Wireshark mailing list archives

Re: Want to monitor a port, count bytes transferred, record who transferred, nothing else


From: Martin Visser <martinvisser99 () gmail com>
Date: Mon, 23 Apr 2012 14:25:13 +1000

As Seth has said, this is pretty much a perfect match for Netflow or IPFIX
(which is more or less the "New" version of Netflow). You want a netflow
probe to convert seen packet data to netflow records. And then a collector
to grab the netflow records and save them to some form of database. The
collector will normally have a means of displaying the data.

Many high end switches and routers have probe capability, so depending on
your hardware, you might already have this.

If not, the following open-source software may be useful

ntop has both a probe and a collector that can display the collected data
in various formats. It has a GUI to enable you to drive it.
fprobe is able to capture packets (using libpcap like Wireshark) and create
netflow records.
flow-tools is a set of tools that can capture netflow and process it to
produce reports similar to what you require. (It is CLI only)

Regards, Martin

MartinVisser99 () gmail com


On 23 April 2012 00:59, Seth Hall <seth () icir org> wrote:


On Apr 20, 2012, at 11:45 AM, Brian Excarnate wrote:

So my first question is:  Is there some other tool that is a better
choice, and if so which?


You could use something that generates netflow records and a netflow
collector or Argus.  You could also give Bro-IDS a try (I'm one of the
developers).  The output you're looking for can be found in our conn logs.
 You can download a binary package from our website too:
       http://www.bro-ids.org/download/#binarypackages

If you're just interested in getting the conn logs, you should be able to run
(with the appropriate interface):
       sudo bro -i eth0

It will start creating logs in your current working directory.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
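
The per-port, per-host byte count the original poster asked for, built from the Bro conn.log output Seth mentions above, as an added example that is not part of this thread or of Bro itself. It parses a small constructed conn.log sample (the field names follow the Bro 2.x conn.log header; the records are invented) and totals bytes per originating host for one responder port. The column layout is taken from the log's own #fields line, so it does not assume a fixed column set.

```python
import io
from collections import defaultdict

# Constructed sample of a Bro conn.log (tab-separated, '#'-prefixed header
# lines). Field names mirror the Bro 2.x conn.log; the records are invented.
# Bro writes '-' for an unset field, e.g. byte counts on a never-completed
# connection (conn_state S0).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\n"
    "1335150000.123\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t2.5\t1500\t30000\tSF\n"
    "1335150001.456\tCabc2\t10.0.0.7\t51235\t192.0.2.10\t443\ttcp\tssl\t0.8\t600\t12000\tSF\n"
    "1335150002.789\tCabc3\t10.0.0.5\t51236\t192.0.2.10\t80\ttcp\thttp\t0.3\t400\t9000\tSF\n"
    "1335150003.000\tCabc4\t10.0.0.9\t51237\t192.0.2.10\t443\ttcp\t-\t-\t-\t-\tS0\n"
    "#close\t2012-04-23-14-25-13\n"
)


def parse_conn_log(text):
    """Yield one dict per data row, naming columns from the #fields header.

    Header/comment lines ('#...') are skipped; the '-' unset marker becomes
    None so callers do not mistake it for a value.
    """
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields header")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def bytes_by_host_for_port(text, port, proto="tcp"):
    """Sum traffic per originating host for connections to responder port `port`.

    Returns {orig_h: (bytes_sent, bytes_received, connection_count)}.
    orig_bytes/resp_bytes are the payload byte counts Bro records per
    direction; an unset count (connection never completed) counts as 0.
    """
    totals = defaultdict(lambda: [0, 0, 0])
    for rec in parse_conn_log(text):
        if rec["id.resp_p"] != str(port) or rec["proto"] != proto:
            continue
        entry = totals[rec["id.orig_h"]]
        entry[0] += int(rec["orig_bytes"] or 0)
        entry[1] += int(rec["resp_bytes"] or 0)
        entry[2] += 1
    return {host: tuple(v) for host, v in totals.items()}


def report(text, port):
    """Render the per-host totals as a plain-text table (one line per host)."""
    lines = ["%-16s %10s %10s %6s" % ("orig_h", "sent", "recv", "conns")]
    for host, (sent, recv, conns) in sorted(bytes_by_host_for_port(text, port).items()):
        lines.append("%-16s %10d %10d %6d" % (host, sent, recv, conns))
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed usage: read a real conn.log instead of the constructed sample,
    # e.g. report(open("conn.log").read(), 443)
    print(report(SAMPLE_CONN_LOG, 443))
```

Only a conn.log written in Bro's ASCII format is handled here; a live deployment would point `report()` at the conn.log that `bro -i eth0` writes into the working directory, and the totals are per-connection payload bytes, not IP-layer bytes (Bro records those separately as orig_ip_bytes/resp_ip_bytes).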

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

