General Questions

I apologize if this has been covered comprehensively somewhere before, my searches weren't that successful as I'll note below.

I have a monowall (1.3b14 as of now, running on an ALIX) that I wish to monitor traffic on. That is to say, it's on a T1 at a client location and the connection is routinely saturated, I'd like to find out what type of traffic is saturating it. I've read a thread here about using a "SPAN" command to accomplish this but there wasn't much detail. Is the idea to span the LAN interface to an Optional interface then have that Optional interface plugged into a NIC on a machine running Wireshark (Ethereal) or the like?

I know I can't be the first person to want a way to monitor the traffic "flowing across" a monowall so I put this to the forums so we'll have a (hopefully) better documented (and easier to find) solution.

Thanks in advance,
Wes

Anyone? I've found the firewall state table (particularly with the "delta" option) to be somewhat useful but I'd really like a clearer picture of what data is going over the connection.

Yes to your first question, but like I said, I've never tried it -though I'm sure it wouldn't hurt anything to try.

I don't really use my monowall for traffic monitoring.  I instead put a network tap between the switch & monowall and attach a monitoring machine to it.  At that point you can use any software you like to watch what comes over the wire.

I looked again and the span port feature in ifconfig only works on a network bridge (I think).  This link may be of some help: http://osdir.com/ml/security.firewalls.pfsense.user/2007-12/msg00029.html

Thanks for the help Godzilla, I'd come across the same information on SPAN, just wasn't sure if it was the best option (thought unfortunately it seems to be, assuming it works at all). I guess the definitive traffic monitoring thread has failed. :-)

Wes