Network monitoring for fun and profit

In network security, there are a few important tasks you just can't ignore. They include things such as perimeter security (firewalls and proxies), disaster recovery (backups and redundant systems), and monitoring (packet analysis and system logs). In the area of monitoring, there are a few tools that you might consider evaluating for use in your own network.

  • Nagios: One example is Nagios, a highly configurable, flexible network resource monitoring tool. It's open source, highly extensible, and very customizable to your needs. Unless otherwise noted, all of the following tools are likewise open source software (and thus available for free).
  • Snort: Another is Snort, "the de facto standard for intrusion detection/prevention." It is, in essence, exactly as advertised.
  • tcpdump: Don't forget venerable standards such as tcpdump. Combined with a scripting language that provides powerful text filtering abstractions such as Perl, Python, or Ruby, or even with something a bit more basic like grep+sed+awk, it's the expert's packet analysis toolkit.
  • lsof: For more localized use, lsof can be an incredibly flexible and powerful tool. Again, you'll need some text filtering to really make use of it.
  • syslog: It doesn't get much more basic and ubiquitous than syslog. If you have to maintain security on any UNIX or UNIX-like system -- such as a Linux distribution, FreeBSD, NetBSD, OpenBSD, OpenSolaris, or Darwin, for instance -- you should learn how to put syslog's facilities to good use (and, once again, how to effectively automate text filtering).
  • event log: There's also event log on Windows. It's not open source, but it's part of the system. You need to know something about it if you're going to try to maintain security on Windows systems.
  • EventSentry: Tools like EventSentry can be of incredible benefit to the Windows network administrator. For single-system monitoring, you might be able to get by with nothing more than the free trial version, which isn't time-limited but does strip away many of the more powerful features of the full version. To monitor an entire network, you'll want to invest in the complete package -- or get something else. It's not open source software, which means licensing issues must be dealt with.
  • Eventlog to Syslog Utility: For "something else," there's always the open source Purdue University Eventlog to Syslog Utility, AKA "evtsys." It's a simple tool that you run on Windows systems to automatically read and reformat events in the event log, then send them to a UNIX system to be handled by syslog. It's an excellent tool, and it makes the busy netadmin's life much easier by collecting all the necessary log events in one convenient place on the network.
  • glTail.rb: My inspiration for writing this article, however, was one I've only just discovered today. I'm not 100 percent certain it's all that useful in practice, yet, but it sure as heck is fun to watch it work. Get a load of glTail.rb, a "realtime logfile visualization." It looks a lot better than similarly graphical (though not very similarly functioning) tools like EtherApe ever did. Check out the "xvid movie" link there -- it's an AVI video, so even Ubuntu users who haven't figured out how to get WMV files working in MPlayer shouldn't have any trouble with it. It's mesmerizing.
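The syslog and evtsys items above both come down to the same chore: automating text filtering over one central log. Here is an added example of that chore (not code from the article or from any of the tools it names) that scans constructed syslog lines, including two that imitate Windows event-log entries forwarded by an evtsys-style tool, and counts failed logons per source address; the exact layout of the forwarded Windows lines is an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines (BSD-style), not real logs.
# The last two imitate Windows Security events (4625 = failed logon,
# 4624 = successful logon) after forwarding to syslog; the field layout
# of those lines is an assumption made for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 52144 ssh2
Mar  3 10:15:07 gw sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Mar  3 10:15:09 gw sshd[2215]: Failed password for root from 203.0.113.9 port 41030 ssh2
Mar  3 10:15:12 gw sshd[2217]: Failed password for root from 203.0.113.9 port 41041 ssh2
Mar  3 10:15:20 gw sshd[2219]: Failed password for bob from 10.0.0.7 port 50110 ssh2
Mar  3 10:15:31 winfs1 Security: 4625: An account failed to log on. Source Network Address: 203.0.113.9
Mar  3 10:15:40 winfs1 Security: 4624: An account was successfully logged on. Source Network Address: 10.0.0.5
"""

# One pattern per log source; each captures the remote address as 'ip'.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"Security: 4625: .*Source Network Address: (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]


def count_failures(log_text):
    """Return a Counter of failed-logon events keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("ip")] += 1
                break  # a line belongs to at most one source type
    return hits


def flag_sources(log_text, threshold=3):
    """Return a sorted list of (ip, count) pairs at or above the threshold."""
    return sorted((ip, n) for ip, n in count_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logons seen across UNIX and Windows hosts")
```

Because the UNIX and Windows failures land in one Counter, the script correlates an address that is probing both kinds of hosts, which neither log would show on its own.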