Linux – Network Tap Server


I just finished up my most recent project to implement a monitoring server on a network “Tap” or Span Port. The need arose to be able to capture and filter data on segments of the network in real time. We needed a way to take a look at a specific VLAN and see what kind of traffic was going across it. This could have been accomplished with SolarWinds Netflow, but it was going to require a significant amount of adjustments to our current configuration to view all ports. Essentially, SolarWinds does a great job of telling you what you want to know about traffic. The problem is that, even though we have 5000+ ports defined in SolarWinds, all traffic outside of that is lumped together as “Unmonitored Traffic”. If I knew what port or ports we were targeting, it would be easy to set up a watch for traffic on those ports. However, the problem was that we wanted to find out what we didn’t know. That is, we wanted to find out what kind of traffic was going across the network that we didn’t know about. (We don’t know what we don’t know.) So I developed a Linux-based network monitoring system that would be able to collect, store and report what we needed.

This was achieved utilizing several open source tools on an Ubuntu 12.04 Linux Server/Desktop running on a 6-year-old HP DL380 G2. First and primary was EtherApe; this tool allows for real-time graphical representation of network traffic. This can be an extremely powerful tool when attempting to catch things occurring in real time. Second was tcpdump, which allows for long-term collection of packet data to be analyzed after the event occurs. Also worth noting and along the same lines as tcpdump is Wireshark; however, I have encountered too many times where Wireshark will run for 48 hours then error out. tcpdump, on the other hand, I have seen run for a week without issue. Also within the same category is IPTraf, which can provide a lot of good traffic details through a CLI / SSH session. Lastly, the security guys asked if I would include PBnJ to help with the efforts of locking down systems within the network. PBnJ utilizes Nmap, MySQL and some other tools to collect, store and compare targeted systems/IP ranges of open ports and vulnerabilities.
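To get at the “we don’t know what we don’t know” traffic from a tcpdump capture, one approach is to rank everything that touches no already-monitored port. The Python below is an added example, not the author's code; the monitored-port set, the lower-port heuristic and the sample lines (constructed in the style of `tcpdump -nn -q` output) are assumptions for illustration.

```python
import re
from collections import Counter

# Assumption: ports already defined in the flow monitor (hypothetical list).
MONITORED_PORTS = {22, 53, 80, 443}

# IPv4 TCP/UDP lines in the style printed by `tcpdump -nn -q`.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:(?P<tcp>tcp) (?P<tlen>\d+)|UDP, length (?P<ulen>\d+))"
)

# Constructed sample input, not taken from a real capture.
SAMPLE = """\
12:00:01.000001 IP 10.1.20.15.51000 > 10.1.20.9.443: tcp 1200
12:00:01.000002 IP 10.1.20.31.49152 > 10.1.20.40.6881: tcp 1400
12:00:01.000003 IP 10.1.20.40.6881 > 10.1.20.31.49152: tcp 900
12:00:01.000004 IP 10.1.20.77.5353 > 224.0.0.251.5353: UDP, length 120
12:00:01.000005 IP 10.1.20.15.40000 > 10.1.20.2.53: UDP, length 40
12:00:01.000006 ARP, Request who-has 10.1.20.1 tell 10.1.20.15, length 28
12:00:01.000007 IP 10.1.20.50.50123 > 10.1.20.60.3389: tcp 0
""".splitlines()

def unmonitored_summary(lines, monitored=MONITORED_PORTS):
    """Rank (proto, port, payload bytes, packets) for traffic on no monitored port."""
    byte_count, pkt_count = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and anything else without ports
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport in monitored or dport in monitored:
            continue  # already visible in the existing monitoring
        proto = "tcp" if m["tcp"] else "udp"
        # Heuristic (assumption): the lower port number is the service side.
        key = (proto, min(sport, dport))
        byte_count[key] += int(m["tlen"] or m["ulen"])
        pkt_count[key] += 1
    return [(p, port, b, pkt_count[(p, port)])
            for (p, port), b in byte_count.most_common()]

if __name__ == "__main__":
    for proto, port, nbytes, pkts in unmonitored_summary(SAMPLE):
        print(f"{proto}/{port:<6} {nbytes:>8} bytes {pkts:>5} packets")
```
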

I was pleasantly surprised at how quickly I was able to put these tools together and implement them in my Proof of Concept Lab. There were a few tweaks that were needed from out-of-the-box installs of each application, but for the most part I was able to “apt-get install” the tools and start using them right off the bat.

Once in production, we found a good amount of unexpected traffic. I would highly recommend that any network infrastructure team put this type of server in place on their network. This allows a window into the network traffic without having to load Wireshark on each node that you are troubleshooting. As I continue to configure and tweak the settings on these apps, I will post them, so it might help save others time and trouble.

Good Luck!


~ by Josh on August 12, 2013.
