Network monitoring
Bart Silverstrim
bsilver at chrononomicon.com
Mon Jul 28 15:43:25 UTC 2008
Dan Farrell wrote:
> On Sun, 27 Jul 2008 19:49:49 -0400
> Bart Silverstrim <bsilver at chrononomicon.com> wrote:
>
>> Does anyone here have a program, preference, configuration,
>> recommendation...etc...for monitoring your own network for what
>> machines are connected to it, as in auditing for people that may
>> have connected with unauthorized hardware somewhere or at least log
>> when machines are on the wifi or wired network when that network is
>> too small to have a managed switch or managed WAP?
>>
>
> It depends on the hardware that provides your wifi Access Point and your
> internet router. It's pretty unlikely on a small network that somebody
> could plug a network cable in to your network without your noticing
> it, but wireless network connections are of course much less
> transparent.
>
> For these I would recommend looking into the options your AP gives
> you. If your wireless AP allows you some access, it will probably show
> you the list of wireless devices connected to it. If not, an
> option might be to look at DHCP leases on your DHCP server, but this
> may not be a perfect solution, because uninvited visitors could use a
> static configuration instead.
>
> The fail-safe solution would be to use
> an internet gateway with good reporting (like a linux computer!) that
> can show you the traffic going through your internet connection, where
> it's from, and where it's headed. You can then see if there's any
> traffic you don't expect, and start to track down its source.
>
> I would highly recommend using WPA on your wireless AP so you don't
> have to worry about unauthorized access.
>
> Unfortunately, if your AP doesn't tell you these things, and you can't
> get the information from another piece of hardware between the AP and
> the internet connection, and you aren't on the same collision domain as
> the AP (eg a hub rather than a switch) your only option is probably to
> change your network topology to interpose a better statistics generator
> between potential untrusted network segments and the internet.
This AP does have SNMP (disabled at the moment) and does track
associations made to it; the component I'm kind of missing is polling it
periodically and reporting back to me...perhaps the suggestion of SNMP
might work? I just need help cobbling together scripts to do this if I
do that route, though.
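
Added example (not part of the original post or from either poster): one way to script the periodic poll-and-report idea discussed above, by parsing net-snmp `snmpwalk` output for MAC addresses and comparing each poll against an allowlist and the previous poll. It assumes the AP exposes the standard BRIDGE-MIB forwarding table; the allowlist and the sample walk output are constructed, and the host and community string passed to `poll()` are yours to supply.

```python
import re
import subprocess

# Assumption: the AP exposes the standard BRIDGE-MIB forwarding table
# (dot1dTpFdbAddress); many APs list associations under a vendor OID instead.
FDB_OID = "1.3.6.1.2.1.17.4.3.1.1"
HEX_MAC = re.compile(r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s+){5}[0-9A-Fa-f]{2})\b")

def parse_macs(walk_output):
    """Extract MAC addresses from net-snmp 'Hex-STRING: 00 11 ...' lines."""
    macs = set()
    for line in walk_output.splitlines():
        m = HEX_MAC.search(line)
        if m:
            macs.add(":".join(m.group(1).split()).lower())
    return macs

def compare(current, known, previous):
    """Return (unknown now present, unknown newly appeared, departed)."""
    unknown = current - known
    return sorted(unknown), sorted(unknown - previous), sorted(previous - current)

def poll(host, community):
    """Run snmpwalk against the AP (needs net-snmp installed, SNMP enabled)."""
    out = subprocess.run(
        ["snmpwalk", "-v2c", "-c", community, "-On", host, FDB_OID],
        capture_output=True, text=True, timeout=30, check=True).stdout
    return parse_macs(out)

# Constructed sample of two consecutive polls (not output from a real AP).
POLL_1 = """\
.1.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.17.4.3.1.1.0.17.34.170.187.204 = Hex-STRING: 00 11 22 AA BB CC
"""
POLL_2 = POLL_1 + """\
.1.3.6.1.2.1.17.4.3.1.1.2.0.0.0.0.1 = Hex-STRING: 02 00 00 00 00 01
"""
KNOWN = {"00:11:22:33:44:55", "00:11:22:aa:bb:cc"}  # hypothetical allowlist

def demo():
    first = parse_macs(POLL_1)
    second = parse_macs(POLL_2)
    return compare(first, KNOWN, set()), compare(second, KNOWN, first)

if __name__ == "__main__":
    for unknown, new, gone in demo():
        print("unknown:", unknown, "new:", new, "departed:", gone)
```

To run it periodically, call `poll()` from cron and keep the previous set in a file between runs. A client can change its MAC address, so a poll showing only known addresses is a weak signal rather than proof that nothing unauthorized is connected.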