Network Monitoring
The network monitoring directory contains software which allows a
system administrator to monitor a network for the purposes of security,
billing, and analysis (both live and offline).
o antisniff
The Anti-Sniffer runs on a local ethernet segment and reports
whether machines are in promiscuous mode or not. It does this
through a variety of tests designed to tickle certain drivers,
operating systems, and hardware filtering.
o antiroute
Antiroute listens on ports used in UDP-based route tracking and
determines the IP address, source port and distance (in hops) of
the host from which the trace is being performed.
o argus
Argus is a fixed-model Real Time Flow Monitor designed to track and
report on the status and performance of all network transactions
seen in a data network traffic stream. Argus provides a common data
format for reporting flow metrics such as connectivity, capacity,
demand, loss, delay, and jitter on a per transaction basis.
o arpwatch
arpwatch and arpsnmp are tools that monitor ethernet or fddi
activity and maintain a database of ethernet/ip address pairings.
They also reports certain changes via email.
o bandmin
Bandmin is a tool that can monitor bandwidth usage of virtual
interfaces on systems using ipfwadm, ipchains, ipf, or ipfw. It
periodically checks interface counters, logs the results, and
generates HTML output for viewing.
o darkstat
darkstat is a network traffic analyzer. It's basically a packet
sniffer which runs as a background process on a cable/DSL router
and gathers all sorts of useless but interesting statistics.
o etherape
EtherApe is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays
network activity graphically. Hosts and links change in size with
traffic. Color coded protocols display. It supports Ethernet, FDDI,
Token Ring, ISDN, PPP and SLIP devices.
o flow-tools
flow-tools is a collection of tools that capture, process and
manage NetFlow exports from Cisco routers.
o icmpinfo
icmpinfo is a small tool that monitors and decode ICMP messages. It
can aid in debugging some network problems.
o IPA
IPA is a flexible general purpose accounting system. It supports
static and dynamic rules, limits, sublimits and thresholds. It
works with external accounting, database and statistics modules.
o ipac-ng
ipac is a package which is designed to gather, summarize and nicely
output the IP accounting data. ipac make summaries and graphs as
ascii text and/or images with graphs.
o ipacct
ipacct is a small Perl script which uses Darren Reed's IP Filter to
count traffic on a network and report it into an HTML file suitable
for your billing department.
o ipaudit
IPAUDIT listens to a network device in promiscuis mode, and records
of every 'connection', each conversation between two ip addresses.
A unique connection is determined by the ip addresses of the two
machines, the protocol used between them and the port numbers (if
they are communicating via udp or tcp).
o ipfm
IP Flow Meter is a bandwidth analysis tool, that measures how much
bandwidth specified hosts use on their Internet link.
o iplog
iplog is a TCP/IP traffic logger. Currently, it is capable of
logging TCP, UDP and ICMP traffic. iplog's capabilities include the
ability to detect TCP port scans, TCP null scans, FIN scans, UDP
and ICMP "smurf" attacks, bogus TCP flags (used by scanners to
detect the operating system in use), TCP SYN scans, TCP "Xmas"
scans, ICMP ping floods, UDP scans, and IP fragment attacks.
o ippl
ippl is a daemon which logs IP packets sent to a computer. It runs
in the background, and displays information about the incoming
packets. Criteria can be used to specify what packets should be
logged and what packets should be ignored.
o iptraf
IPTraf is a console-based network monitoring program for Linux that
displays information about IP traffic. This program can be used to
determine the type of traffic on your network, and what kind of
service is the most heavily used on what machines, among others.
o karpski
K.ARP.SKI (karpski) is an ethernet protocol analyzer / sniffer. Its
abilities as a sniffer or scanner are limited, but this sniffer is
much easier to use than other popular sniffers such as tcpdump. In
addition, there is a protocol definition file in which other
protocols can be added. Karpski may also be used to launch programs
against addresses on your local network and as a local network
intrusion tool.
o mrtg
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the
traffic load on network links. MRTG generates HTML pages containing
GIF images which provide a LIVE visual representation of this
traffic.
o Nagios
Nagios(R) is a host and service monitor designed to inform you of
network problems before your clients, end-users or managers do. It
has been designed to run under the Linux operating system, but
works fine under most *NIX variants as well. The monitoring daemon
runs intermittent checks on hosts and services you specify using
external "plugins" which return status information to Nagios. When
problems are encountered, the daemon can send notifications out to
administrative contacts in a variety of different ways (email,
instant message, SMS, etc.). Current status information, historical
logs, and reports can all be accessed via a web browser.
o NeTraMet
NeTraMet is an implementation of the Internet Accounting
Architecture (RFC 2063 and RFC 2064).
o NetSaint
NetSaint is a host/service/network monitoring program. CGI programs
are included to allow you to view the current status, history, etc
via a web interface if you so desire.
o netwatch
Netwatch allows a user (superuser) to monitor an Ethernet and
examine activity on the network.
o nistnet
The NIST Net network emulator is a general-purpose tool for
emulating performance dynamics in IP networks. The tool is designed
to allow controlled, reproducible experiments with network
performance sensitive/adaptive applications and control protocols
in a simple laboratory setting. By operating at the IP level, NIST
Net can emulate the critical end-to-end performance characteristics
imposed by various wide area network situations (e.g., congestion
loss) or by various underlying subnetwork technologies (e.g.,
asymmetric bandwidth situations of xDSL and cable modems).
o nocol
NOCOL/SNIPS (Network Operation Center On-Line) is a network
monitoring package that runs on Unix platforms and is capable of
monitoring network and system variables such as ICMP or RPC
reachability, RMON variables, nameservers, ethernet load, port
reachability, host performance, SNMP traps, modem line usage,
appletalk & novell routes/services, BGP peers, syslog files, etc.
o nomad
Nomad is a network mapping program designed to automatically
discover a local network, using SNMP to identify network devices
and work out how they are physically connected together. The
network is then presented as a topology diagram with simple
integrated monitoring. Changes in the network are reflected in the
diagram which continuously updates, and you can customise your own
views of the network map with various views and filters.
o ntop
ntop is a tool that shows the network usage, similar to what the
popular top Unix command does. ntop is based on pcapture and it has
been written in a portable way in order to virtually run on every
Unix platform.
o oproute
oproute is a generalised network performance analysis tool.
o perro
Perro is a set of three daemons that logs the IP/TCP, IP/UDP and IP
/ICMP packets that arrives to your Linux box. It also takes cares
and logs IP options, eluding the IP options sniffer attack.
o pfflowd
OpenBSD's PF stateful packet filter will count bytes and packets
for flows it tracks statefully. PF also contains a mechanism
(pfsync) which allows realtime reporting of state expiry. pfflowd
listens for these state expiry messages and converts them to
NetFlow datagrams.
o pingsting
pingsting is an application that monitors networks for ICMP Echo
Requests and attempts to determine what application generated the
ICMP packets.
/
o RRD Tool
If you know MRTG, you can think of RRDtool as a reimplementation of
MRTGs graphing and logging features. Magnitudes faster and more
flexible than you ever thought possible. RRD is the Acronym for
Round Robin Database. RRD is a system to store and display
time-series data (i.e. network bandwidth, machine-room temperature,
server load average). It stores the data in a very compact way that
will not expand over time, and it presents useful graphs by
processing the data to enforce a certain data density. It can be
used either via simple wrapper scripts (from shell or Perl) or via
frontends that poll network devices and put a friendly user
interface on it.
o scanlogd
scanlogd is a tool to detect and log port scans.
o Sentinel
The Sentinel project is designed to be a portable, accurate
implementation of all publicly known promiscuous detection
techniques. Sentinel currently supports 3 methods of remote
promiscuous detection: The DNS test, Etherping test, and ARP test.
Support for the ICMP Ping Latency test is under development.
o Softflowd
Softflowd is flow-based network traffic analyser capable of Cisco
NetFlow data export. Softflowd semi-statefully tracks traffic flows
recorded by listening on a network interface or by reading a packet
capture file. These flows may be reported via NetFlow to a
collecting host or summarised within softflowd itself.
o tcp_wrappers
The package provides tiny daemon wrapper programs that can be
installed without any changes to existing software or to existing
configuration files. The wrappers report the name of the client
host and of the requested service; the wrappers do not exchange
information with the client or server applications, and impose no
overhead on the actual conversation between the client and server
applications.
o tcpspy
tcpspy is an administrators' tool that logs information about
selected incoming and outgoing TCP/IP connections (username, local
and remote addresses, and executable filename). Connections are
selected for logging with rules, similar to the filter expressions
accepted by tcpdump and other libpcap-based applications (tcpspy
does not, however, use libpcap). tcpspy is currently available only
for the Linux operating system.
o trafshow
trafshow is a full-screen network traffic monitor.
o xinetd
xinetd is a secure and more fully-featured replacement for inetd.
(Note: This list of software and information available at Wiretapped is
not exhaustive. Users are encouraged to browse and search the archive
and read any available "-README.txt" files that are available)