DIY traffic analysis with Linux

By Bob Currier, ZDNet
18 January 2001 08:43 AM
Tags: linux, bandwidth, traffic, network, megabit, analysis, port, card
Users straining your network bandwidth? ZDNet shows you how to build your own Linux-based network traffic analysis system.

Over the past several months we've watched the Internet bandwidth consumption on our university network jump from an average of 55 megabits/second to more than 150 megabits/second. The biggest spike in usage occurred at the end of August and the beginning of September. Care to take a guess as to what caused the bandwidth barrage? Yup -- students returning from summer vacation and taking advantage of their blazingly fast dormitory Ethernet ports.

A brief description of our residential network: We have 40 buildings with at least one full-duplex Fast Ethernet uplink and approximately 6,500 10/100 megabit/second ports. The residential backbone is full-duplex Gigabit Ethernet. That sounds great, but if you do the math you see that the potential for overload is enormous: 6,500 ports x 100Mbps = 650 gigabits/second of possible demand. We needed to get a grip on the surge in bandwidth as quickly as possible.

Fortunately, we had recently installed a home-brewed intrusion detection system that used optical splitters, allowing us to passively tap into the network without stressing our routers by turning on port mirroring. Each splitter has two output ports, so we were able to leave the intrusion detection system in place and feed the second output to a new traffic analysis tool.

While there are several commercial traffic analysis products on the market (such as Shomiti Systems' Surveyor), they were priced well above our budget. We elected to go with an open source application for Linux called Iptraf. Iptraf version 2.3.1 gives network managers a console-based network statistics utility that is easy to install, a snap to use, and robust enough to win a permanent place in our network management toolkit.

Build it yourself
To build your own Linux-based traffic analysis system, first get your hands on a decent desktop workstation. We used an HP Pavilion 6630 that came configured with a Celeron 500MHz processor and 64MB of memory. We boosted the memory to 256MB and added a 30GB IDE drive to store logging data. Thirty gigabytes of disk space may seem like overkill, but log files can grow at an incredible rate. Put the extra drive in; you'll thank yourself later.

Choosing the right network interface card is critical. A card that drops packets under load produces statistics you cannot trust, so you need a rock-solid NIC on the monitoring side. We used NetGear's GA-620 Gigabit Ethernet card for our primary monitoring interface and D-Link's DFE-530TX Fast Ethernet card for our management interface.

Next, install the operating system. We selected Red Hat Linux 6.1 because it was fast, stable, and free. Follow the standard installation instructions and bring the system online.

Finish up by configuring the NICs. You don't want your traffic analysis system getting hacked, so don't assign an IP address to the Gigabit Ethernet card: bring it up in promiscuous mode with no address, so it sees every frame from the tap but nothing can be routed to it. Protect the management interface with host-based filtering such as TCP wrappers or ipchains. Keep in mind that TCP wrappers only cover services started through tcpd or linked against libwrap, while ipchains filters in the kernel before any service sees the packet, so treat ipchains as the first line of defence and TCP wrappers as a second.

You should now have a functioning Linux system with two network interface cards.
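The NIC configuration described above, as an added example that is not from the article: it brings the monitoring card up addressless and promiscuous, builds a default-deny ipchains ruleset for the management card, launches Iptraf on the tap, and checks the monitor card's state against ifconfig output. The interface names eth0/eth1, the admin subnet 10.1.1.0/24 and the sample ifconfig text are assumptions or constructed for the example; it prints the commands by default and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the ZDNet article: bring the monitoring NIC up with
# no IP address in promiscuous mode, lock the management NIC down with
# ipchains, and check the monitor NIC's state from ifconfig output.
# Assumptions: eth0 is the management NIC, eth1 the Gigabit monitoring NIC,
# and 10.1.1.0/24 is the admin network allowed to reach sshd. Change to suit.

MON_IF="${MON_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-10.1.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; run as root with DRY_RUN=0 to apply

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Monitoring NIC: address 0.0.0.0 clears any IP, PROMISC makes the driver
# hand up every frame on the tap. Nothing can be routed to this interface.
bring_up_monitor() {
    run ifconfig "$MON_IF" 0.0.0.0 promisc up
}

# Management NIC: default-deny inbound, then allow loopback, replies to our
# own TCP connections (non-SYN), and new SSH connections from the admin net.
# Anything arriving on the monitoring NIC is denied and logged outright.
lock_down_management() {
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$MGMT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$MGMT_IF" -p tcp -y -s "$ADMIN_NET" -d 0.0.0.0/0 22 -j ACCEPT
    run ipchains -A input -i "$MON_IF" -j DENY -l
}

# Start Iptraf's IP traffic monitor on the tap interface (-i iface in 2.x).
start_iptraf() {
    run iptraf -i "$MON_IF"
}

# Read `ifconfig $MON_IF` output on stdin and return 0 only if the interface
# is UP, in PROMISC mode, and has no IPv4 address assigned.
check_monitor_state() {
    _out=$(cat)
    if echo "$_out" | grep -q 'inet addr:'; then
        echo "FAIL: $MON_IF still has an IP address" >&2; return 1
    fi
    if ! echo "$_out" | grep -q ' PROMISC '; then
        echo "FAIL: $MON_IF is not in promiscuous mode" >&2; return 1
    fi
    if ! echo "$_out" | grep -q ' UP '; then
        echo "FAIL: $MON_IF is down" >&2; return 1
    fi
    return 0
}

# Constructed sample of what `ifconfig eth1` prints once configured correctly.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:A0:CC:12:34:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:8831232 errors:0 dropped:0 overruns:0 frame:0'

bring_up_monitor
lock_down_management
printf '%s\n' "$SAMPLE_IFCONFIG" | check_monitor_state && echo "monitor NIC state OK"
start_iptraf
```

On a live box, pipe the real `ifconfig eth1` into check_monitor_state after booting and again after any network script runs, since Red Hat's ifup scripts will happily put an address back on the card. The `dropped:` counter on the RX line is the number to watch for the NIC quality problem mentioned earlier: if it climbs while Iptraf is running, the card or the CPU is not keeping up and the statistics are undercounting.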
