls features in terms of proxy servers, monitoring etc.

    Are there any methods of internet data flow monitoring that anyone can recommend?

    Thanks for your help in advance.


    Paul


    (Apologies if this is the wrong forum to be posting in. Please move if this is the case)
     
  2. Simwah

    Simwah Member

    Joined:
    Aug 6, 2005
    Messages:
    1,998
    Location:
    Brisbane
    I'd say a proxy / transparent proxy would be the way to go.
     
  3. mrturkey

    mrturkey Member

    Joined:
    Jun 27, 2001
    Messages:
    462
    Location:
    Wodonga, VIC
    IPCOP with Sarg will do the trick :)
     
  4. mrturkey

    mrturkey Member

    Joined:
    Jun 27, 2001
    Messages:
    462
    Location:
    Wodonga, VIC
    nmap with logging is good for non proxy traffic
     
  5. beardedgeek

    beardedgeek Member

    Joined:
    Dec 9, 2003
    Messages:
    405
    Well, the first step would be to firewall off and log any non-web and non-email traffic. P2P programs, while able to work through port 80 etc. if set up properly, will first try to get through on their normal ports until they are reconfigured when the user figures it out.

    And yeah, get a proxy in there; something like ClarkConnect for a smaller operation is great, totally turnkey, no specific Linux knowledge required.
     
  6. j3ll0

    j3ll0 Member

    Joined:
    Jul 13, 2005
    Messages:
    4,686
    Span the port that your internet connection comes in on.

    If you're a Windows guy, this is probably the easiest way to get NTOP going.

    If you're an *nix guy, use your package manager of choice and install NTOP.

    Watch and wait and see what's going on!
     
  7. security

    security Member

    Joined:
    Jan 8, 2003
    Messages:
    704
    Location:
    Top of a mountain, NSW
  8. CordlezToaster

    CordlezToaster Member

    Joined:
    Nov 3, 2006
    Messages:
    4,062
    Location:
    Melbourne
    Sonar, From Bluereef
     
  9. Copycat (OP)

    Copycat Member

    Joined:
    Oct 16, 2002
    Messages:
    101
    Location:
    Australia, Melbourne
    Hey guys, thanks for replying with all your recommendations. I find that I can't really utilize these programs because we don't have an internet gateway server on our LAN... just a file server and a VPN appliance connected straight to the net. I've since found out that the VPN router has SNMP features built in so I might give this a go in the next couple of days.... Anyway, exams are over now so I finally have time to study up.

    Is there any way to not only monitor the local LAN connection, but the whole office LAN with the above utilities? I began reading about non-promiscuous mode but I didn't really catch on to the idea.

    What exactly do you mean by span the internet connection port? Port 80 or all protocol ports?


    Thanks
     
    Last edited: Jun 14, 2007
  10. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Tell us what model cyberguard you have.

    Unfortunately next to no routers have comprehensive traffic reporting. You can have something pulling snmp stats from your router using something like PRTG. This probably won't give you totals but it should give you a graph showing times of day and amount of throughput.

    If you want to know who's doing what you need to put a box between your LAN and your cyberguard (this is similar to spanning a port that someone mentioned earlier, you can't do this because you obviously don't have enterprise grade switches).

    How this works is you change LAN1 of this box to your Cyberguard's IP address, LAN2 to something else, eg 192.168.10.100, and make your Cyberguard's LAN IP 192.168.10.1. You will have to run anything on this box that the Cyberguard provided for the network, such as DHCP.

    The box ideally needs to run some preconfigured Linux distro on which NAT can be disabled, as you don't want another firewall, just something to watch the traffic. This is about the only way you're going to get totals per LAN IP, thus narrowing down who the user/machine is.
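The per-LAN-IP totals described in the post above are the output the original poster actually needs, because the ISP's usage log cannot distinguish uploads from downloads or say which machine was responsible. The following is an added example (not code from this thread or from any product mentioned in it) of the accounting such an inline box would do once it has reduced the frames it sees to (src, dst, bytes) records. The 192.168.10.0/24 prefix is assumed, echoing the addresses in the post; the records are constructed sample data, not a real capture.

```python
"""Per-host upload/download accounting for an inline monitoring box.

Added example; assumes the box sits between the LAN switch and the
Cyberguard and has reduced every frame it sees to a (src, dst, bytes) record.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (timestamp, src_ip, dst_ip, transport, payload_bytes).
# 192.168.10.0/24 is an assumed LAN range; the public addresses are from the
# RFC 5737 documentation ranges and are not real hosts.
SAMPLE_RECORDS = [
    ("2007-06-14 09:00:01", "192.168.10.23", "203.0.113.10", "tcp/80", 1500),
    ("2007-06-14 09:00:02", "203.0.113.10", "192.168.10.23", "tcp/80", 60000),
    ("2007-06-14 09:00:05", "192.168.10.42", "198.51.100.7", "tcp/6881", 700000),
    ("2007-06-14 09:00:06", "198.51.100.7", "192.168.10.42", "tcp/6881", 300000),
    ("2007-06-14 09:00:07", "192.168.10.42", "192.168.10.5", "tcp/445", 2_000_000),
    ("2007-06-14 09:00:09", "192.168.10.5", "192.168.10.42", "tcp/445", 4000),
]


def classify(src, dst, lan_net):
    """Return 'out' (LAN -> Internet), 'in' (Internet -> LAN), 'internal'
    (both ends on the LAN) or 'transit' (neither end on the LAN)."""
    src_in = ipaddress.ip_address(src) in lan_net
    dst_in = ipaddress.ip_address(dst) in lan_net
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "out"
    if dst_in:
        return "in"
    return "transit"


def totals_per_host(records, lan_cidr="192.168.10.0/24"):
    """Sum bytes per LAN host, split into upload ('out') and download ('in').

    LAN-to-LAN traffic is deliberately excluded: it never crosses the ADSL
    link, so it cannot be what is eating the ISP quota."""
    lan_net = ipaddress.ip_network(lan_cidr)
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for _ts, src, dst, _proto, nbytes in records:
        direction = classify(src, dst, lan_net)
        if direction == "out":
            totals[src]["out"] += nbytes
        elif direction == "in":
            totals[dst]["in"] += nbytes
    return dict(totals)


def top_talkers(records, lan_cidr="192.168.10.0/24", n=5):
    """Rank LAN hosts by quota-relevant bytes (in + out), highest first."""
    totals = totals_per_host(records, lan_cidr)
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)
    return [(host, t["in"] + t["out"]) for host, t in ranked[:n]]


if __name__ == "__main__":
    totals = totals_per_host(SAMPLE_RECORDS)
    for host, total in top_talkers(SAMPLE_RECORDS):
        t = totals[host]
        print(f"{host:16} down {t['in']:>9} B  up {t['out']:>9} B  total {total:>9} B")
```

On the sample data the host on tcp/6881 dominates, even though the biggest single transfer in the list is the internal file-server copy, which is exactly the distinction the ISP's per-day totals cannot make. Fed from a real capture (NTOP, or a tcpdump summary on the inline box), the same two functions give the per-machine upload and download split the thread is after.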
     
  11. j3ll0

    j3ll0 Member

    Joined:
    Jul 13, 2005
    Messages:
    4,686
    Sorry, my language was a bit Cisco-ised.

    I'm not referring to IP ports at all. I'm referring to the physical interfaces on your switch.

    Most switches allow you to 'span' or 'monitor' a specific port. The two ports we are talking about is a 'source port' and a 'destination port'. More correctly, you would span a source port to a destination port.

    When you span ports, you configure your switch to copy every frame that traverses the source port to the destination port. This allows you to passively / non-obtrusively observe the activity across that physical port.

    You are interested in monitoring your internet traffic, so you would want to observe the activity as close to your router as possible. If that is the internal interface of the firewall plugging into your switch, that's the source port you want to span.

    Set the destination port as the port that your PC plugs into, fire up NTOP and observe.

    This is a cisco page that has graphics to explain it a bit better. On your switch it may be called Monitor mode or something like that.

    Good luck.
     
  12. Copycat (OP)

    Copycat Member

    Joined:
    Oct 16, 2002
    Messages:
    101
    Location:
    Australia, Melbourne
    Well after physical inspection, we are using the Cyberguard SG560 network appliance which does include SNMP capabilities. What would be the best method or software to use in order to visualize data flow from the SNMP port? At the moment in the router configuration, in order to enable SNMP services, I first need to enable 'Central Management'.

    Now I'm assuming that I need to setup a computer/appliance to grab this SNMP data from port 161.... Or maybe there is a way to install an application to monitor the SNMP data from a workstation connected to the LAN.

    Thanks for your continued support guys.
     
    Last edited: Jun 15, 2007
  13. Draemad

    Draemad Member

    Joined:
    Jun 5, 2002
    Messages:
    1,300
    Location:
    Melbourne
    To remotely monitor traffic via SNMP you could use something like MRTG. This will only give you a graph of traffic averaged over time, however. This will not show you source or destination IP, so you won't be able to track down which workstation is sending/receiving the traffic. Your best bet is to add an INLINE device and run something that can examine the traffic and tell you what is going on. NTOP, Squid with SARG, Snort, MS ISA, etc. will all allow you to do this as well as give you some control over what comes in and out of your network. You should also diagram your network so you know clearly what is where. It may also help us to help you if we had a simple diagram of your network.
     
  14. fad

    fad Member

    Joined:
    Jun 26, 2001
    Messages:
    2,218
    Location:
    City, Canberra, Australia
    Feed it through a Linux box and install ntop. It can tell you IPs, protocols and bandwidth.
     
  15. Bangers

    Bangers Member

    Joined:
    Dec 25, 2001
    Messages:
    7,254
    Location:
    Silicon Valley
    This shouldn't be in Enterprise Computing, but oh well. Cheap and nasty fix, feed it through a unix box and do the basics. Change default routes on the DHCP Server to unix box, and the default route of that to the Cyberguard.

    You'll find someone discovered BitTorrent. Have you checked on the cyberguard you at least have decent rules? Only allow tcp/80/443 out, stateful and block everything else.
     
  16. Copycat (OP)

    Copycat Member

    Joined:
    Oct 16, 2002
    Messages:
    101
    Location:
    Australia, Melbourne
    Yes, we do have various port rules set up on the router. Has anyone ever had any experience with a Cyberguard network appliance and if so, how have you implemented SNMP? With a separate box between the internet connection and the LAN extracting data, or using an application installed on a workstation on your LAN extracting data?

    I only ask as I'd really like to leave the network architecture untouched for now... although if there are no other options I might have to install a box between the cyberguard and net connection.

    Thanks

    Paul
     
  17. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Uh yeah.. did you read my post?

    Go download PRTG and have a play..

    The SNMP probe will offer you a bunch of interfaces from the Cyberguard; check out http://192.168.x.x/cgi-bin/cgix/diags (insert your router's IP) to find out what interface is what. You want to add your WAN interface and maybe your LAN one too.
     
  18. Sinix

    Sinix Member

    Joined:
    Jun 3, 2002
    Messages:
    252
    Location:
    Sydney
    Possible solution...
    You need:
    1x Spare PC / Laptop (nothing fancy)
    1x 4 port Hub (not a switch)

    Connect the hub between your router / gateway & main LAN. Connect the spare PC / laptop to the hub and run http://www.webspy.com

    Not as good as a proxy server but it will do the job.
     
  19. Grunner

    Grunner Member

    Joined:
    Mar 7, 2005
    Messages:
    123
    Location:
    Ringwood, VIC
    TOTALLY AGREE! We have been an extremely happy Sonar user for 4.5 years! :thumbup:
     
  20. pipsqeek

    pipsqeek Member

    Joined:
    Aug 14, 2002
    Messages:
    686
    Location:
    Sydney
    I'd get IPCop or something similar working as a proxy, and get things like cacti working too, so you can graph and report usage.

    pipsqeek
     