wireshark-users April 2012 archive

Re: [Wireshark-users] Want to monitor a port, count bytes transferred, record who transferred, nothing else

From: Martin Visser <martinvisser99_at_nospam>
Date: Mon Apr 23 2012 - 04:25:13 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

As Seth has said, this is pretty much a perfect match for Netflow or IPFIX
(which is more or less the "New" version of Netflow). You want a netflow
probe to convert seen packet data to netflow records. And then a collector
to grab the netflow records and save them to some form of database. The
collector will normally have a means of displaying the data.

Many high end switches and routers have probe capability, so depending on
your hardware, you might already have this.

If not, the following open-source software may be useful:

ntop has both a probe and a collector that can display the collected data
in various formats. It has a GUI to enable you to drive it.
fprobe is able to capture packets (using libpcap like wireshark) and create
netflow records.
flow-tools is a set of tools that can capture netflow and process it to
produce reports similar to what you require. (It is CLI only.)

Regards, Martin

MartinVisser99@gmail.com

On 23 April 2012 00:59, Seth Hall <seth@icir.org> wrote:

>
> On Apr 20, 2012, at 11:45 AM, Brian Excarnate wrote:
>
> > So my first question is: Is there some other tool that is a better
> choice, and if so which?
>
>
> You could use something that generates netflow records and a netflow
> collector or Argus. You could also give Bro-IDS a try (I'm one of the
> developers). The output you're looking for can be found in our conn logs.
> You can download a binary package from our website too:
> http://www.bro-ids.org/download/#binarypackages
>
> If you're just interested in getting the conn logs, you should be able to run
> (with the appropriate interface):
> sudo bro -i eth0
>
> It will start creating logs in your current working directory.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

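An added illustration of the probe and collector stages described above, written for this archive page and not taken from ntop, fprobe, flow-tools or Bro: it parses constructed IPv4 packets, keys each on the (src, dst, proto, sport, dport) 5-tuple the way a NetFlow probe does, accumulates packet and byte counts per flow, expires idle flows after an assumed 15-second inactivity timeout, and finally rolls the exported records up into bytes sent per source host, which is the "who transferred how much" answer the original poster asked for. All addresses, packet contents and the timeout value are constructed assumptions; like classic NetFlow, flows here are unidirectional, so one TCP session shows up as two records.

```python
"""Minimal NetFlow-style probe + collector for illustration (constructed data only)."""
import socket
import struct

IDLE_TIMEOUT = 15.0  # assumed inactivity timeout, in seconds, before a flow is exported


def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, ip_total_len) from a raw IPv4 packet.

    Ports are only read for TCP (6) and UDP (17); other protocols get 0/0.
    """
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack('!H', pkt[2:4])[0]    # bytes on the wire at L3
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack('!HH', pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport, total_len


def build_ipv4(src, dst, proto, sport, dport, payload_len):
    """Construct a test packet: 20-byte IPv4 header, 4 bytes of L4 ports, zero payload.

    The IP checksum is left as 0; this is constructed input for the parser, not real traffic.
    """
    total_len = 20 + 4 + payload_len
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack('!HH', sport, dport) + b'\x00' * payload_len


class FlowCache:
    """The probe side: active flows keyed on the 5-tuple, exported when idle or flushed."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.active = {}      # 5-tuple -> {'first', 'last', 'packets', 'bytes'}
        self.exported = []    # list of (5-tuple, record), i.e. the "netflow records"

    def add(self, ts, pkt):
        """Account one packet seen at time ts (seconds) to its flow."""
        src, dst, proto, sport, dport, total_len = parse_ipv4(pkt)
        key = (src, dst, proto, sport, dport)
        self.expire(ts)
        rec = self.active.get(key)
        if rec is None:
            rec = {'first': ts, 'last': ts, 'packets': 0, 'bytes': 0}
            self.active[key] = rec
        rec['last'] = ts
        rec['packets'] += 1
        rec['bytes'] += total_len

    def expire(self, now):
        """Export every flow that has been idle longer than the timeout."""
        for key in list(self.active):
            if now - self.active[key]['last'] > self.idle_timeout:
                self.exported.append((key, self.active.pop(key)))

    def flush(self):
        """Export all remaining flows (end of capture) and return every record."""
        for key in list(self.active):
            self.exported.append((key, self.active.pop(key)))
        return self.exported


def bytes_per_host(records):
    """The collector side: collapse flow records to bytes sent by each source address."""
    totals = {}
    for (src, _dst, _proto, _sport, _dport), rec in records:
        totals[src] = totals.get(src, 0) + rec['bytes']
    return totals


def demo():
    """Feed a constructed packet sequence through the cache and return the exported records."""
    cache = FlowCache()
    # Constructed traffic: 10.0.0.5 talks HTTPS to 192.0.2.10, 10.0.0.7 sends one DNS query,
    # then 10.0.0.5 resumes after a 29-second gap, which starts a fresh flow record.
    cache.add(0.0, build_ipv4('10.0.0.5', '192.0.2.10', 6, 51000, 443, 100))
    cache.add(0.5, build_ipv4('192.0.2.10', '10.0.0.5', 6, 443, 51000, 1400))
    cache.add(1.0, build_ipv4('10.0.0.5', '192.0.2.10', 6, 51000, 443, 100))
    cache.add(2.0, build_ipv4('10.0.0.7', '192.0.2.53', 17, 40000, 53, 40))
    cache.add(30.0, build_ipv4('10.0.0.5', '192.0.2.10', 6, 51000, 443, 10))
    return cache.flush()


if __name__ == '__main__':
    records = demo()
    for key, rec in records:
        print(key, rec)
    print(bytes_per_host(records))
```

Swapping `build_ipv4` for packets read from a libpcap interface is the step fprobe performs; writing `exported` somewhere durable and reporting on it is what a collector such as flow-tools does. The idle-timeout check is the part worth getting right in practice: without it a long-lived host pair never produces a record, and with too short a value one transfer is split across many records that the report then has to re-sum.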
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe