How to monitor and log traffic from /to user

Posted: August 11th, 2017, 12:31 pm
by kamilk
Hi,
how can I monitor and log traffic from my local user to WAN networks and from the WAN to my local user?
When I am an ISP I must log traffic from my local network to the Internet, and I must know that person x was connected to server x on date. How can I do it?

Re: How to monitor and log traffic from /to user

Posted: August 11th, 2017, 8:37 pm
by ummeegge
Hi kamilk ,
The German Federal Constitutional Court will decide in the main trial whether the so-called "Vorratsdatenspeicherung" is legal in terms of German law, even though it is active until then --> https://netzpolitik.org/2017/bundesverf ... en-urteil/ . My opinion of an Internet Service Provider is that it should provide the internet as a service to me and not analyse my user activity.
<--> If you are not an ISP but want to do that in your company, you should also be informed about the law specifics in that matter. Here we have the so-called "Arbeitnehmerdatenschutz", which should prevent permanent logging of user activity --> https://www.datenschutzbeauftragter-inf ... tenschutz/
<--> But if you are a normal user who wants to log and observe his infrastructure, you can find some tools which do not provide NSA capabilities :D but do have some of your requested features, even though the official tools are not for long-term usage...
iptraf-ng --> http://wiki.ipfire.org/en/addons/iptraf-ng/start --> a lot of protocols, filter possibilities, logging; (-) a vast amount of logs after a short period.
iftop --> http://wiki.ipfire.org/en/addons/iftop/start --> which is currently out in Core112 but should come again with Core113 I think; no logging, only a realtime overview.
Unofficial tools are more findable in here I think:
pmacct --> viewtopic.php?t=14849 . History is possible over databases such as MySQL.
Nfsen, Nfacct --> viewtopic.php?t=19022 . History is also possible over pcap files, no DB needed.
A lightweight solution, and maybe technically also the way ISPs go, is to collect only the data and send it to another machine, e.g.:
softflowd or fprobe --> http://people.ipfire.org/~ummeegge/Netf ... _analyzer/ , or a flow-based network traffic analyser which captures the "Netflows" and sends them to a dedicated machine which does nothing else than correlate, analyze and process them, but also displays some nice/wanted visuals. For regular users ELK --> https://logz.io/learn/complete-guide-elk-stack/ --> https://forum.ipfire.org/viewtopic.php? ... 86#p109986 or SPLUNK --> https://www.splunk.com/ or even a SIEM, OSSIM --> https://www.alienvault.com/products/ossim --> https://forum.ipfire.org/viewtopic.php?f=50&t=15597 might be a solution too, so it clearly depends on what you want to do with this data and for what purposes you want to collect it.
nDPI --> viewtopic.php?t=18372 . Which is a kind of backend for ntopng, which is currently not available in that thread, but as I have seen nDPI should provide an ndpiReader which is currently only for testing purposes but also does stuff like this.

Long story short, I think IPFire lacks a little there in terms of a nice in-between solution.

Greetings,

UE

Re: How to monitor and log traffic from /to user

Posted: August 12th, 2017, 11:43 am
by Hellfire
Huh! Nothing to do at the moment? ;) Are you bored at the moment :P

I was tempted to press the "Report this post" button 'cause I thought: again such a bloody spammer, but fortunately I read on and discovered lots and lots of information between the lines ^^

Thanks for the extensive info!

Thanks,
Michael

Re: How to monitor and log traffic from /to user

Posted: August 12th, 2017, 1:53 pm
by ummeegge
Hello hello,
Hellfire wrote:
August 12th, 2017, 11:43 am
Huh! Nothing to do at the moment
Indeed, and what do I do then? Move from one screen to the next :-X .
Hellfire wrote:
August 12th, 2017, 11:43 am
Are you bored at the moment :P
The "Community Developer" project work and the community-developed topics and their testing results in here leave a lot of time in space :D .
Hellfire wrote:
August 12th, 2017, 11:43 am
I was tempted to press the "Report this post" button 'cause I thought: again such a bloody spammer,
Well done, more eyes see more than fewer ;) .
Hellfire wrote:
August 12th, 2017, 11:43 am
but fortunately I read on and discovered lots and lots of information between the lines ^^

Thanks for the extensive info!
You're welcome.

Greetings,

UE

Re: How to monitor and log traffic from /to user

Posted: August 16th, 2017, 12:59 pm
by kamilk
OK, thanks for your answers, but maybe I can log these connections when I use iptables rules with state NEW?
I must log every connection in the background.

Re: How to monitor and log traffic from /to user

Posted: August 18th, 2017, 10:26 am
by ummeegge
Hi,
IPTables is surely also a possibility besides all the things already mentioned; it depends on what you want to do with that data and therefore what kind of structure you need.

UE
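Added example, not from the thread or from IPFire: kamilk's idea of logging with an iptables rule matching state NEW produces one kernel log line per new connection, and this script turns such lines into records that answer "which local host connected to server x, and when". It assumes a LOG rule of the form `iptables -I FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_CONN "` and IPFire's interface naming (green0 = LAN, red0 = WAN); the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed kernel log lines, shaped like the output of the assumed LOG rule
#   iptables -I FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_CONN "
# green0 is assumed to be the LAN side, red0 the WAN side (IPFire convention).
SAMPLE_LOG = """\
Aug 16 12:59:01 fw kernel: NEW_CONN IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
Aug 16 12:59:05 fw kernel: NEW_CONN IN=green0 OUT=red0 SRC=192.168.1.23 DST=198.51.100.7 LEN=76 TTL=63 ID=4321 PROTO=UDP SPT=40001 DPT=53 LEN=56
Aug 16 12:59:09 fw kernel: NEW_CONN IN=red0 OUT=green0 SRC=203.0.113.99 DST=192.168.1.50 LEN=60 TTL=51 ID=7 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
Aug 16 12:59:10 fw kernel: unrelated message that must be ignored
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: NEW_CONN (?P<body>.*)$")

def parse_log(text):
    """Return one record per logged new connection: timestamp, direction, endpoints."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a NEW_CONN line (other kernel messages share the log)
        fields = {}
        for tok in m.group("body").split():
            if "=" in tok:                 # bare flags such as DF or SYN carry no value
                k, v = tok.split("=", 1)
                fields.setdefault(k, v)    # keep the IP LEN=, not the trailing UDP LEN=
        # A connection that entered on the LAN interface is outbound (local -> WAN).
        direction = "out" if fields.get("IN", "").startswith("green") else "in"
        records.append({
            "time": m.group("ts"),
            "direction": direction,
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,
        })
    return records

def who_connected_to(records, server):
    """The thread's question: which local host opened a connection to `server`, and when."""
    return [(r["src"], r["time"]) for r in records
            if r["dst"] == server and r["direction"] == "out"]

def connections_per_host(records):
    """Count outbound new connections per local source address."""
    return Counter(r["src"] for r in records if r["direction"] == "out")

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(who_connected_to(recs, "203.0.113.10"))
```

Syslog timestamps carry no year, so the records keep the timestamp as text; a long-term store (the databases or flow collectors mentioned above) should add the year when the line is ingested.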