Firewall analyzer?

Post by kmj0377 » Thu Jul 20, 2006 9:40 pm

Is there any good utility to analyze traffic going through a firewall and present it in a meaningful way? I've looked and I must be searching for the wrong stuff because I can't find any. It'd be nice to have a graph of some kind describing the traffic and be able to look at summaries for traffic by IP.

Post by azuriel » Thu Jul 20, 2006 9:51 pm

I don't know much about "nice graphical" ways of measuring firewall traffic, but I can point you towards a couple of utilities:

- Wireshark (Ethereal): Packet sniffer, lets you record all the packets going by on the network and analyze the traffic a bit. It can do some pretty good sorts and searches, but it's not that graphical. You can definitely look at traffic by IP, though, but recording packets like that fills up disk space fast.
- Snort: IDS, probably overkill for what you want, and it has a graph generator called snortplot. I haven't used snortplot myself, but I'm guessing it works. It's not as easy as install & run, but it's not difficult either.
- You can also look around for some log parsers; they might be able to meet your requirements.

Hope these help a bit. What kind of firewall do you have, and what is the purpose of these statistics?

ntop?

Post by lkarayan » Thu Jul 20, 2006 11:57 pm

ntop will tell you the bandwidth you are using, and the sites that are being connected to. But it won't tell you what the firewall rejected.

Post by kmj0377 » Fri Jul 21, 2006 1:53 am

azuriel wrote:
> I don't know much about "nice graphical" ways of measuring firewall traffic, but I can point you towards a couple of utilities:
>
> - Wireshark (Ethereal): Packet sniffer, lets you record all the packets going by on the network and analyze the traffic a bit. It can do some pretty good sorts and searches, but it's not that graphical. You can definitely look at traffic by IP, though, but recording packets like that fills up disk space fast.
> - Snort: IDS, probably overkill for what you want, and it has a graph generator called snortplot. I haven't used snortplot myself, but I'm guessing it works. It's not as easy as install & run, but it's not difficult either.
> - You can also look around for some log parsers; they might be able to meet your requirements.
>
> Hope these help a bit. What kind of firewall do you have, and what is the purpose of these statistics?

We mostly want to see who has been connecting the most and to what, and we'd also like to see what kind of bandwidth usage we're using (looks like ntop might do that). We're using Shorewall to configure iptables, mostly for forwarding to our servers and VPN purposes.

Post by azuriel » Fri Jul 21, 2006 5:02 am

A quick Google search for "iptables graph" turned up this article, Making Graphs with PostgreSQL & R. It's basically dumping the syslog entries that iptables generates into a database with some parsing tricks, and then using that to generate graphs. If you've got some experience working in higher level scripting languages and with databases, you can probably figure out how to do this using the article as a starting point. It shouldn't be too hard to adapt it to, say, PHP or Python and MySQL.

I'm pretty sure you could do this with snort if you wanted, but it's almost certainly extra overhead assuming that you can do it with just iptables. The general idea would be making snort detect and log all packets and dump them in snort's nice and fast binary log format, then using barnyard to put the log into a database, and THEN hopefully snortplot does what you want.
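
An added example (not from the thread or the linked article) of the approach described in the last post: parse the syslog entries iptables generates, load them into a database, and answer "who connects the most, and to what". It assumes Shorewall-style log prefixes, uses SQLite from Python's standard library in place of PostgreSQL or MySQL, and runs on constructed sample lines.

```python
import re
import sqlite3

# Constructed, abbreviated iptables LOG lines as syslog records them (made-up host and addresses).
SAMPLE_LOG = """\
Jul 20 21:40:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=22 SYN URGP=0
Jul 20 21:40:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4243 DF PROTO=TCP SPT=51515 DPT=22 SYN URGP=0
Jul 20 21:40:05 gw kernel: Shorewall:net2dmz:ACCEPT:IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TTL=50 ID=77 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul 20 21:40:09 gw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=70 TTL=52 ID=9 PROTO=UDP SPT=33000 DPT=1194 LEN=50
Jul 20 21:40:12 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 LEN=84 TTL=50 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul 20 21:41:00 gw sshd[123]: Accepted publickey for admin from 192.0.2.50 port 50022 ssh2
"""

HEAD = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\s(.*?)IN=")
KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return one iptables LOG record as a dict, or None for any other line."""
    m = HEAD.match(line)
    if not m: return None
    f = {}
    for key, val in KV.findall(line[m.end(2):]):
        f.setdefault(key, val)  # first LEN/ID is the IP header's; UDP/ICMP repeat the key
    if "SRC" not in f or "DST" not in f:
        return None
    num = lambda k: int(f[k]) if f.get(k, "").isdigit() else None
    return {"ts": m.group(1), "prefix": m.group(2).strip(), "src": f["SRC"], "dst": f["DST"],
            "proto": f.get("PROTO"), "dpt": num("DPT"), "len": num("LEN")}

def load(lines, db):
    db.execute("CREATE TABLE IF NOT EXISTS pkt (ts, prefix, src, dst, proto, dpt, len)")
    rows = [r for r in map(parse_line, lines) if r]
    db.executemany("INSERT INTO pkt VALUES (:ts, :prefix, :src, :dst, :proto, :dpt, :len)", rows)
    return len(rows)  # values are bound, never formatted into the SQL text

def top_sources(db, n=3):
    """Who has been connecting the most: logged packets and bytes per source IP."""
    return db.execute("SELECT src, COUNT(*) AS hits, SUM(len) FROM pkt "
                      "GROUP BY src ORDER BY hits DESC, src LIMIT ?", (n,)).fetchall()

def top_targets(db, n=3):
    """...and to what: logged packets per destination, protocol and port."""
    return db.execute("SELECT dst, proto, dpt, COUNT(*) AS hits FROM pkt "
                      "GROUP BY dst, proto, dpt ORDER BY hits DESC, dst, dpt LIMIT ?", (n,)).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    load(SAMPLE_LOG.splitlines(), db)
    return db
```

The totals cover only packets that hit a LOG rule, so they describe logged events rather than overall bandwidth; the `prefix` column keeps the zone pair and verdict, so dropped and accepted traffic can be summarised separately.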