Network

    Ever wonder what kind of traffic is flying around on your network? Which machines or what protocols are using the most bandwidth? What your network throughput is? There is a very simple way to find out and all it involves is an old PC that you are not using, a simple hub, and an hour or two of your time.

    We've all been there: Users are complaining about a slow network and you have no idea where to begin looking for the cause. Perhaps there is an infected machine on the network that is making multiple connections to an outside address. Maybe you have a user that you suspect is sucking up bandwidth by downloading movies or listening to streaming audio.  The best way to obtain a good picture of what's going on is to install some type of device that can see all the traffic to and from all of the machines on your network and then present that information in an easy to understand format.

    One of the best tools for doing this is an application called “ntop”. Ntop is an open source tool that will show you all of the traffic on your network, broken down by IP address, protocol, throughput, etc. All of the data collected by the application is presented in an easy to use web interface. Although ntop has been ported to Windows I will explain how to get this application up and running using Linux. The main advantage of using Linux is that ntop itself can be quite resource intensive (depending upon the size of your network) and Linux allows us to install the bare minimum of an operating system therefore allowing most of the hardware resources to be available to the application.

    The first step is to procure a donor machine. This doesn't have to be anything fancy, an old PIII with 512Mb of ram and a 20Gb hard drive will suffice. You will also need a hub (NOT a switch!) so that you can plug your new ntop box into a network segment where it can see all of the traffic. Lastly you'll need a copy of my favorite Linux distribution, Debian.     

    Begin by downloading and burning a copy of Debian. I recommend getting the network install image, it's very small, and you only need a very few basic packages anyway. Go here: Debian and download the appropriate “netinst” image (i386 for most of you). Make sure you burn this as an ISO “image” and then boot your selected PC to this CD. Go ahead and install Debian, making sure that you are plugged into the network and the internet is accessible. Debian has a reputation for being difficult to install but you can safely accept the defaults most of the way through, with the following exceptions:

1.    If your PC grabs a DHCP address, use the tab key to choose “back”, then choose “configure network manually”, and then assign an appropriate static IP.
2.    When you get to the “Software selection” screen, unselect everything (trust me). This is done by using the space bar to toggle your selection and the “down” arrow key to move through the menu. Once you have deselected all options, use the “tab” key to choose continue and hit “enter”.

After it installs grub, it will spit the CD out at you and you simply hit “enter” to continue and boot into your new Debian system.

    At this point, you should be staring at a login prompt (yes, it's all text based, no “point and click” here). Simply type “root”, hit “enter”, and then the password you chose for root when you installed the OS. Now, we're going to do some basic setup:

1.    Type “nano -w /etc/apt/sources.list” (without the quotation marks). This will open a file up in an editor.
2.    Using your arrow keys to move around, put a “#” sign in front of the line that starts with “deb cdrom” (this is called a “comment” and it means the line will be ignored). Then move the cursor to the end of the first line that starts with “deb http” and add “contrib” and “non-free”. It should look like this:
“deb http://ftp.debian.org/debian/ etch main contrib non-free”
3.    Do the same for the remaining 3 lines.
4.    Hit “ctrl O” (the ctrl button and the letter “o” at the same time), “enter”, and then “ctrl X”.
5.    Type the command “apt-get update”.
6.    Type the command “apt-get install openssh-server” (just hit enter when it asks you if you want to continue).

    From here on, we can have some fun and finish the install remotely from our desktop by simply cutting and pasting commands into a terminal window connected to the Debian box. This ntop server is designed to be headless anyway, so there is no need to have a monitor and keyboard connected during normal operation.

    Linux users can simply open a terminal and connect to the Debian box using SSH. Windows users will need to download a small program that will allow terminal connections to a Linux box. This program, called “putty”, allows a Windows box to use SSH (the secure shell protocol) and can be found here: putty (just grab “putty.exe" and save it to your desktop). Open up putty, punch in the IP address of your Debian box, log in as “root”, and then cut and paste the following commands into the terminal window (one line at a time, hitting enter after each line):

    apt-get install ntop graphviz gsfonts-x11
    ntop –set-admin-password
    reboot

    That's it, now you have a working network management box! There are a few basic parameters you will want to set, so open up your web browser and point it to:

    http://IP_address_of_ntop_box:3000

    You should see the ntop summary page. We should set up a secure means of talking to this box, so choose “admin > configure > startup options” from the menu at the top of the page and enter the user name (admin) and the password you just created for the ntop admin. Change the “HTTP Server” value to 0 and the “HTTPS Server” value to 3000, then click “save preferences” (bottom of page). Next, choose “admin > configure > preferences” and in the blank boxes at the bottom of the table, enter “dot.path” in the first box and “/usr/bin/dot” in the second box, then click the “add” button. Reboot the ntop box one more time and make sure that you can access it using https, not http. (As a side note, the previous 2 reboots are not necessary; normally I would just restart the ntop service via the command line but I'm trying to keep this simple. I should also advise the Windows users that you do NOT need to log in to the box to make it work, in fact it's a bad idea to remain logged in as root.)

    In order to see more than just traffic to the ntop box itself, you must plug it into a network segment that carries all the traffic for your network. This is where the hub comes in: Pick a spot on the back bone of your network, plug the hub in there, and connect the ntop server to the hub. For example, you can place the hub between your firewall and the core switch to see all the traffic in and out of your network. Of course you can always mirror a port on the core switch to the port that your external connection plugs into (if you have a managed switch in place).

    I would strongly recommend one last security related configuration; it is a very bad idea to allow root logins via SSH. While allowing this makes the above install very easy, now that the box is up and running it's time to change this parameter. Log into the ntop box via a terminal (as root) and follow these instructions:

1.    Enter the command “nano -w /etc/ssh/sshd_config”, this will open up a file in an editor. Using the same method you used earlier to edit the “apt” file, look for the line that reads “PermitRootLogin Yes”, change “yes” to “no”, and save your changes.
2.    Enter the command “/etc/init.d/ssh restart”.

(After you have completed the above configuration the login procedure via SSH changes a little bit: you will no longer be able to log in directly as “root”. You must log in as the regular user that you created when you initially installed Debian and then issue the command “su” to change to the root user)

    As always, if you have any questions, comments, problems, or monetary contributions, please direct them to me at thughes@fwpm.com.

RESOURCES:
Debian: http://www.debian.org/

ntop: http://www.ntop.org/

putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Burning CD images: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

Todd Hughes is a Network Security Analyst and long time Linux fan in the Upstate New York area. Send your Questions, comments or feedback to: thughes@fwpm.com.

Copyright  Todd Hughes  2007. Printed by permission.

 

{mos_fb_discuss:131}