'Re: monitoring traffic on multiple interfaces'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       nfr-users
Subject:    Re: monitoring traffic on multiple interfaces
From:       mark () nfr ! net
Date:       1998-09-29 14:59:01
[Download RAW message or body]

>Is it possible to set up nfr to monitor traffic on more than 1
>interface? I'd like to have an nfr monitoring traffic on 2 different
>network segments in stealth mode and then accessing it with the GUI via
>a third interface.

Yes, but there are some caveats:

NFR 1.6.2 can monitor multiple segments by listing all the interfaces
in nfrd.cfg, but it does not pay attention to which segment a packet
came from.  It sees all the traffic from all networks as if it were
watching a single network that is the union of them all.

This works nicely if you are watching a bridged/switched network.
You put an interface on each segment you are interested in and
it is ready to go.  (Of course, some packets will be counted twice,
but the issues should be obvious if you think about it for a while.)

It doesn't work so nicely if the two interfaces are not connected
to different segments of the same network.  You can do it, but
you won't be able to tell what traffic came from what network.


NFR 2.0 will have remote monitoring stations.  In that configuration,
you have a central NFR, at your NOC for example, that collects data
from remote NFRs.  Each remote NFR sniffs a single network (or
maybe several branches of a switch) and reports its data to the
central NFR.  You place one remote NFR on each network you want to
monitor.

In this configuration, it *does* pay attention to where the data
comes from.  It shows up as an additional column in your query
results.  

Of course, it is possible to run the central NFR and remote NFRs
on the same hardware, if your machine is fast enough.  I do it all
the time.  This means you can conceivably have a single machine
running 3 NFRs:  the central, a remote for network A, and a remote
for network B.  It sounds like a lot of loading on the system, but
the load is still dominated by the hard work of doing the sniffing.

Now this feature comes with a caveat too:  It won't be available
for free.  You can see a list of resellers at
	http://www.nfr.net/products/resellers/

Mark S.
NFR

****************************************************************
TO POST A MESSAGE on this list, send it to nfr-users@nfr.net.
TO UNSUBSCRIBE from this list, send the following text in the
message body (not subject line) to majordomo@nfr.net

unsubscribe nfr-users your-email-address
****************************************************************

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic