Wednesday, October 14, 2015

Spy on your network with EtherApe

Network monitors are invaluable tools to administrators but can be costly. However, the open source community has a free solution, EtherApe. Learn how to install, configure, and use this monitoring tool on your network.

The EtherApe network monitor is a midrange option for monitoring your network’s data traffic. As an open source network monitor, EtherApe offers a dynamic graphical interface; features IP and TCP modes; supports Ethernet, FDDI, PPP, and SLIP devices; filters traffic; and reads traffic from both a tcpdump file and live from the network.

In this Daily Drill Down, I will show you how to get EtherApe up and running and how to customize it to fit your needs.

Getting and installing
EtherApe is installed within the Linux operating system and requires:
  • The Libpcap packet capture library, which is available from the Lawrence Berkeley National Laboratory.
  • GTK+, which is available from the GTK+ site. (You'll need version 1.2 or above.)
  • Libglade, which is available from the GNOME site.
  • GNOME, which is also available from the GNOME site. (You'll need version 1.0 or above.)

There are two forms of installation. The first way is to install from the source code, which requires the source tarball file and is compiled and built by root using the following commands:
mv etherape-0.8.2.tar.gz /usr/local/src
cd /usr/local/src
tar xvzf etherape-0.8.2.tar.gz
cd etherape-0.8.2
./configure
make
make install


The second installation method, from rpm, requires the RPM file and is installed by root using the following command:
rpm -ivh etherape-0.8.2.i386.rpm

Once you've installed the application, run EtherApe by typing etherape at the command prompt.

Running EtherApe
When you open EtherApe, you'll see a window much like the one shown in Figure A.

Figure A
EtherApe can track many types of network traffic.


When you start EtherApe, you may or may not see traffic depending on whether there is traffic actively passing through your network. In my case, the primary traffic displayed is WWW, SSH, and SMTP, because I host Web and e-mail servers, and I use secure shell for remote administration. Also, you'll notice that the display immediately becomes dynamic. As traffic comes in, the amount of traffic is represented by the size of the lines representing the connection. If you look at Figure A, you will notice that the WWW connection (shown in red) is approximately twice the size of the SSH connection (shown in light blue). This display tells you not only the type and relative size of traffic, but also the source of the traffic. Figure A lists both the destination (192.168.1.3) and the source (192.168.1.1 and 192.168.1.2) addresses of the packets sent. If you need to know more about the traffic passing on your network, you should open the Protocols window.

From the View drop-down menu, select Protocols to open the Protocols window (Figure B).

Figure B
The Protocol window keeps a running total of each type of packet that traverses your network.


Protocols window
The Protocols window is a great tool to use for troubleshooting your network. Suppose your network becomes extremely slow, and you have no idea why. You can use EtherApe to check on the traffic that's moving through your network. When you fire up EtherApe, you see a web of traffic. You open the Protocols window and confirm that WWW is racking up an enormous amount of traffic. When you return to the Main window, you see that the vast amount of WWW traffic is hitting one of your backup Web servers and that the traffic is coming from one specific domain. You can end this problem by blocking the domain from entering your internal network.

Blocking the offensive address is as simple as adding the suspect address to an input IP Tables chain like this.

Should your network not employ IP Tables, but instead it uses a third-party firewall solution, such as a Cisco PIX firewall or Access Lists, add the suspect address to the incoming filter rule set or Access List to block that unwanted traffic from clogging up your network. After it's blocked, you should see a drastic drop in the traffic reported by EtherApe.

The Protocols window is also a good way to optimize your network. Take a look at Figure C. It shows an EtherApe session that has been running for over two hours. As you can see, the WWW protocol has collected the majority of traffic (7.275 MB worth) on my network. Should this be a typical reading on my network, I would know to optimize my network for WWW traffic.

Figure C
The top protocol listed is the one with the most accumulated traffic.


Configuration of EtherApe
To configure EtherApe, click the Stop button on the main window and then click the Pref (preferences) button to open the Configuration window (Figure D).

Figure D
Be sure to save after you make changes.


The first tab on the EtherApe Configuration window, the Diagram tab, can be used to configure some of the monitor’s protocol specifics. With the Protocol Stack Level configuration, you can specify the level of packet you want to monitor. There are five levels of the stack to watch: the Topmost Recognized Protocol (Level 1, physical medium), Level 2 (eth_II), Level 3 (IP), Level 4 (TCP and UDP), and Level 5 (HTTP). Using the Topmost level gives you more specific information about the packets traversing your network. For example, when viewing my network from Level 5, SNMP-TRAP is unknown; when viewing at Level 2, the only protocols visible are ARP and IP; when viewing at Level 4, SMTP is unknown. I tend to view at the Topmost level, because I get a better picture of the packets hitting my network hardware.

Node Size Variable is another handy configuration. Node Size allows you to dictate the direction in which EtherApe is monitoring. There are two types of traffic, instant and accumulative, and each type has three different directional patterns (in+out, inbound, and outbound).

On this same tab, you can alter the Diagram Refresh Rate. This rate count is in milliseconds, so don’t let the default 800 fool you. One thing I noticed with this particular configuration is the faster the refresh rate, the harder it is to follow the traffic. By setting the Diagram Refresh Rate at the fastest possible setting (50 milliseconds), the monitor became useless. Because of the high refresh rate, the size of the traffic and the host addresses were moving around so quickly, it looked as if I were playing an old Atari video game. However, at a much slower rate (2,000 milliseconds, for example), too much traffic is missed. On a larger network, I find it much easier to work somewhere between 500 and 700 milliseconds.

Also on the Diagram tab is the Diagram Node Timeout option, which dictates how long a node will remain in the Diagram without activity. The default setting is 6,000 milliseconds. With a multinode network, it would be wise to set this number to a lower number to make the Diagram more easily readable. For example, with a four-node network, the number of clients/servers and amount of traffic might be overwhelming. At this level of the network, there will be too many destination and source addresses shown on the screen at one time, which will prevent you from actually seeing the traffic. By allowing nodes to drop off the display (after a given amount of inactivity), the network traffic will be much more easily read.

Filters
As with all network monitors, the most important aspect of EtherApe is the filters. In a network monitor, a filter utility allows you to monitor the traffic patterns at a granular level. For example, suppose you have a large network that is bogged down because of excessive Domain traffic. Because of your network's size, you are unable to figure out where the bottleneck is coming from. Specifying which machines you want EtherApe to monitor can help you to more quickly troubleshoot the problem.

Say your large network uses an internal IP scheme of 192.168.x.x and is broken down into departments. Each department has its own smaller network and is defined by the third octet of the IP address (x.x.Y.x, where Y is the defining octet). To configure EtherApe to watch only one particular group of addresses, you would first open the Preferences window and select the Capture tab. The top left drop-down list (labeled Capture Filter) is where you will enter the filter syntax, which for EtherApe is src net IP_ADDRESS dst net IP_ADDRESS (where IP_ADDRESS is the actual IP address of the machine, or machines, you wish to monitor). So if you want to monitor the data processing department whose IP addresses use the range 192.168.1, you would enter src net 192.168.1 dst net 192.168.1 to create this filter. Notice that there is no trailing dot at the end of the unfinished dotted-quad address. The unfinished address tells EtherApe that it must watch a range of addresses and not a single address. You can enter a single address, or you can enter either a source (src) or destination (dst) only.

Once you enter the filter, you will save and then click OK. The filter will then begin running. One very nice touch is that as you create new filters, they will all appear in the Capture Filter drop-down list. This allows you to switch between filters quickly, without having to reenter them.

Reading from files and remote networks
EtherApe’s ability to read from a tcpdump file is good, because it allows an administrator to capture network traffic to a file and analyze that traffic either off-line or at a more convenient time.

To take advantage of this feature, the tcpdump command—which will generate the file for EtherApe to read—must be employed with the -n and -w switches. The -n switch tells tcpdump not to resolve IP addresses, and the -w switch instructs tcpdump to write packets to a specified file instead of stdout. First, you have to capture the network traffic by dumping it to a file. To dump network traffic to a file, open a terminal window, su to root, and run the command /usr/sbin/tcpdump -n -w dump_file. Instead of getting your Bash prompt returned, you will see tcpdump: listening on eth0. Once you feel you have sufficient traffic saved to your file (running this command for two to five minutes will provide you with more than enough traffic), press [Ctrl]C, and the Bash prompt will return. Next, you'll open EtherApe and have it read the dump file. From the Bash prompt, enter the command etherape -r dump_file, and EtherApe will begin displaying the traffic listed in the file as if it were being captured in real time.
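To make concrete what EtherApe does with a tcpdump file, and how the "src net 192.168.1 dst net 192.168.1" capture filter from the Filters section narrows what is counted, here is an added example that is not EtherApe's own code. It builds a small classic pcap capture in memory (constructed sample frames, not a real trace), walks the file record by record, decodes the Ethernet/IPv4/TCP or UDP headers, applies the unfinished-dotted-quad prefix semantics of "src net"/"dst net", and accumulates bytes per protocol the way the Protocols window does. The port-to-name table (WWW, SSH, SMTP, DOMAIN) and the little-endian, Ethernet-only pcap assumptions are mine, not EtherApe's.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic, written here little-endian
LINKTYPE_ETHERNET = 1

# Assumption: a tiny port-to-name table in the spirit of the names the article shows.
PORT_NAMES = {80: "WWW", 22: "SSH", 25: "SMTP", 53: "DOMAIN"}


def build_packet(src, dst, sport, dport, payload_len, proto=6):
    """Construct an Ethernet/IPv4/TCP (proto=6) or UDP (proto=17) frame with a zero payload."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    if proto == 6:
        # 20-byte TCP header: ports, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)   # 8-byte UDP header
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4 + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a little-endian classic pcap buffer."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 and the TCP/UDP ports; return None for non-IPv4 frames."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IP header length in bytes
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else None
    return {"src": src, "dst": dst, "proto": proto, "ports": ports, "len": len(frame)}


def in_net(addr, net):
    """'192.168.1' means the 24-bit prefix 192.168.1.0/24; a full address means /32."""
    parts = net.split(".")
    network = ipaddress.ip_network(".".join(parts + ["0"] * (4 - len(parts))) + f"/{8 * len(parts)}")
    return ipaddress.ip_address(addr) in network


def net_filter(pkt, src_net=None, dst_net=None):
    """Apply the 'src net X' and/or 'dst net X' capture-filter semantics."""
    if src_net and not in_net(pkt["src"], src_net):
        return False
    if dst_net and not in_net(pkt["dst"], dst_net):
        return False
    return True


def protocol_name(pkt):
    """Name a packet by the first well-known port, falling back to the transport/IP protocol."""
    if pkt["ports"] is None:
        return {1: "ICMP"}.get(pkt["proto"], f"IP-{pkt['proto']}")
    for port in pkt["ports"]:
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    return "TCP" if pkt["proto"] == 6 else "UDP"


def protocol_totals(pcap_bytes, src_net=None, dst_net=None):
    """Accumulated bytes per protocol, most traffic first, like the Protocols window."""
    totals = defaultdict(int)
    for _, frame in iter_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None or not net_filter(pkt, src_net, dst_net):
            continue
        totals[protocol_name(pkt)] += pkt["len"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample capture: two departments, 192.168.1.x and 192.168.2.x.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.1", "192.168.1.3", 40000, 80, 1000),            # WWW
    build_packet("192.168.1.2", "192.168.1.3", 40001, 80, 1000),            # WWW
    build_packet("192.168.1.1", "192.168.1.3", 40002, 22, 1000),            # SSH
    build_packet("192.168.2.9", "192.168.1.3", 40003, 25, 500),             # SMTP from 192.168.2.x
    build_packet("192.168.1.2", "192.168.2.53", 40004, 53, 60, proto=17),   # DOMAIN to 192.168.2.x
])

if __name__ == "__main__":
    for name, nbytes in protocol_totals(SAMPLE_PCAP, "192.168.1", "192.168.1").items():
        print(f"{name:8s} {nbytes} bytes")
```

Without a filter the sample yields WWW, SSH, SMTP and DOMAIN in that order; with src net 192.168.1 dst net 192.168.1 only the two flows that stay inside the data processing department survive, which is exactly the narrowing the Filters section describes. To run it against a real file, replace SAMPLE_PCAP with the bytes of the dump_file written by tcpdump -n -w (the reader only handles the classic little-endian Ethernet pcap layout).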

Another really handy little trick takes advantage of secure shell. You can pipe the output of a tcpdump run through an ssh session. This allows you to actually monitor a remote network with EtherApe. To do this, you must have root permissions on the remote machine and must run a command similar to this.

After you issue the command to monitor a remote network, you will be asked for the root user password. Once the root password is entered, EtherApe will open displaying the remote network traffic.

Caution
Please remember that anytime you transmit root information across a network, you run the risk of compromising the security of your network by submitting your root password across network traffic. If you choose to use EtherApe to remotely monitor a network, it would be best to use the Sudo application on the tcpdump command to allow specified nonroot users access to a root-only application. For more information on Sudo, see “Limiting root access with sudo, part 1.”
