  1. #1
    Just Joined!
    Join Date
    Jun 2007
    Posts
    11

    Challenging but interesting task.


    Hi all,

    I have a switch with 5 servers connected to it. One of the switch ports (uplink) is connected to the gateway router. I have enabled port mirroring for the uplink port.

    I have connected a Linux server to the mirrored port. Now all the packets that are transferred between my 5 servers and the router will hit my Linux server.

    The requirement is that I have to generate a traffic report as follows:

    Source MAC (Server 1) to Dest MAC (Router) - 10 MB in 2 Hours
    Source MAC (Router) to Dest MAC (Server1) - 100 MB in 2 Hours

    .... likewise for all servers.

    I need to monitor traffic based on the MAC address. Is there a tool in Linux which can do this?

    I have tried iptables, which can give the bytes transferred based on a rule. But iptables rules can be written only for the source MAC address, not for the destination MAC.

    Has anybody got some clues? Please help out!

    Thanks
    rssrik

  2. #2
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Have you tried wireshark? It might be what you're looking for.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  3. #3
    Just Joined!
    Join Date
    Jun 2007
    Posts
    11
    Thanks for replying,

    Wireshark captures packets. The traffic is quite heavy, so I cannot afford to capture all packets. Instead I am looking for some kind of counter which increments the number of bytes received based on MAC address.

    ./rssrik

  4. #4
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,756
    The traffic is quite heavy, so that I cannot afford to capture all packets.
    "Quite heavy"? More than 100Mbit link through your router? A P2-3 machine should have no problem collecting everything on a 10MB/sec link.

    There are a myriad of places to pull stats. If you are not looking to write your own, you may want to consider a larger tool that gives you options down the road. An IDS like Snort may be something to consider.

  5. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by rssrik View Post
    I have tried iptables, which can give the bytes transferred based on a rule. But iptable rules can be written only for Source Mac Address not for Destination Mac.
    While I haven't written any rules for MAC only, you should still be able to write rules on the destination MAC as long as you know what it is going to be.

    Question I have is why MAC address? Why not IP?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #6
    Just Joined!
    Join Date
    Jun 2007
    Posts
    11
    Robert ji, thanks

    The router that I have explained does IP forwarding for the network behind it, so the packets won't have the IP address of the router. And there are many clients (400-500), which makes it impossible to write rules based on IP address. Moreover, I don't have access to the router.

    ./rssrik

  7. #7
    Just Joined!
    Join Date
    Jun 2007
    Posts
    11
    It seems matching packets with -m mac --mac-source xxxxxxxx is possible; how do I do it for the destination MAC?

    ./rssrik

  8. #8
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,756
    Why you can't filter on the destination MAC can be found all around the web - in short, iptables is operating on the IP layer and you don't *know* the destination MAC => Example

    You may want to look at ebtables:

    • Usage analogous to iptables.
    • Ethernet filtering.
    • MAC NAT: ability to alter the MAC Ethernet source and destination address. This can be useful in some very strange setups (a real-life example is available).

  9. #9
    Just Joined!
    Join Date
    Jun 2007
    Posts
    11
    Thanks,

    I have already started to look at ebtables. But I wonder whether iptables/ebtables is the only way to do traffic analysis. Isn't there any other tool which could do traffic analysis with MAC addresses?

    Thanks again,
    ./rssrik
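The counter the original poster describes in #1 and #3 (bytes per source-MAC/destination-MAC pair, with no packet retention) is a few lines on top of a raw socket, and it also sidesteps the iptables problem discussed in #7 and #8. The block below is an added example written for this thread; it is not code from any poster or from the iptables/ebtables projects. It assumes a Linux host (AF_PACKET sockets), an interface name you pass to capture_live, and the MAC addresses in the sample frames are constructed (locally administered 02:... addresses), not real servers.

```python
# Per-MAC-pair byte counter for Ethernet frames, as an added illustration
# for this thread (not code from any poster). Feed it frames from an
# AF_PACKET socket on the mirror-port host; the sample frames below are
# constructed, with made-up locally administered MACs (02:...).
import socket
import struct
import time
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (14 bytes)
ETH_P_ALL = 0x0003                  # "every protocol" for AF_PACKET sockets


def mac_str(raw):
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-...) into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


class MacCounter:
    """Byte and frame counters keyed by the directional (src MAC, dst MAC) pair."""

    def __init__(self):
        self.bytes = defaultdict(int)
        self.frames = defaultdict(int)

    def add_frame(self, frame):
        """Account one raw frame; returns False for runts too short to parse."""
        if len(frame) < ETH_HDR.size:
            return False
        dst, src, _ethertype = ETH_HDR.unpack_from(frame)
        key = (mac_str(src), mac_str(dst))
        # len(frame) is what the kernel hands up: header + payload, no 4-byte FCS.
        self.bytes[key] += len(frame)
        self.frames[key] += 1
        return True

    def report(self, window_hours):
        """Report lines in the thread's format, busiest pair first."""
        lines = []
        for (src, dst), n in sorted(self.bytes.items(), key=lambda kv: -kv[1]):
            lines.append(
                f"Source MAC ({src}) to Dest MAC ({dst}) - "
                f"{n} bytes ({n / 1e6:.2f} MB) in {window_hours:g} Hours"
            )
        return lines


def count_frames(frames):
    """Count an iterable of raw frames (bytes objects) into a fresh MacCounter."""
    counter = MacCounter()
    for frame in frames:
        counter.add_frame(frame)
    return counter


def capture_live(iface, seconds, counter=None):
    """Count frames on `iface` for `seconds` seconds (Linux only, needs root/CAP_NET_RAW).

    The interface must be in promiscuous mode (`ip link set dev IFACE promisc on`):
    mirrored frames are addressed to the servers' and router's MACs, not ours, and
    the NIC discards them otherwise. The IP stack drops such foreign-MAC frames
    before any iptables chain runs, which is why iptables counters stay at zero here.
    """
    counter = counter or MacCounter()
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    try:
        while time.monotonic() < deadline:
            try:
                counter.add_frame(sock.recv(65535))
            except socket.timeout:
                continue
    finally:
        sock.close()
    return counter


def make_frame(src, dst, total_len, ethertype=0x0800):
    """Build a constructed frame of `total_len` bytes (IPv4 EtherType, zero payload)."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ethertype) + bytes(total_len - ETH_HDR.size)


SERVER1, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:fe"  # constructed MACs
SAMPLE_FRAMES = [
    make_frame(SERVER1, ROUTER, 100),
    make_frame(SERVER1, ROUTER, 200),
    make_frame(ROUTER, SERVER1, 1500),
    b"\x00" * 10,  # runt: ignored
]

if __name__ == "__main__":
    for line in count_frames(SAMPLE_FRAMES).report(2):
        print(line)
```

Only the 14-byte header is parsed and nothing is stored per packet, so memory stays constant however heavy the link is; the keys are directional, so server-to-router and router-to-server come out as separate lines, as the report in #1 wants. For the two-hour figures, call capture_live with seconds=7200 (or run it from cron and reset the counter per window).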

  10. #10
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,756
    If you are not looking to write your own, you may want to consider a larger tool that gives you options down the road. An IDS like Snort may be something to consider.

    Linux App Finder > Network Monitoring


    So few options...

