Monitoring
Konstantin, 2015-01-21 17:38:35

Is there a ready-made solution for passive monitoring of HTTP traffic under a Unix-like system?

Hello!
Please suggest a tool for passive monitoring of HTTP requests.
There is a weak Unix computer plugged into a switch port to which the network's traffic is mirrored. The task is to collect traffic in promiscuous mode and be able to generate statistics: which sites which users visited, and the traffic volume, both in total and per user.
The computer is weak, and the nature of the task does not involve it working as a proxy, which rules out many options. I have not found a ready-made solution for this, since sniffers collect far too much that is irrelevant; preferably the monitoring would be at the application layer, not fiddling with millions of packets.
I've been working on this problem for a couple of days, and it looks like I'll have to collect the traffic/logs and write a simple parser; if anyone has good advice, I'll be very grateful!
PS I also considered a Windows option and tried Traffic Inspector, but could not get it to work correctly, even though everything was done according to the video on the developer's channel. If there are suitable programs for Windows, I'd be glad to hear of them.
UPD: Thanks for the replies!
All the proposed solutions are based, one way or another, on redirecting traffic.
That is the whole problem! The task has to be solved without redirecting traffic: this computer should not be a significant network node; it just needs to "stand on the sidelines" and analyze the traffic.
So even a transparent proxy is not an option.
Generally speaking, the Squid variant and the like was my first thought too, naturally, since it is the most common and effective solution to such problems, with a bunch of useful add-ons.
But, unfortunately, for now only the option of collecting traffic "on the sidelines" in promiscuous mode is being considered.
Perhaps I'm not aware of some tricks and technologies, since I haven't really dealt with such problems before; I'm hoping for help :)


4 answers
Di, 2015-01-21
@kvbrg

Maybe squid with all sorts of reports in lightsquid, sarg and the like?
You could dig into iptables a bit, mark packets, and, using the fprobe sensor together with netflow, roll your own, like this guy: habrahabr.ru/post/232719. Or any of these: iftop, iptraf, ntop, vnStat, Bandwidthd, darkstat.

Armenian Radio, 2015-01-21
@gbg

Why not redirect everything to squid running in transparent mode? Because digging TCP out of mirrored traffic (yep, a segment is lost and that's it, nobody is going to resend it to us, the train has left!) will be harder than simply proxying.

mace-ftl, 2015-01-21
@mace-ftl

forum.ptraffer.ru/viewtopic.php?f=6&t=8263 is on topic; it works well on hardware of the Intel Atom 1.6 GHz + 1 GB RAM class.

throughtheether, 2015-01-21
@throughtheether

"which sites which users visited, and the traffic volume, both in total and per user."
If the IP addresses of the sites and the IP addresses of the clients are enough, you could consider using netflow, if your equipment (the router) supports it.
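Since the asker expects to end up writing "a simple parser" anyway, here is an added example of what that parser looks like when it works purely from mirrored frames, without redirecting anything. It is not code from the thread or from any of the tools mentioned: it is a stdlib-only Python script that parses Ethernet/IPv4/TCP frames as libpcap hands them over, pulls the Host header from the first segment of each HTTP request it sees, and tallies IP-layer bytes per (client IP, Host), which is exactly the "which sites, which users, how much" statistic asked for. It also shows the caveat Armenian Radio raised: when the request segment carrying Host was dropped by the mirror (or the flow started before capture began), the bytes can still be counted per client but only under "(unattributed)". All IP addresses, ports and frames below are constructed test data; on the real box you would feed `tally()` frames read from a pcap or a raw socket in promiscuous mode.

```python
"""Passive per-user HTTP volume statistics from mirrored (SPAN) traffic.
Added example, not from the original thread; all addresses and frames are constructed."""
import struct
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, ip_len, tcp_payload) for an
    Ethernet II / IPv4 / TCP frame, or None for anything else (ARP, UDP, ...)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:     # IPv4 header, protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4                               # IP header length in bytes
    ip_len = struct.unpack("!H", ip[2:4])[0]               # total IP length = bytes we account
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:ip_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                          # TCP header length in bytes
    return src, dst, sport, dport, ip_len, tcp[data_off:]


def extract_host(payload):
    """Host header of an HTTP request, or None if this segment is not the start
    of a request (continuation segment, a response, TLS, ...)."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tally(frames):
    """Map (client_ip, host) -> IP-layer bytes in both directions.
    A flow whose request segment was never captured is reported under
    host "(unattributed)": nobody retransmits a lost mirrored segment to us."""
    flow_host = {}                                         # 4-tuple -> Host seen on it
    flow_bytes = defaultdict(int)                          # 4-tuple -> bytes both ways
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, ip_len, payload = parsed
        if dport == 80:                                    # client -> server direction
            key = (src, dst, sport, dport)
        elif sport == 80:                                  # server -> client: same flow key
            key = (dst, src, dport, sport)
        else:
            continue                                       # not plain HTTP on port 80
        flow_bytes[key] += ip_len
        host = extract_host(payload) if dport == 80 else None
        if host:
            flow_host[key] = host
    stats = defaultdict(int)
    for key, nbytes in flow_bytes.items():
        stats[(key[0], flow_host.get(key, "(unattributed)"))] += nbytes
    return dict(stats)


def build_frame(src, dst, sport, dport, payload):
    """Constructed test frame: Ethernet II + minimal IPv4 + minimal TCP header (no checksums)."""
    ip_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


# Constructed sample capture (RFC 5737 / private addresses, hypothetical hosts).
CLIENT_A, CLIENT_B, CLIENT_C, WEB = "192.168.1.10", "192.168.1.11", "192.168.1.12", "203.0.113.5"
REQ_A = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"
RESP_A = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
REQ_B = b"POST /login HTTP/1.1\r\nHost: other.example\r\n\r\n"
RESP_C = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
ARP = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28

SAMPLE_FRAMES = [
    build_frame(CLIENT_A, WEB, 40000, 80, REQ_A),
    build_frame(WEB, CLIENT_A, 80, 40000, RESP_A),
    build_frame(CLIENT_B, WEB, 40001, 80, REQ_B),
    build_frame(WEB, CLIENT_C, 80, 40002, RESP_C),   # its request segment was lost in the mirror
    ARP,                                             # non-IP frame, ignored
]

if __name__ == "__main__":
    for (client, host), nbytes in sorted(tally(SAMPLE_FRAMES).items()):
        print(f"{client:15} {host:20} {nbytes} bytes")
```

Accounting is done on the IP total length rather than on payload so that the per-user figure matches what the link actually carried. The script deliberately keys flows on the full 4-tuple: keying on client IP alone would attribute a second site's bytes to whichever Host was seen first. It only understands plain HTTP on port 80; for HTTPS the Host is not visible on the wire, and the best a passive observer gets is the TLS SNI, which is why the last answer's netflow suggestion (IP-to-IP volumes only) is the honest fallback.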
