Network Monitoring

The network monitoring directory contains software which allows a system administrator to monitor a network for the purposes of security, billing, and analysis (both live and offline).

o antisniff  The Anti-Sniffer runs on a local ethernet segment and reports whether machines are in promiscuous mode or not. It does this through a variety of tests designed to tickle certain drivers, operating systems, and hardware filtering.

o antiroute  Antiroute listens on the ports used by UDP-based route tracing and determines the IP address, source port and distance (in hops) of the host from which the trace is being performed.

o argus  Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per-transaction basis.

o arpwatch  arpwatch and arpsnmp are tools that monitor ethernet or FDDI activity and maintain a database of ethernet/IP address pairings. They also report certain changes via email.

o bandmin  Bandmin is a tool that can monitor bandwidth usage of virtual interfaces on systems using ipfwadm, ipchains, ipf, or ipfw. It periodically checks interface counters, logs the results, and generates HTML output for viewing.

o darkstat  darkstat is a network traffic analyzer. It is basically a packet sniffer which runs as a background process on a cable/DSL router and gathers all sorts of useless but interesting statistics.

o etherape  EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are colour coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices.
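The arpwatch entry above describes a database of ethernet/IP pairings with change reports sent by mail. As an added example, not arpwatch's own code, the following Python keeps such a database in memory and emits the three report kinds arpwatch is best known for: a new station, a changed ethernet address, and a flip flop (an IP that switches back to a MAC it was already paired with). The (timestamp, ip, mac) observation tuples are constructed for this example, and the rule that any previously seen MAC counts as a flip flop is this example's simplification of arpwatch's behaviour, not a description of its source.

```python
"""Added example modelled on arpwatch's report categories; not arpwatch code.

Observations are constructed (timestamp, ip, mac) tuples, as a listener would
derive them from ARP replies; the on-disk arp.dat format is not reproduced.
"""

from collections import defaultdict


class PairingDB:
    """ip -> list of [mac, last_seen], most recently active pairing first."""

    def __init__(self):
        self.table = defaultdict(list)

    def observe(self, ts, ip, mac):
        """Record one sighting; return a report tuple or None if nothing changed."""
        mac = mac.lower()
        history = self.table[ip]
        if not history:
            history.insert(0, [mac, ts])
            return ("new station", ip, mac)
        current_mac, _ = history[0]
        if current_mac == mac:
            history[0][1] = ts
            return None
        known = [entry for entry in history if entry[0] == mac]
        if known:
            # IP moved back to a MAC we had already paired it with (example's
            # simplification: arpwatch compares against the previous MAC only)
            entry = known[0]
            history.remove(entry)
            entry[1] = ts
            history.insert(0, entry)
            return ("flip flop", ip, mac)
        history.insert(0, [mac, ts])
        return ("changed ethernet address", ip, mac)


def replay(observations):
    """Feed observations in order and collect every report that would be mailed."""
    db = PairingDB()
    events = []
    for ts, ip, mac in observations:
        event = db.observe(ts, ip, mac)
        if event is not None:
            events.append(event)
    return events


# Constructed sample: a gateway address answered by a second card, then the
# real gateway again, i.e. the pattern ARP spoofing produces on the segment.
SAMPLE = [
    (1000, "10.0.0.1", "00:11:22:33:44:55"),
    (1001, "10.0.0.7", "aa:bb:cc:dd:ee:01"),
    (1060, "10.0.0.1", "00:11:22:33:44:55"),
    (1120, "10.0.0.1", "DE:AD:BE:EF:00:01"),  # gateway IP claimed by another MAC
    (1121, "10.0.0.1", "00:11:22:33:44:55"),  # real gateway answers again
    (1122, "10.0.0.1", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for event in replay(SAMPLE):
        print(*event)
```

A burst of "flip flop" reports for a gateway address within seconds, as in the sample, is what a practitioner should read as a possible ARP spoofing attempt rather than a routine address change; arpwatch mails each such report so the timing is visible.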
o flow-tools  flow-tools is a collection of tools that capture, process and manage NetFlow exports from Cisco routers.

o icmpinfo  icmpinfo is a small tool that monitors and decodes ICMP messages. It can aid in debugging some network problems.

o IPA  IPA is a flexible general-purpose accounting system. It supports static and dynamic rules, limits, sublimits and thresholds. It works with external accounting, database and statistics modules.

o ipac-ng  ipac is a package designed to gather, summarize and nicely output IP accounting data. It produces summaries and graphs as ASCII text and/or as images.

o ipacct  ipacct is a small Perl script which uses Darren Reed's IP Filter to count traffic on a network and report it into an HTML file suitable for your billing department.

o ipaudit  IPAUDIT listens to a network device in promiscuous mode and records every 'connection', i.e. each conversation between two IP addresses. A unique connection is determined by the IP addresses of the two machines, the protocol used between them and the port numbers (if they are communicating via UDP or TCP).

o ipfm  IP Flow Meter is a bandwidth analysis tool that measures how much bandwidth specified hosts use on their Internet link.

o iplog  iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. iplog's capabilities include the ability to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags (used by scanners to detect the operating system in use), TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks.

o ippl  ippl is a daemon which logs IP packets sent to a computer. It runs in the background and displays information about the incoming packets. Criteria can be used to specify what packets should be logged and what packets should be ignored.

o iptraf  IPTraf is a console-based network monitoring program for Linux that displays information about IP traffic. This program can be used to determine the type of traffic on your network, and what kind of service is the most heavily used on which machines, among other things.

o karpski  K.ARP.SKI (karpski) is an ethernet protocol analyzer / sniffer. Its abilities as a sniffer or scanner are limited, but it is much easier to use than other popular sniffers such as tcpdump. In addition, there is a protocol definition file to which other protocols can be added. Karpski may also be used to launch programs against addresses on your local network and as a local network intrusion tool.

o mrtg  The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic.

o Nagios  Nagios(R) is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external "plugins" which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.

o NeTraMet  NeTraMet is an implementation of the Internet Accounting Architecture (RFC 2063 and RFC 2064).

o NetSaint  NetSaint is a host/service/network monitoring program. CGI programs are included to allow you to view the current status, history, etc. via a web interface if you so desire.

o netwatch  Netwatch allows a user (superuser) to monitor an Ethernet and examine activity on the network.

o nistnet  The NIST Net network emulator is a general-purpose tool for emulating performance dynamics in IP networks. The tool is designed to allow controlled, reproducible experiments with network performance sensitive/adaptive applications and control protocols in a simple laboratory setting. By operating at the IP level, NIST Net can emulate the critical end-to-end performance characteristics imposed by various wide area network situations (e.g., congestion loss) or by various underlying subnetwork technologies (e.g., asymmetric bandwidth situations of xDSL and cable modems).

o nocol  NOCOL/SNIPS (Network Operation Center On-Line) is a network monitoring package that runs on Unix platforms and is capable of monitoring network and system variables such as ICMP or RPC reachability, RMON variables, nameservers, ethernet load, port reachability, host performance, SNMP traps, modem line usage, AppleTalk & Novell routes/services, BGP peers, syslog files, etc.

o nomad  Nomad is a network mapping program designed to automatically discover a local network, using SNMP to identify network devices and work out how they are physically connected together. The network is then presented as a topology diagram with simple integrated monitoring. Changes in the network are reflected in the diagram, which continuously updates, and you can customise your own views of the network map with various views and filters.

o ntop  ntop is a tool that shows the network usage, similar to what the popular top Unix command does. ntop is based on pcapture and has been written in a portable way in order to run on virtually every Unix platform.

o oproute  oproute is a generalised network performance analysis tool.

o perro  Perro is a set of three daemons that log the IP/TCP, IP/UDP and IP/ICMP packets arriving at your Linux box. It also handles and logs IP options, so that packets carrying IP options cannot be used to slip past the logger.

o pfflowd  OpenBSD's PF stateful packet filter will count bytes and packets for flows it tracks statefully. PF also contains a mechanism (pfsync) which allows realtime reporting of state expiry. pfflowd listens for these state expiry messages and converts them to NetFlow datagrams.

o pingsting  pingsting is an application that monitors networks for ICMP Echo Requests and attempts to determine what application generated the ICMP packets.

o RRD Tool  If you know MRTG, you can think of RRDtool as a reimplementation of MRTG's graphing and logging features, orders of magnitude faster and more flexible. RRD is the acronym for Round Robin Database. RRD is a system to store and display time-series data (e.g. network bandwidth, machine-room temperature, server load average). It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data to enforce a certain data density. It can be used either via simple wrapper scripts (from shell or Perl) or via frontends that poll network devices and put a friendly user interface on it.

o scanlogd  scanlogd is a tool to detect and log port scans.

o Sentinel  The Sentinel project is designed to be a portable, accurate implementation of all publicly known promiscuous-mode detection techniques. Sentinel currently supports 3 methods of remote promiscuous detection: the DNS test, the Etherping test, and the ARP test. Support for the ICMP ping latency test is under development.

o Softflowd  Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow to a collecting host or summarised within softflowd itself.

o tcp_wrappers  The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.

o tcpspy  tcpspy is an administrator's tool that logs information about selected incoming and outgoing TCP/IP connections (username, local and remote addresses, and executable filename). Connections are selected for logging with rules similar to the filter expressions accepted by tcpdump and other libpcap-based applications (tcpspy does not, however, use libpcap). tcpspy is currently available only for the Linux operating system.

o trafshow  trafshow is a full-screen network traffic monitor.

o xinetd  xinetd is a secure and more fully-featured replacement for inetd.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any available "-README.txt" files.)
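Several entries in this list (ipaudit, softflowd, pfflowd, flow-tools) revolve around the same two ideas: grouping packets into a flow keyed by the two IP addresses, the protocol and the two ports, and shipping those flows around as NetFlow datagrams. The following Python is an added example and not code from any of those projects: it keeps a semi-stateful flow table keyed the way ipaudit defines a connection, exports it as a NetFlow v5 datagram (one record per direction, as NetFlow records are unidirectional), and parses the datagram back the way a collector would, refusing a packet whose length disagrees with its record count. The packet tuples are constructed; using packet time for the First/Last fields instead of router uptime is a simplification of this example.

```python
"""Added example: bidirectional flow table plus NetFlow v5 export/parse.
Not the code of ipaudit, softflowd, pfflowd or flow-tools."""

import ipaddress
import struct
from collections import OrderedDict

# NetFlow v5 wire layout: 24-byte header followed by 48-byte records, big-endian.
V5_HEADER = "!HHIIIIBBH"  # version, count, sysuptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in, out, dPkts, dOctets, First, Last, sport, dport,
                                        # pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2


def flow_key(src, sport, dst, dport, proto):
    """Canonical key (lexically smaller endpoint first) so both directions of a
    conversation land in one entry; this is ipaudit's notion of a connection."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


class FlowTable:
    """Semi-stateful flow cache: per conversation, counters for each direction."""

    def __init__(self):
        self.flows = OrderedDict()

    def add_packet(self, ts, src, sport, dst, dport, proto, length, tcp_flags=0):
        key = flow_key(src, sport, dst, dport, proto)
        forward = (src, sport) == (key[0], key[1])
        flow = self.flows.get(key)
        if flow is None:
            # per direction: [packets, octets, OR of TCP flags seen]
            flow = {"first": ts, "last": ts, "dirs": {True: [0, 0, 0], False: [0, 0, 0]}}
            self.flows[key] = flow
        flow["last"] = ts
        counters = flow["dirs"][forward]
        counters[0] += 1
        counters[1] += length
        counters[2] |= tcp_flags
        return key


def export_v5(table, sysuptime_ms, unix_secs, sequence=0):
    """Pack the table as one v5 datagram, one record per direction that carried
    traffic. First/Last use packet time in ms (example simplification)."""
    records = []
    for (a_ip, a_port, b_ip, b_port, proto), flow in table.flows.items():
        for forward, (pkts, octets, flags) in flow["dirs"].items():
            if pkts == 0:
                continue
            src, sport, dst, dport = (a_ip, a_port, b_ip, b_port) if forward else (b_ip, b_port, a_ip, a_port)
            records.append(struct.pack(
                V5_RECORD,
                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                0, 0, pkts, octets, int(flow["first"] * 1000), int(flow["last"] * 1000),
                sport, dport, 0, flags, proto, 0, 0, 0, 0, 0, 0))
    header = struct.pack(V5_HEADER, 5, len(records), sysuptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    return header + b"".join(records)


def parse_v5(datagram):
    """Collector side. The count field arrives in an unauthenticated UDP packet,
    so the datagram length is checked against it before any record is read."""
    if len(datagram) < 24:
        raise ValueError("datagram shorter than a v5 header")
    header = struct.unpack_from(V5_HEADER, datagram, 0)
    version, count = header[0], header[1]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) != 24 + 48 * count:
        raise ValueError("length %d does not match record count %d" % (len(datagram), count))
    records = []
    for i in range(count):
        r = struct.unpack_from(V5_RECORD, datagram, 24 + 48 * i)
        records.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                        "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                        "tcp_flags": r[12], "proto": r[13]})
    return header, records


SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
# Constructed packets: (ts, src, sport, dst, dport, proto, length, tcp_flags)
PACKETS = [
    (0.900, "10.0.0.5", 53001, "10.0.0.2", 53, 17, 70, 0),
    (0.910, "10.0.0.2", 53, "10.0.0.5", 53001, 17, 120, 0),
    (1.000, "10.0.0.5", 40000, "93.184.216.34", 80, 6, 60, SYN),
    (1.020, "93.184.216.34", 80, "10.0.0.5", 40000, 6, 60, SYN | ACK),
    (1.021, "10.0.0.5", 40000, "93.184.216.34", 80, 6, 52, ACK),
    (1.022, "10.0.0.5", 40000, "93.184.216.34", 80, 6, 300, PSH | ACK),
    (1.050, "93.184.216.34", 80, "10.0.0.5", 40000, 6, 1500, PSH | ACK),
    (1.051, "93.184.216.34", 80, "10.0.0.5", 40000, 6, 52, FIN | ACK),
]


def build_table(packets):
    table = FlowTable()
    for pkt in packets:
        table.add_packet(*pkt)
    return table


if __name__ == "__main__":
    datagram = export_v5(build_table(PACKETS), sysuptime_ms=5000, unix_secs=1700000000)
    for record in parse_v5(datagram)[1]:
        print(record)
```

The OR of TCP flags per direction is what makes flow data useful for security work even without payload: a flow whose only flag is SYN with one packet and no reverse direction is a connection attempt that never completed, which is the shape a SYN scan leaves in a collector.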
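The iplog entry names the scan types it detects by their flag patterns (null, FIN, Xmas, SYN, bogus flag combinations) and scanlogd watches for port scans in general. As an added example, not iplog's or scanlogd's code, the following Python classifies TCP probes by flag combination using those names and reports a source once it has touched too many distinct ports inside a short window. The window and port thresholds are this example's own values, not scanlogd's defaults, and the probe tuples are constructed.

```python
"""Added example: flag-based probe classification and windowed port-scan
detection. Not the code of iplog or scanlogd; thresholds are illustrative."""

from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name a TCP segment by its flag combination, using the scan names iplog lists."""
    if flags == 0:
        return "null"          # no flags at all: null scan
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & (SYN | ACK | RST):
        return "xmas"          # FIN+PSH+URG lit up: Xmas scan
    if flags == FIN:
        return "fin"           # lone FIN: FIN scan
    if flags & SYN and flags & (FIN | RST):
        return "bogus"         # SYN with FIN or RST never occurs legitimately (OS fingerprint probe)
    if flags & SYN and not flags & ACK:
        return "syn"           # connection attempt, or SYN scan when repeated across ports
    return "other"             # traffic of an established connection


class ScanDetector:
    """Report a source once it has probed max_ports distinct ports within window
    seconds. Timestamps are assumed to arrive in order."""

    def __init__(self, window=3.0, max_ports=7):
        self.window = window
        self.max_ports = max_ports
        self.history = defaultdict(list)   # src -> [(ts, dport), ...]
        self.reported = set()

    def feed(self, ts, src, dport, flags):
        kind = classify_probe(flags)
        events = []
        if kind in ("null", "fin", "xmas", "bogus"):
            events.append(("stealth-probe", kind, src, dport))   # logged individually, as iplog does
        if kind != "other":                                      # only connection attempts count toward a scan
            hist = self.history[src]
            hist.append((ts, dport))
            while hist and ts - hist[0][0] > self.window:
                hist.pop(0)                                      # slide the window
            ports = {port for _, port in hist}
            if len(ports) >= self.max_ports and src not in self.reported:
                self.reported.add(src)                           # one report per source, not per packet
                events.append(("port-scan", kind, src, len(ports)))
        return events


def run(probes, **kwargs):
    """Feed (ts, src, dport, flags) tuples in order; return every event raised."""
    detector = ScanDetector(**kwargs)
    events = []
    for ts, src, dport, flags in probes:
        events.extend(detector.feed(ts, src, dport, flags))
    return events


# Constructed sample: a normal client, a SYN sweep over ten ports, and an
# Xmas/null prober hitting a single port.
PROBES = [
    (0.00, "10.0.0.5", 22, SYN),
    (0.50, "10.0.0.5", 443, SYN),
    (0.60, "10.0.0.5", 443, ACK),
] + [
    (1.0 + i * 0.05, "203.0.113.9", port, SYN)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 993, 3306])
] + [
    (2.00, "198.51.100.4", 80, FIN | PSH | URG),
    (2.10, "198.51.100.4", 80, 0),
]

if __name__ == "__main__":
    for event in run(PROBES):
        print(*event)
```

Reporting once per source rather than once per packet matters in practice: a logger that emits a line for every probe of a thousand-port sweep is itself a way for the scanner to fill the disk or drown other alerts.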