Monitoring problems...


I was asked by the powers that be to set up some monitoring of our workplace's internet traffic. Basically a breakdown of the volume used and what protocol is using it, i.e. 20% mail, 30% web, 10% ftp, etc.

I have installed an RH9 box and connected it to a hub that also has the internal interface of our router and the connection to our internal network. By my understanding this is the spot to "sniff" all traffic entering or leaving the internal network.

On the box I have iptables running using the following:

iptables -A INPUT -j LOG --log-level 7 --log-prefix '[MONITOR]'

I have also altered the syslog to send kern.* to a new log file.


Now all this seems to be working (sort of). If I compare the log to a tcpdump output, the log is only capturing about 5%. On looking closer, the log is only logging local and broadcast traffic. It is not recording any traffic from other hosts going out. Perhaps I am using the wrong tool for the job or am just missing a step, something easy. Any help is greatly appreciated.

Oh, I also tried setting the interface on the RH box via:

ifconfig eth0 promisc

This seemed to increase the amount of traffic logged, but makes all traffic appear to be for the local machine.


Thanks in advance.
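As an added example (this is not code from the original post): a small Python script that produces the per-service breakdown the poster was asked for, reading the [MONITOR] lines out of the kern.* file and summing the LEN= field (IP total length) per service. The port-to-service table, the log path and the sample log lines are assumptions constructed here, not taken from the post. One caveat worth knowing before trusting the numbers: netfilter's INPUT chain only sees packets the kernel delivers to the local host, so with the rule above the log contains only local and broadcast traffic, exactly as observed; the script totals whatever reaches the log and cannot add back what the rule never saw.

```python
"""Break down netfilter LOG output by service, as the original post set out to do.

Reads syslog lines produced by `iptables -j LOG --log-prefix '[MONITOR]'`
(kern.* redirected to its own file), sums LEN= per service and reports the
share of bytes.  Only lines carrying the prefix are counted; other kernel
messages that share the file are ignored.
"""
import re
import sys
from collections import defaultdict

LOG_PREFIX = "[MONITOR]"

# Well-known ports mapped to the buckets the post asks for (mail, web, ftp, ...).
# Assumption: this table is ours; the original post names no port mapping.
PORT_CLASS = {
    20: "ftp", 21: "ftp",
    25: "mail", 110: "mail", 143: "mail",
    53: "dns",
    80: "web", 443: "web",
}

KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample of what the kern.* file looks like (not real captured data).
# Note the prefix has no trailing space, so it is glued to IN=... in the log.
SAMPLE_LOG = """\
Mar 10 09:00:01 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.20 DST=10.1.1.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 10 09:00:01 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.1.1 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=16384 RES=0x00 ACK URGP=0
Mar 10 09:00:02 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.21 DST=10.1.1.2 LEN=500 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 10 09:00:02 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.22 DST=10.1.1.3 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40002 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 10 09:00:02 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.20 DST=10.1.1.4 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=1025 DPT=53 LEN=60
Mar 10 09:00:03 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.20 DST=10.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 10 09:00:03 mon kernel: [MONITOR]IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.23 DST=10.1.1.5 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 10 09:00:03 mon kernel: eth0: Setting promiscuous mode.
Mar 10 09:00:04 mon kernel: [MONITOR]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.5 DST=192.168.1.255
"""


def parse_log_line(line):
    """Return the KEY=value fields of one netfilter LOG line, or None if the
    line does not carry our prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # Fields start right after the prefix; tokenise only that part so the
    # syslog timestamp/hostname do not end up in the dictionary.
    return dict(KV_RE.findall(line[idx + len(LOG_PREFIX):]))


def classify(fields):
    """Map one logged packet to a service bucket.  On a hub both directions are
    seen, so check the destination port first, then the source port (the reply)."""
    proto = fields.get("PROTO", "").upper()
    if proto == "ICMP":
        return "icmp"
    if proto in ("TCP", "UDP"):
        for key in ("DPT", "SPT"):
            port = fields.get(key, "")
            if port.isdigit() and int(port) in PORT_CLASS:
                return PORT_CLASS[int(port)]
    return "other"


def summarize(lines):
    """Sum the first LEN= (IP total length) per bucket.
    Returns (bytes_by_class, total_bytes).  Lines without a usable LEN=
    (e.g. truncated by syslog) are skipped rather than counted as zero."""
    by_class = defaultdict(int)
    total = 0
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        # dict() keeps the last LEN= (UDP logs a second one for the UDP header),
        # so re-scan for the first occurrence, which is the IP total length.
        m = re.search(r"\bLEN=(\d+)", line)
        if not m:
            continue
        n = int(m.group(1))
        by_class[classify(fields)] += n
        total += n
    return dict(by_class), total


def percentages(by_class, total):
    """Convert byte counts to percent of total, one decimal place."""
    if total == 0:
        return {}
    return {k: round(100.0 * v / total, 1) for k, v in by_class.items()}


if __name__ == "__main__":
    # Usage: python3 protobreakdown.py /var/log/monitor.log   (path is an assumption;
    # with no argument the constructed sample above is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    counts, total = summarize(lines)
    for name, pct in sorted(percentages(counts, total).items(), key=lambda kv: -kv[1]):
        print(f"{name:6s} {counts[name]:10d} bytes {pct:6.1f}%")
```

Point it at the file syslog writes kern.* to and it prints bytes and percent per bucket. The classification is deliberately crude (destination port, then source port, then "other"), which is enough for a volume breakdown but will mislabel anything running on a non-standard port.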

