Hey to all, best wishes for the new year to everybody.
@Pippo did you find a solution to your problem?
I just found this topic as I'm in search also for a way to monitor all the traffic for my home network.
I also found the TEE topic you posted in an earlier post what I did and work for every device in the network even for Wi-Fi connected devices ( ex. mobile phones )
was to put in the <TEST_DEVICE_IP_ADDRESS> the ip of my router.
so let's say for example my router has an ip of 192.168.1.1 and the dedicated wireshark device has an ip of 192.168.1.30 then the command would be.
iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.1.1 -j TEE --gateway 192.168.1.30
iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.1.1 -j TEE --gateway 192.168.1.30
Then only think you have to do is to open wireshark and start to monitor based on the device you like with the above command. ex. a network device with ip 192.168.1.55
(ip.src == 192.168.1.55) || (ip.dst == 192.168.1.55)
Now I also have questions regarding this matter.
First of all, which command should I run in order to save those two iptables commands and survive after a reboot?
I tried iptables-save but after a reboot I must again run those commands in order to be able to capture with wireshark.
Is there a better way to do this?
For example.
I read about softflowd /nfsen combination but I cannot understand how to set it up.
Basically what I'm trying to figure out is, if there is a way to be able to monitor all the traffic of my WAN.
and to be able to access it from a web interface with nice graphs, also it would be awesome if from there I could do a check/block of the ip that I don't like.
To be honest, I can't understand how a package that will give a fully customizable fw3/iptables ui in luci with all the info that we need from the router without the need of seperate packages/wireshark app etc does not exist already.
Hi all. Is there any way to implement monitoring using a flow daemon and a subsample of packets? I have very high bandwidth and don't want to dedicate much CPU, so I'd like to sample randomly say 1% of packets and still analyze the flows so that I can go back and look at patterns like when bandwidth is used, how much, what the dscp tags were, etc. It's fine if I miss some small flows entirely.
I mean I want to send randomly only 2/100 packets to softflowd. I have gigabit fiber so I imagine sending all packets to softflowd would be intensive. Certainly running ntopng on my router dropped my speed to about 200Mbps so if I have an issue I engage it but can't run it all the time. perhaps softflowd is less intensive though?
Gotcha! now I understand. Don't really have a device that's always on and particularly capable so maybe I'll double-purpose the new espressobin which I'm setting up as the hot-spare router for when I break the main router or the power goes out and I need something that can last multiple hours on UPS.
A while ago I tried Tee on my glinet ar150 modified with a second usb WiFi adapter using relayd.
Don’t remember the settings I used but was kind on faulty like wireshark wasn’t picking up all the packets ! I didn’t investigate more think I assumed it was about not enough computing power of the device. Maybe I was trying to forward br-lan traffic to Ethernet cable, while second antenna was in wireless-client mode or was the built-in one I don’t remember. Need to say that the second adapter was plugged into a usb hub (powered one) toghether with a usb memory stick and a third antenna but I believe this one was off. Sorry can’t help more; locked away my router related stuff for holyday and still in the cupboard.
I tried running softflowd on my x86 router, and during a dslreports speedtest ~ 600Mbps it used about 1 full core and completely destroyed my QoS. Is there a way to set it to sub-sample the packets randomly? Like for example 1/20 of the packets. That'd probably be totally acceptable.
I want to monitor the router traffic on another machine as well. This machine is running v3.8.1 of the community version of ntopng. Since you need a pay license for nprobe now, I just used the iptable rules of
iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.1.189 -j TEE --gateway 192.168.1.189
iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.1.189 -j TEE --gateway 192.168.1.189
(were .189 is the ntop vm) to forward copies of data to this machine. This works great, except, on my WRT1900AC my throughput drops from 38MB download to around 18MB down, and (sometimes worse). My question is, is it supposed to cause such a large impact? Is there any way to make it better? Would softflowd work better? And if it did, how do you get it to ntopng without nprobe?)? I actually tried nfsen but did not find any prebuilt packages and trying to build/make it always failed. I like ntop better anyways and would love if there was a way to 'make it work'
if you mean mirror on a port on the router switch, the problem with that is the router and the esxi server are on opposite ends of the house, it would be very difficult, (which is why I opted for iptables). But searching online, lots of articles talk about iptables/mangle/TEE for this purpose, but no one mentions an impact on throughput, I am partly wondering if what I am experiencing is "normal" ?
Looking at articles like https://wiki.mikejung.biz/Sysctl_tweaks something like net.core.netdev_max_backlog sounds interesting? or anything like net.core.somaxconn? Does anyone have any suggestions? I'm curious where I can look to see what is happening (why the throughput is dropping (dropped packets cause of backlog etc?) )
iptables-tee copys the hole packet and modifies a part hence the (high) resource consumption.
the mentioned solutions try to only extract the relevant bits.
there are multiple encapsulation methods available to solve this, vlans probably beeing the most common, but unneeded if you opt for something like netflow or pcap based.
afaik these only affect localy terminated (not routed) connections.
I initially dropped it to only tcp, and now trying to use limits. Something I noticed, if the 192.168.1.189 machine is off, there is no download delay; does that suggest that the router can handle copying/manipulation of the packets and its a problem on the ntop machine, OR, does it drop/not do the work if it knows it can't get to --gateway 192.168.1.189?
Doesn't the replication of the traffic to port/vlan create about the same amount of work for the router?
When the rules are in place, and downloading CPU1 is only 80% and CPU2 is 40%, what is the limiting/bottleneck piece (network I/O)? There seems to be CPU room and memory is about 130Megs free? With the rules in place, the download starts pretty high, (high 20's) but then starts to fall, like it can't keep up with the workload but I'm not sure what can't keep up?
Finally ... has anyone used these commands and NOT had any throughput problems?
Update: probably will change to hashlimit (testing...)
Thanks.
iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.1.189 -p tcp -m limit --limit 5/second -j TEE --gateway 192.168.1.189
iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.1.189 -p tcp -m limit --limit 5/second -j TEE --gateway 192.168.1.189
Just as a final update, (incase it helps anyone else), I seem to have it working (by basically dropping the packets to the copy server (nTop) when the count from a given source is high). The numbers might not be ideal, and need tweaking, but the principle seems to work.
so if I have an issue I engage it but can't run it all the time. perhaps softflowd is less intensive though?
can’t help more; locked away my router related stuff for holyday and still in the cupboard.