Network Activities

On Sun, 22 Feb 2004 15:43:17 -0500, Simon Koh wrote:

> Hi,
>
> Could someone tell me what tools should I use to detect network
> activities? I need to know if there is anyone running Kazaa, MSN
> Messenger, Yahoo, AOL....
>
> Is there a way to block those activities??

Since this is comp.os.linux.networking, the answer is simple: IPTABLES.

Kazaa: 1214/tcp
MSN Messenger: 6891-6901/tcp 1863/tcp+udp
Yahoo: 5100, 5050, 11999/tcp
AOL: 5190/tcp

Of course, Kazaa is now considerably more port-agile, Yahoo can use port
80, and in general users can squirm through any blockade with the modern
softwares available today.

Install and learn how to use TCPDUMP

On 2004-02-22, Ernie Sams <(E-Mail Removed)> wrote:
> On Sun, 22 Feb 2004 15:43:17 -0500, Simon Koh wrote:
>
> Of course, Kazaa is now considerably more port-agile, Yahoo can use port
> 80, and in general users can squirm through any blockade with the modern
> softwares available today.
>
> Install and learn how to use TCPDUMP
>
however tcpdump (or better still ethereal[1]) will not help you block things,
only decide on which ports to block and so on. If you are worried about
MSN/Yahoo and so on, probably easier still to block no the local port but the
remote IP block; use 'whois' and 'dig' to work out which IP blocks MSN/Yahoo
go and try to connect to and block those; alternatively look for the DNS
lookup they do and tweak your caching DNS server to return 127.0.0.1 instead.

There are other ways to block people other than by port.

A better approach to limiting P2P traffic is IPP2P[1], this will identify P2P
packets and then if all you want to do is block them you do so; if you want
to be fancy and make the best use of your bandwidth play with Quality of
Service (QoS)[3] and use the CONNMARK filter to put all P2P traffic in a low
priority band so it does not affect more important traffic.

have fun

Alex

[1] http://www.ethereal.com/
[2] http://rnvs.informatik.uni-leipzig.d.../index_en.html
[3] http://www.lartc.org/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Koh <(E-Mail Removed)> wrote:
> On Sun, 22 Feb 2004 01:04:43 -0800, Ernie Sams wrote:

> > On Sun, 22 Feb 2004 15:43:17 -0500, Simon Koh wrote:
[..]
> >> Could someone tell me what tools should I use to detect network
> >> activities? I need to know if there is anyone running Kazaa, MSN
> >> Messenger, Yahoo, AOL....

[..]

> > Install and learn how to use TCPDUMP

> Is there a way (tools) to find out if there is anyone using those services
> at first? I can't tell how many of those are currently running. Please
> enlighten.

Yep, as already written, you can use 'tcpdump' for swiftly
checking, 'ethereal' if you want a GUI, or even 'ntop' for nice web
based stats.

- --
Michael Heiming (GPG-Key ID: 0xEDD27B94)

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAOI4tAkPEju3Se5QRAo8nAKCKKz4YaaF0R8UxOeJSC0 wde70iHQCeJe8w
/CzNj2udYKemjETGWZt/nFk=
=ZUQu
-----END PGP SIGNATURE-----

So anyway, it was like, 07:27 CET Feb 23 2004, you know? Oh, and, yeah,
Simon Koh was all like, "Dude,

> I installed Ethereal successfully. When I run from root, it only
> allows me to capture the traffic of workstation that I am using, not
> able to capture the rest of the workstation in Network. Am I missing
> something?

A tap or a hub, probably.

If your workstation is on a switched network, you'll not be able to
catch much of anything that's not directly adressed to you even if you
put your nic in promiscuous(sp?) mode.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
18:24:25 up 1 day, 1:00, 6 users, load average: 2.09, 2.14, 2.13
$ cat /dev/bollocks "echo y | format c:" Registered Linux user #261729
extend extensible methodologies

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Koh <(E-Mail Removed)> wrote:
> On Sun, 22 Feb 2004 18:25:40 +0100, Johan Lindquist wrote:
[..]

> > If your workstation is on a switched network, you'll not be able to
> > catch much of anything that's not directly adressed to you even if you
> > put your nic in promiscuous(sp?) mode.

> I am in a 3Com Switch Network, this days no one runs Hub or tap. Does it
> mean that I can't listen to other workstations? I need to find out what is
> happening in the network and I can't afford to go around install Ethereal
> on each machines (about 500) to find out what they are doing. Thanks.

Ops, assumed the whole time, you were sitting on the router/gatway...

- --
Michael Heiming (GPG-Key ID: 0xEDD27B94)

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAOOmmAkPEju3Se5QRAuHtAJ0TvlqqF/3QxdA7maM0DM/sdlEtZwCgvtEq
u5sSPczIZA+inxU+kqv8QFs=
=tBjt
-----END PGP SIGNATURE-----

So anyway, it was like, 07:47 CET Feb 23 2004, you know? Oh, and, yeah,
Simon Koh was all like, "Dude,
> On Sun, 22 Feb 2004 18:25:40 +0100, Johan Lindquist wrote:
>> So anyway, it was like, 07:27 CET Feb 23 2004, you know? Oh, and, yeah,
>> Simon Koh was all like, "Dude,

>>> I installed Ethereal successfully. When I run from root, it only
>>> allows me to capture the traffic of workstation that I am using,
>>> not able to capture the rest of the workstation in Network. Am I
>>> missing something?
>>
>> A tap or a hub, probably.
>>
>> If your workstation is on a switched network, you'll not be able to
>> catch much of anything that's not directly adressed to you even if
>> you put your nic in promiscuous(sp?) mode.
>
> I am in a 3Com Switch Network, this days no one runs Hub or tap.

Right, hence my guess.

> Does it mean that I can't listen to other workstations?

Not from just any random port on a switch. You'll need hardware which
can for example be set to repeat all traffic on a dedicated port, or
you'll have to find a point where it would make sense to install some
sort of tap. The latter is probably not what you want in this case.

> I need to find out what is happening in the network and I can't
> afford to go around install Ethereal on each machines (about 500) to
> find out what they are doing.

If you want to monitor your network, and it's the size you indicate,
I think you should definitely look into getting managed switches.
For that size, the added cost can be quite easily motivated just by
counting the hours it'd take to find the origin of a broadcast storm.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
18:47:45 up 1 day, 1:23, 6 users, load average: 2.23, 2.18, 2.16
$ cat /dev/bollocks "echo y | format c:" Registered Linux user #261729
scale cross-media schemas

Johan Lindquist wrote:

>>>> I installed Ethereal successfully. When I run from root, it only
>>>> allows me to capture the traffic of workstation that I am using,
>>>> not able to capture the rest of the workstation in Network. Am I
>>>> missing something?
<snip>
>
>> I need to find out what is happening in the network and I can't
>> afford to go around install Ethereal on each machines (about 500) to
>> find out what they are doing.
>
> If you want to monitor your network, and it's the size you indicate,
> I think you should definitely look into getting managed switches.
> For that size, the added cost can be quite easily motivated just by
> counting the hours it'd take to find the origin of a broadcast storm.
>

Just a thought (I'm still learning): if he has such a big network, couldn't
his connection to the internet be (already) centered into an specific
gateway? In this case, if he is willing to control internet flow, depending
on the "shape" of the network, can't he install the software there (the
firewall/gateway node)?

Hi,

Could someone tell me what tools should I use to detect network
activities? I need to know if there is anyone running Kazaa, MSN
Messenger, Yahoo, AOL....

Is there a way to block those activities??

Rds,
Simon

So anyway, it was like, 19:15 CET Feb 22 2004, you know? Oh, and, yeah,
Paulo R. Dallan was all like, "Dude,
> Johan Lindquist wrote:

>>> I need to find out what is happening in the network and I can't
>>> afford to go around install Ethereal on each machines (about 500)
>>> to find out what they are doing.
>>
>> If you want to monitor your network, and it's the size you
>> indicate, I think you should definitely look into getting managed
>> switches. For that size, the added cost can be quite easily
>> motivated just by counting the hours it'd take to find the origin
>> of a broadcast storm.
>>
>
> Just a thought (I'm still learning): if he has such a big network,
> couldn't his connection to the internet be (already) centered into
> an specific gateway?

It most likely is, yes. I got in on this thread alittle late, I guess.

> In this case, if he is willing to control internet flow, depending
> on the "shape" of the network, can't he install the software there
> (the firewall/gateway node)?

Yes, if the goal is to disallow certain services from being used over
an internet connection, the best approach would of course be to just
put a firewall on the router.

If this isn't already done, or if the firewall isn't stopping things
like kazaa already, one would have to ask if the person responsible
for maintaining this 500-node network is really the right person for
the job.

Proper strategy for implementing a firewall isn't "which services do I
need to block", it's "which services do I need to allow".

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
22:28:24 up 1 day, 5:04, 6 users, load average: 2.01, 2.03, 2.00
$ cat /dev/bollocks "echo y | format c:" Registered Linux user #261729
target cross-platform e-services

On Mon, 23 Feb 2004 01:47:19 -0500, Simon Koh is alleged to have said:

> I am in a 3Com Switch Network, this days no one runs Hub or tap. Does it
> mean that I can't listen to other workstations? I need to find out what is
> happening in the network and I can't afford to go around install Ethereal
> on each machines (about 500) to find out what they are doing. Thanks.

Now I'm confused as to the rationale of what you are doing. Why do you
care what exactly is going on in the entire network? If you are using a
mesh switch topology, then all you really care about is total traffic and
the contribution from each computer -- MRTG can provide that information
without breathing hard.

If you are worried about illegal or questionable activity at the interface
point to the Internet cloud, then you have the perfect place to put a
traffic monitor, assuming you don't just use the port counter information
already present in your router -- and MRTG can be used here, too, to
record the counts.

If some puff-ball is saying "I don't want the computers used for non-work
activities" then I suggest HE walk around to implement the policy. You
are going to have an interesting time monitoring what 500 computers
are doing eight hours a day...and I'm not sure that I would want to work
for such an input-oriented company anyway. The goal is to MAKE MONEY, and
that means that every employee has to generate revenue, or assist others
to generate revenue. (What do you think YOUR job is?) Electronic
witch-hunts don't accomplish that -- in fact, such witch-hunts tend to
DEPRESS productivity.

If it's such an issue, 500 CCTV cameras into a multiplexing console would
do a better job.

Now, if the goal is to keep workers productive, that's what management
oversight is all about. The managers should be out on the floor or the
cube farm or whatever keeping track of who is accomplishing what.

--
Opinions in this posting not necessarily opinion of employer. Are
personal notes, posted using my computer, my account. Not legal opinion
or advice. Void where prohibited. For entertainment only. Your mileage
may vary. Not appropriate for children.