Challenging but interesting task.

[rssrik]

Hi all,

I have a Switch, with 5 Servers Connected to it. One of the Switch port(uplink) is connected to the Gateway Router. I have enabled port mirroring for the Uplink port.

I have connected a Linux Server to the Mirrored Port. Now all the packets that are transferred between my 5 Servers and Router will hit my Linux Server.

The requirement is, I have generate a traffic report as following,

Source MAC (Server 1) to Dest MAC (Router) - 10 MB in 2 Hours
Source MAC (Router) to Dest MAC (Server1) - 100 MB in 2 Hours

.... likewise for all servers.

I need to Monitor traffic based on the Mac Address. Is there a tool in linux which can do this.

I have tried iptables, which can give the bytes transferred based on a rule. But iptable rules can be written only for Source Mac Address not for Destination Mac.

Anybody has got some clues .. please help out !

Thanks
rssrik

[smolloy]

Have you tried wireshark? It might be what you're looking for.

[rssrik]

Thanks for replying ,

Wireshark Captures Packets. The traffic is quite heavy, so that I cannot afford to capture all packets. Instead I am looking for some kind of a counter which increments the number of bytes received based on Mac Address.

./rssrik

[HROAdmin26]

The traffic is quite heavy, so that I cannot afford to capture all packets.

"Quite heavy"? More than 100Mbit link through your router? A P2-3 machine should have no problem collecting everything on a 10MB/sec link.

There are a myriad of places to pull stats. If you are not looking to write your own, you may want to consider a larger tool that gives you options down the road. An IDS like Snort may be something to consider.

[Lazydog]

I have tried iptables, which can give the bytes transferred based on a rule. But iptable rules can be written only for Source Mac Address not for Destination Mac.

While I haven't written any rules for MAC only you should still be able to write rules on Destination MAC as long as you know what it is going to be.

Question I have is why MAC address? Why not IP?

[rssrik]

Robert ji, thanks

The Router that I have explained does IP Forwarding for the Network behind it. So the packets wont have the IP Address the Router. And there are many clients (400-500) which makes it impossible to write rules based on IP Address. Moreover I dont have access to the Router.

./rssrik

[rssrik]

it seems matching packets with -m mac --mac-source xxxxxxxx is possible, how to do for destination mac ???

./rssrik

[HROAdmin26]

Why you can't filter on the destination MAC can be found all around the web - in short, iptables is operating on the IP layer and you don't *know* the destination MAC => Example

You may want to look at ebtables:

# Usage analogous to iptables.
# Ethernet filtering.
# MAC NAT: ability to alter the MAC Ethernet source and destination address. This can be useful in some very strange setups (a real-life example is available).

[rssrik]

Thanks,

I have already started to look at ebtables. But wonder whether iptables/ebtables is the only way to do traffic analysis. Isn't there any other tool, which could do traffic analysis with mac address.

Thanks again,
./rssrik

[HROAdmin26]

If you are not looking to write your own, you may want to consider a larger tool that gives you options down the road. An IDS like Snort may be something to consider.

Linux App Finder > Network Monitoring

So few options...