19.11. Using ntop for Colorful and Quick Network Monitoring

You like tcpdump and Wireshark just fine, but they're not easy to read, and don't give you nice visual snapshots of network activity. Isn't there some program that will monitor and collect network traffic data, and aggregate statistics, and make nice colorful charts so you can see at a glance what your network is doing? Such as established connections, protocols used, and traffic statistics? And that is quick and easy to set up?

You want ntop, a network traffic probe that decodes protocols, keeps per-host and per-protocol statistics, and presents them as HTML charts and graphs through its own built-in web server. Debian users should install it this way:

	# aptitude install ntop rrdtool graphviz

Fedora users will have to dig up an RPM (try http://rpm.pbone.net/), or build it from sources. You must have libpcap and GDBM installed. ntop serves its pages from its own embedded web server, so no separate HTTP server such as Apache or lighttpd is required. You should also install:

  • RRDTool

  • Graphviz

  • OpenSSL

  • ZLib

  • GDChart

  • GDLib

  • LibPNG

  • Ettercap

After installing ntop, start it with this command:

	# /etc/init.d/ntop start

It will ask you for a password for the admin user; this password protects the configuration pages, not the statistics pages. Then open a web browser to http://localhost:3000. Give it a few minutes to collect some data, and you can help it along by checking email and web surfing. The pages refresh automatically. Unless you tell it otherwise, ntop listens for browsers on TCP port 3000 on every interface, so everyone who can reach that port can read a summary of your network's traffic: bind it to localhost (the -w option takes an address:port pair) or firewall the port before leaving it running.

Everything is configurable via the web interface. Visit Admin → Configure → Startup Options first to configure what you want monitored, such as the local machine only, the local subnet, or multiple subnets. Disable promiscuous mode unless the interface ntop listens on is plugged into a hub or a switch mirror port, where promiscuous mode is what lets it see other hosts' traffic. The other configuration tabs let you set up ntop pretty much any way you like.
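The same startup choices can be made on the command line, which is handy when ntop runs from an init script and you want the safe settings fixed before the web interface ever comes up. The following script is an added example, not code from the book or from the ntop project; the interface, subnet, user, database directory and the loopback-only web address are assumptions for a typical small network, and the options used (-i, -m, -u, -P, -w, -d, -A) are standard ntop command-line switches.

```shell
#!/bin/sh
# Added example (not from the book or from ntop): start ntop with the
# settings that matter for safety fixed on the command line.
# Every value below is an assumption; adjust to your network.

IFACE="eth0"                  # interface to sniff
LOCAL_NET="192.168.1.0/24"    # address range ntop treats as "local"
NTOP_USER="ntop"              # unprivileged user ntop drops to after opening the capture
DB_DIR="/var/lib/ntop"        # where ntop keeps its GDBM and RRD files (must be writable by NTOP_USER)

# Weak default: "-w 3000" binds the web interface to every interface.
# Corrected: pin it to loopback and reach it over an SSH tunnel instead.
HTTP_BIND="127.0.0.1:3000"

# Build the argument list once, so it can be reviewed or copied into
# /etc/default/ntop (Debian's GETOPT variable) unchanged.
ntop_args() {
    echo "-i $IFACE -m $LOCAL_NET -u $NTOP_USER -P $DB_DIR -w $HTTP_BIND -d"
}

# Refuse to start if the web interface would be reachable from the network.
web_is_local() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    setpass)
        # First run only: -A asks for the admin password and exits.
        ntop -P "$DB_DIR" -A
        ;;
    start)
        web_is_local "$HTTP_BIND" || {
            echo "refusing: ntop web UI would listen on $HTTP_BIND" >&2
            exit 1
        }
        # shellcheck disable=SC2046
        ntop $(ntop_args)
        ;;
esac
```

Run it once as `./ntop-start.sh setpass` to set the admin password, then `./ntop-start.sh start`; from another machine, `ssh -L 3000:127.0.0.1:3000 monitor-host` and browse to http://localhost:3000 as before.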

Figure 19-3 and Figure 19-4 give you an idea of what ntop looks like in action, allowing you to find out at a glance who is engaged in monkey business.

ntop doesn't have the power and customizability of heavier-duty network monitors, but it's great when you want something up and running quickly and need snapshots of network activity. The IP Local tab is especially interesting: it can help you find sneaky wireless access points, and it shows at a glance which ports have been used. This can be eye-opening. For example, if you see activity on port 110 (POP3) when you expect only port 995 (POP3S), you know you have a mail client sending passwords in the clear. If you see port 25 (SMTP) traffic when you're not running a mail server, or it's coming from the wrong hosts, you may have compromised PCs spewing forth spam. You'll also see bandwidth usage at a glance, for homing in on bandwidth hogs, and a whole lot of other helpful data.
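Once you know what to look for in the IP Local tab, the same three checks (cleartext POP3, SMTP from hosts that are not your mail server, and the biggest bandwidth consumers) are worth scripting so they run unattended. The script below is an added example, not code from the book or from ntop; it works on constructed per-connection records in a simple "source destination protocol port bytes" format (real records in this shape can be produced from a packet capture or a flow exporter), and the sample lines and the mail-server address are made up.

```shell
#!/bin/sh
# Added example (not from the book or from ntop): apply the recipe's
# eyeball checks to per-connection records so they can be scripted.
# Record format (constructed for this example, one connection per line):
#   <src-ip> <dst-ip> <proto> <dst-port> <bytes>
SAMPLE_FLOWS='192.168.1.20 203.0.113.10 tcp 995 48210
192.168.1.31 203.0.113.10 tcp 110 5120
192.168.1.57 198.51.100.7 tcp 25 890
192.168.1.5 198.51.100.7 tcp 25 77000
192.168.1.31 203.0.113.44 tcp 80 9100000
192.168.1.20 203.0.113.44 tcp 443 220000'

# Hosts allowed to speak SMTP outbound (assumption: 192.168.1.5 is the site mail server).
MAIL_SERVERS="192.168.1.5"

# Cleartext POP3 (port 110) clients. POP3S (port 995) is what you expect,
# so anything on 110 is a client sending its password unencrypted.
flag_cleartext_pop3() {
    printf '%s\n' "$SAMPLE_FLOWS" |
        awk '$3 == "tcp" && $4 == 110 { print $1 }' | sort -u
}

# SMTP (port 25) from anything other than the mail server(s):
# a likely spam bot or a misconfigured client.
flag_rogue_smtp() {
    printf '%s\n' "$SAMPLE_FLOWS" |
        awk -v allowed="$MAIL_SERVERS" '
            BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            $3 == "tcp" && $4 == 25 && !($1 in ok) { print $1 }' | sort -u
}

# Bytes per source host, highest first: the bandwidth hogs.
top_talkers() {
    printf '%s\n' "$SAMPLE_FLOWS" |
        awk '{ bytes[$1] += $5 } END { for (h in bytes) print bytes[h], h }' |
        sort -rn | head -n "${1:-3}"
}

echo "Cleartext POP3 clients:";   flag_cleartext_pop3
echo "Unexpected SMTP sources:";  flag_rogue_smtp
echo "Top talkers (bytes host):"; top_talkers 3
```

To use it on live data, replace the SAMPLE_FLOWS variable with a pipe from whatever produces your connection records, and feed the flagged hosts to your alerting of choice; the port lists are the same ones the recipe tells you to watch for in the web interface.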