Monitoring my home network

I'm looking for software that I can use to monitor the traffic on my home network

I have a Linksys WRT54G router .. and have

1 pc connected - wired
1 pc connected - wireless
1 xbox - wireless
1 laptop - wireless

I can't seem to find any software that can be installed on just one PC, say my laptop, and have access to the traffic on my whole network.

Something like CommView would be SWEET :D but there's no way I can afford its price

Is there anything out there that meets my needs? thanks

Simon

Reply to
Plebism

"Plebism" hath wroth:

What do you want to monitor? Traffic? content? URL's? bandwidth use? Statistics?

Nope. That's because most of your devices are plugged into the ethernet switch in your WRT54G. A switch moves traffic only to the port where the target MAC address is known to be located. The other ports never see the traffic. If you plug a sniffer into one port on a switch, all you see is traffic to and from that port. Exception is that broadcast packets and packets with no specific destination MAC address, go to all the ports.

On better (managed) ethernet switches, there is usually a monitor port that does have all the traffic visible. Using alternative firmware, there is also a way to convince the WRT54G to turn one of the ports on the WRT54G into a monitor port.

However, if all you are interested in monitoring is traffic going THROUGH the WRT54G router, and don't care about client to client traffic, then you can use any of the syslogd, Rflow, or SNMP monitoring tools to sniff the WRT54G. Some likely culprits are:

Note that some of the above require replacement firmware for your WRT54G.

Reply to
Jeff Liebermann


To which version? My Linksys WRT54G (bought in July 2004) came with firmware ver 2 and was upgraded to firmware version v 4.21.1. That was what I was guided to do by tech support after he asked me what was the ver that the unit came with. I saw version 6 or even 7. I asked why I couldn't upgrade to that but he wasn't helpful with his answers. He just said choose the download given for the v 2.

BTW, can I ask what anti virus software is the best product out there?

Is any free anti virus worth using? I know someone who doesn't want to spend money on these things ..

Reply to
mimi

mimi hath wroth:

Please learn to edit quoted text. I tend to be long winded, tedious, detailed, and really hate to read my own stuff, twice.

Note the word "replacement" firmware. That does not mean upgraded firmware. The firmware for the WRT54G is open source, which means a horde of programmists have modified the code, fixed things, and added features. I use DD-WRT on most of my Linksys and Buffalo routers. See:

I'm partial to using SNMP for monitoring due to the huge number of tools available for the purpose. Here is someone's web page showing WRT54G traffic on their home network:

You also have apparently mixed the software versions with the hardware mutations for the WRT54G. v6 and v7 are hardware revisions. The other numbers are firmware versions. See:

for differences. I consider WRT54G v5 and v6 to be fairly close to useless.

For what operating system? Since you're obviously embarrassed by your selection, I'll assume you're a Windoze XP or Vista user. Mac and Unix users tend to proudly announce themselves, so it's a fair deduction. For Windoze, I use Grisoft AVG for both anti-virus and anti-rootkit. It is NOT the best for catching every last lousy virus and worm out there. Its primary benefit is that it does NOT take over your computer or render it unstable, slow, or clumsy to use. I tried NOD32, which looked good for me, but my customers were completely lost. For anti-spyware, I use Windoze Defender.

Yes. Free AVG is worth using if you're impoverished.

AOL has a free anti-virus (you don't have to be a member) if you don't mind some ads. It seems to work well for my clueless customers.

There are others. You really should read the reviews and try the demos. Then decide for yourself.

Reply to
Jeff Liebermann

Me too. This whole traffic monitoring thing is getting to be important with our satellite connection and increasingly critical FAP issues.

What I need to see is where AND how much traffic goes through the router. That is, who is downloading and how much at any given time. Uploading is optional. This way, I can police the system and see if someone is using too much of the bandwidth for themselves.

Basically, we need a manual fair access system. We have up to 10 users online at a time. Automatic would be nicer, but manual control through monitoring/logs is good enough. If the logs show abuse, I can send the "boys" to their house and impress upon them the value of sharing fairly...

I've installed PRTG traffic grapher and taken a look at it, but need to study SMTP to learn how to run it and if it will work for us. What do you think of it for my purposes?

Wallwatcher looks somewhat promising. RFLOW collector is one I have to check out for sure. Cryptic download setup there - outta time.

Any comments/specific suggestions? Can you tell me which, if any could give me traffic thruput per mac address or similar - for 10 users?

Steve

Reply to
seaweedsteve

seaweedsteve hath wroth:

Deja Vu. I've been there before.

Sure. You'll need to separate out the traffic by LAN side IP addresses (or MAC address) and then optionally classify the traffic by type (IP socket number). Ummm... what SMTP device are you monitoring?

That's exactly what I'm trying to avoid. I'm getting really tired of playing enforcer. What I've found to be effective is posting the general in/out traffic statistics by IP address so that all the neighbors and users can see what's happening. Peer pressure is more effective than physical violence.

Marginal. MRTG and PRTG are designed to measure only a few things at a time. What you want are at least 10 IP addresses, each broken out by perhaps 20 assorted IP services. That's too much for MRTG or PRTG. It's perfectly suitable for total traffic in/out by user, but not by service. If you had a Cisco router, Netflow based data collection would be a no brainer, but probably not for whatever you have. One thing for sure, you're going to need a server that runs for 24 hours a day. Very likely Linux based if you want high uptime. I've been using SBC (single board computah) Linux boxes with 2GByte CFflash cards and no hard disk.

See RRDtool:

For an example, see:

Scroll down to "Network Services Demand". Also:

Rflow is Netflow for DD-WRT. Rflow works and I use it for troubleshooting. I'm not sure if running it 24 hours per day is a good way to go. There's no cumulative logging, which means that a reboot wipes all your collected data. Find something that saves collected data.

Sure. Tell me what hardware you're monitoring and what you plan to use to monitor the traffic (hardware, OS, etc).

I suggest you forget about monitoring by service for now and just collect traffic statistics by IP or MAC address using MRTG and PRTG. That's easy enough to do. If you're a masochist, you can even do it on Windoze 95/98/ME. See:

Start with just the router total traffic in/out by interface (wired, wireless, internet). Break out the traffic by service later.

You might also want to give yourself a tour of your SNMP stack. I use GetIF 2.3.1:

There's one trick to using GetIF. If you add MIB files to the MIB directory, first erase the file:

c:\program files\getif 2.3.1\MIBS\.index

Getif will rebuild it on startup. Otherwise, your added MIB won't be recognized. If the MIB file is garbage, you'll find an error report in:

c:\program files\getif 2.3.1\MIBS\Getif.log

If you're a command line junkie like me, try SNMPUTIL.EXE

Try:

snmputil walk 192.168.1.1 public .1.3.6.1

Replace 192.168.1.1 with your router's IP address and "public" with your SNMP read-only community name (password).

List of connected IP addresses:

snmputil walk 192.168.1.1 public .1.3.6.1.2.1.3.1.1.3.1.1

which returns:

Variable = at.atTable.atEntry.atNetAddress.1.1.63.249.85.1
Value = IpAddress 63.249.85.1

Variable = at.atTable.atEntry.atNetAddress.1.1.192.168.1.11
Value = IpAddress 192.168.1.11

Variable = at.atTable.atEntry.atNetAddress.1.1.192.168.1.51
Value = IpAddress 192.168.1.51

Variable = at.atTable.atEntry.atNetAddress.1.1.192.168.1.113
Value = IpAddress 192.168.1.113

Corresponding MAC addresses:

snmputil walk 192.168.1.1 public .1.3.6.1.2.1.3.1.1.2.1.1

which returns:

Variable = at.atTable.atEntry.atPhysAddress.1.1.63.249.85.1
Value = String

Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.11
Value = String

Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.51
Value = String

Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.113
Value = String

That should give you a clue what can be done. Give yourself a tour from the command line or with any MIB browser. Get used to reading (and finding) MIB files so you're not dealing with numeric OID's. Try the various tools.

Lots more stuff to try:


Reply to
Jeff Liebermann

You mean SNMP....

Reply to
Mark McIntyre

Yes and no. I need to know who is using how much. I don't think I need to know the type of use.

Agreed ! Good idea.

That answers my question, though my conclusion is different from yours. I don't think I want the breakdown by IP service, just by user/ IP address. Actually, I'd prefer by MAC so we can keep DHCP going, but I could work around it by assigning everybody an address, I suppose.

If you had a Cisco router, Netflow based data collection

We have a DD-WRT device.

Yep. Your single board Linux solution sounds elegant. I'll probably just use a minimalized P3 laptop to sit in the gear box with the router and sat modem. Not much room there and kinda hot though. I'll sacrifice uptime as I'm not going to learn Linux this year.

I'm going to stick with Windows.

OK. As I said above, we have DD-WRT, so it's a natural, but...no cumulative logging. Will it give me traffic by user? If so, then would there be a work-around?

I know I can check these all out, but I'm trying to sort through to find which one is worth learning...

DD-WRT (Buffalo HP) will be monitored by a P3, XPpro box connected by cable to the router.

Back full circle!

Well, I do need it broken down by user right from the start. And I don't really care about the wired vs wireless. Point being, we have limited bandwidth and a FAP in place. Who is using how much?

This looks like a great way to learn about snmp. I'll check it out.

No, stop. You're hurting me! I don't like this! Seriously, I've been avoiding command-line (as much as possible) since the Apple II and hope to keep it that way.

Great. This MIB vs OID thing you mention is exactly what I need to sort out, besides, of course which program will do the job...

So much for getting any cement work done this week.

Steve

Reply to
seaweedsteve

One more thing. Know anything about Tomato firmware? It seems to have better monitoring, though I don't know if it's going to give me per client breakdowns...

I certainly don't use 90% of the extra features in DD-WRT.

Steve

Reply to
seaweedsteve

Well, I got 2 out of 4 letters right. That makes me only half wrong.

Reply to
Jeff Liebermann

Okay. It was an accident.

I realized that as I was re-reading it just before this current post.

How easy/difficult is it to load dd-wrt firmware on my 54G?

I saw those by accident and obviously didn't realize that the links were the firmware for certain hardware versions.

I use Norton. I am asking for someone else, who is afraid of computer work. A relative that I want to tell not to ask me for any computer help.

(I accidentally deleted when copying..)

Does Norton's take over?

Thanks.

I assume that the Grisoft version you use is not the free version, right?

Reply to
mimi

Neighbors? But how do the neighbors know who represents that IP or MAC address unless the person's name was attached to it?

Reply to
mimi

mimi hath wroth:

Easy. This thread is about sharing and monitoring a shared satellite internet system. Such systems are normally run by a dictatorial and fascist administrator, such as myself. Usually, everyone knows everyone else on such systems. Such admins like to know who's using the system. Therefore, they have lists of MAC addresses with corresponding device and user names with phone numbers to call. For open systems, a signup page is sometimes used. If I find a new MAC address appearing on my system, I get very curious as to who and where it's coming from. Usually, I just block the MAC address and wait for the phone to ring. No need to sniff the traffic or play direction finder, when I can get them to call me.

Reply to
Jeff Liebermann
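
The check described in this thread (walk the router's address table with snmputil, then compare the MAC addresses against the admin's list of known devices), as an added example that is not any poster's code. The MAC values in the sample are constructed, the `<0x..>` byte rendering of the String values is an assumption (the values are missing from the output quoted earlier), and the function names and inventory are hypothetical.

```python
import re

# Constructed sample: both walks from the thread saved into one capture.
# MAC values are made up; the "<0x..>" byte rendering is an assumption.
SAMPLE = """\
Variable = at.atTable.atEntry.atNetAddress.1.1.192.168.1.11
Value    = IpAddress 192.168.1.11
Variable = at.atTable.atEntry.atNetAddress.1.1.192.168.1.51
Value    = IpAddress 192.168.1.51
Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.11
Value    = String <0x02><0x00><0x00><0x00><0x00><0x01>
Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.51
Value    = String <0x02><0x00><0x00><0x00><0x00><0x02>
Variable = at.atTable.atEntry.atPhysAddress.1.1.192.168.1.113
Value    = String
"""

# One "Variable = <oid>  Value = <type> <value>" record, on one or two lines.
PAIR = re.compile(r"Variable\s*=\s*(\S+)\s+Value\s*=\s*(\w+)[ \t]*([^\n]*)")
# Column name, then ifIndex.1.<IPv4 address> as the row index.
ENTRY = re.compile(
    r"\.(atNetAddress|atPhysAddress)\.\d+\.\d+\.(\d+\.\d+\.\d+\.\d+)$")

def parse_at_table(text):
    """Return {ip: mac or None} from snmputil walk output of the at table."""
    table = {}
    for oid, _type, value in PAIR.findall(text):
        m = ENTRY.search(oid)
        if not m:
            continue  # some other MIB variable; ignore it
        column, ip = m.groups()
        table.setdefault(ip, None)
        if column == "atPhysAddress":
            octets = re.findall(r"<0x([0-9a-fA-F]{2})>", value)
            if len(octets) == 6:  # keep only a complete 48-bit MAC
                table[ip] = ":".join(o.lower() for o in octets)
    return table

def unknown_devices(table, inventory):
    """List (ip, mac) pairs whose MAC is missing or not in the inventory."""
    known = {mac.lower().replace("-", ":") for mac in inventory}
    return sorted((ip, mac) for ip, mac in table.items() if mac not in known)

if __name__ == "__main__":
    inventory = {"02-00-00-00-00-01": "Steve's laptop"}  # hypothetical list
    for ip, mac in unknown_devices(parse_at_table(SAMPLE), inventory):
        print(f"not in inventory: {ip} {mac or '(no MAC returned)'}")
```

Entries with no MAC in the walk output are reported as well, since an address the router cannot resolve is also worth a look.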

mimi hath wroth:

It varies by hardware mutation. The V5 and V6 hardware mutations are a pain in the posterior. I consider these versions to be marginal anyway and not worth using. For the others, I use the TFTP method as detailed at:

It takes a bit of trial and error to get the timing right (when to start the upload after turning on the power), but it's not too horrible. From that point on, updates are done from a web interface. The usual beginner's goof is to install the wrong version for the specific model router.

To the best of my limited knowledge, Peter Norton has not written an operating system.

Yes.

Wrong. My customers and I use both the free and commercial versions.

For those that buy, I use the Anti-Malware version, which is the anti-virus and anti-spyware bundle. $45 for 2 years.

Reply to
Jeff Liebermann

Which is better than the Govt. Hmm maybe you should stand for election...... gd&r

Reply to
Mark McIntyre

Think in the context of the topic please. We were talking about AV.

I am not buying Norton anymore then.

Reply to
mimi

Found this:


Some of its features:

Auto network discovery and layout
Discovers any type or brand of device
Device, Link monitoring, and notifications
Includes SVG icons for devices, and supports custom icons and backgrounds
Easy installation and usage
Allows you to draw your own maps and add custom devices
Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
Individual Link usage monitoring and graphs
Direct access to remote control tools for device management
Supports remote Dude server and local client
Runs in Linux Wine environment, MacOS Darwine, and Windows
Best price/value ratio compared to other products (free of charge)

Steve

Useful, though not sure about logging, which I need.

Reply to
seaweedsteve

Seems to be more of a management tool than a traffic monitoring tool. As is it doesn't run as a service in Windows either.


Reply to
kev

seaweedsteve hath wroth:

The price is right so I decided to try v3.0beta6. (Never waste energy resisting temptation.) It found all of the devices on my network. However, it also went through the gateway and started probing the /24 IP block on the WAN side of my router, listing about 100 assorted customers. Sigh. SNMP traffic monitoring looks ok. AVG email scanner pops up every time it probes port 110 on the 100 assorted customers. It also declares anything with an open POP3 port to be a mail server. Sigh. Time to do some deletions before my ISP gets irate.

It shows a short term traffic history graph for each branch that shows traffic speeds (from SNMP). Your DD-WRT based router should show those if you have SNMP enabled. Just drag the mouse over the indicated speeds and the graph will appear. That's nice but not what you need as it's not broken down by client.

It found some LPR/LPD printers connected directly to the internet. Resisting the temptation to try printing something...

Maybe I should read the docs....(but that's no fun).

Reply to
Jeff Liebermann

Have you by any chance tried "Darkstat"? Both my routers are down at the moment and I am stuck with a USB modem so can't test it on my network.


Reply to
kev
