I am using such an installation for my firewalls, routers, etc., to have an archive with all of its messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step it’s better than nothing. ;)
After my Tcpdump script for storing MAC-IPv6 address bindings via the Duplicate Address Detection messages (link) and an analysis of the realibility of them (here), I had the idea of a Linux script that analyzes the Tcpdump output for obtaining some IPv6 address statistics. It should not show concrete bindings between MAC- and IPv6-addresses, but the number of different kind of IPv6 addresses, such as link-local or global-unicast addresses, built with or without EUI-64, etc.
In the following, I will present my script and will show the results after running it through the DAD logs of a whole month (March 2014) in a BYOD-WLAN with more than 100 clients.
A few weeks ago I published an article in which I proposed a method on how to capture the MAC- to IPv6-address bindings via sniffing and storing IPv6 DAD messages. Though any IPv6 node MUST send these Duplicate Address Detection messages prior to assign the address, I was not fully assured that *really* each new IPv6 address is stored with this Tcpdump sniffer.
That is, over a whole month I captured the DAD messages on a test BYOD-LAN and furthermore the complete IPv6 connection logs of the corresponding firewall. At best, I should have any IPv6 address that made an outbound connection through the firewall in the DAD logfiles. Here are the results:
Eine sehr praktische Variante, möglichst viele Sensoren übers Netzwerk abzufragen ohne dabei viel basteln zu müssen, ist die Ethernetbox von MessPC. Man kann sie zum Beispiel mit mehreren kombinierten Temperatur/Luftfeuchtigkeits-Sensoren bestücken. Die Auswertung erfolgt am besten über ein zentrales Monitoring-System.
Auf der Homepage von MessPC befindet sich zwar eine kleine Dokumentation für die Verwendung von MRTG, allerdings wird dort ein zusätzliches Skript vorgestellt, was dank der Verwendung von SNMP ja gar nicht nötig ist. Deswegen poste ich hier mein Template von einem MessPC mit zwei Kombisensoren für Temperatur/Luftfeuchtigkeit, welches für die Verwendung mit MRTG und Routers2 gemäß meiner Installation geeignet ist. Mit nur drei Suchen-und-Ersetzen Durchläufen hat man das Template angepasst.
In the IPv4 world, the DHCP server allocates IPv4 addresses and thereby stores the MAC addresses of the clients. In the IPv6 world, if SLAAC (autoconfiguration) is used, no network or security device per se stores the binding between the MAC (layer 2) and the IPv6 (layer 3) addresses from the clients. That is, a subsequent analysis of network behaviour corresponding to concrete IPv6 addresses and their client machines is not possible anymore.
A simple way to overcome this issue is to install a service that captures Duplicate Address Detection (DAD) messages from all clients on the subnet in order to store the bindings of MAC and IPv6 addresses. This can be done with a small Tcpdump script on a dedicated Ethernet interface of a Linux host.
In this blog post I will present a use case for storing these bindings, the concept of the DAD messages, a Tcpdump script for doing this job, and the disadvantages and alternatives of this method.
I am always interested in capturing real values via hardware devices in order to generate the appropriate graphs with my monitoring system. Of course, the outside temperature in our city was at the pole position for such a project. Therefore I ordered a few temperature/humidity sensors from PCsensor (via eBay), plugged them via USB on my Raspberry Pi (Raspbian Linux), and queried them via SNMP from my MRTG/Routers2 monitoring server. Here is the whole story:
Natürlich wollte ich auch Statistiken von der FRITZ!Box in meiner MRTG/Routers2-basierten Monitoring Umgebung haben. Glücklicherweise habe ich ein Tool namens upnp2mrtg gefunden, welches exakt das macht, nämlich die Interface-Statistik des WAN Ports der FRITZ!Box über UPnP abzufragen und für MRTG aufzubereiten. Sehr einfach zu benutzen. Hier also eine Anleitung mit einigen zusätzlichen Hinweisen.
This post describes how to add a Linux machine to the MRTG/Routers2 monitoring server. First, the host must be able to process SNMP requests. Then, a *.cfg file for MRTG/Routers2 is created by running the “cfgmaker” tool with a host-template. Since a few values are wrong in the cfgmaker file, I also explain how to correct them. Finally, I am adding the mrtg-ping-probe lines to the configuration.
I was interested in generating graphs within the MRTG/Routers2 monitoring system that display the number of hops for an IP connection through the Internet. In my opinion its interesting to see the different routing run times/hop counts e.g. for remote offices that are connected via dynamic ISP connections such as DSL. Therefore, I wrote a small script that executes a traceroute command which can be called from MRTG.
MRTG can also evaluate values from external scripts such as the “mrtg-ping-probe” program which returns the round-trip time from the initiated ping command to the specified destination host. With an additional GraphStyle called “range” from Routers2, these ping times can be displayed in the monitoring system. This graph style shows the “min” and “max” RTT in one vertical line instead of two independent lines.
Since there is not much to say about this process, I will only paste my MRTG/Routers2 config for mrtg-ping-probe and will show a few example graphs here.
The Multi Router Traffic Grapher (MRTG) can, of course, not only monitor routers via SNMP, but any devices that support the Simple Network Management Protocol, e.g., switches. With the tool “cfgmaker” it is quite easy to add switches with many ports to the monitoring system. However, some subsequent work is needed to have a clean configuration. This blog post presents a step-by-step guide for adding a switch into MRTG/Routers2.
This post shortly explains the process of adding a Cisco router into the monitoring system “MRTG with Routers2” as I explained it here. It gives an example on how SNMP is activated on the router and how the *.cfg file for MRTG/Routers2 is created with the additional values for CPU and memory usage.
I always wanted to monitor my private network with an open source tool. Since I knew some nice statistics, e.g. from the DE-CIX (printed with RRDtool) or from the Uni-Gießen (generated with MRTG), I had the idea of installing such a system by myself. Luckily I found a book from Steve Shipway, called “Using MRTG with RRDtool and Routers2“, which actually disappointed me because it did not offer a complete installation guide but mainly further information about fine-tuning the appropriate tools.
Therefore, I want to show a complete step-by-step installation of all the needed tools in order to monitor a network with MRTG, RRDtool and Routers2. “From scratch” means that there are no prerequisite to this installation guide except a plain Linux server (in my case a Ubuntu Linux) such as presented here. Okay, let’s go: Continue reading MRTG with RRDtool and Routers2 – Installation from Scratch