ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.
ntop is available for both Unix and Win32-based platforms. It has been developed by Luca Deri, an Italian research scientist and network manager at University of Pisa.
Common usage on a Linux system is to start the ntop daemon (/etc/init.d/ntopd start), then one can use the web interface to ntop via visiting http://127.0.0.1:3000 provided the loopback device has been started (/etc/init.d/net.lo start) and the listening port for ntop is 3000 (look out for the -w option in ps aux | grep ntop).
ntop
Probably Wireshark, maybe. But it's difficult to tell from your question since it does not include enough information to be able to tell what you mean by "monitor".
First, you need a network design that allows for network monitoring. One could use lots of monitor ports. Alternatively, use network hubs instead of layer 2 bridges or switches.
Then install an IDS (Intrusion Detection System) on every network segment.
"Monitor" can have multiple meanings, so it is difficult to tell what you mean. If you want to monitor the status of your network connections (as in whether the connections are up or down), then many switches support SNMP and you can use a program like What's Up Gold or Solarwinds to report changes on the ports' status.
If you want to monitor the network connections on the servers you can use a platform that does periodic ICMP requests to test if the servers are still alive. The previously mentioned software does that too as well as software like IPSentry (and numerous others mentioned in other questions on Serverfault like here or here).
If you want to monitor the actual traffic and look at the packets, then you need to mirror the ports on your switch to a copy port (assuming your switch has that capability) and have something like Wireshark on a system capturing that port. However, you might be overloading the bandwidth of that port (depending on the traffic on the other ports, and the number of other ports being mirrored). If that happens, you will lose packets.
Hmm. I guess we can just take a stab and guess that you're probably looking for something like SNMP (Simple Network Management Protocol). If your switch/router/PC supports SNMP traps then it can send its status and codes and messages to an NMS (Network Monitor Station) which can show you the status of the devices.
We have all our custom software sending SNMP traps every time there is a failure or a crash, and a lot of managed switches will give you port details via the same method (who is on, off, speed and duplexing, etc.).
It sounds to me as if NetFlow is the sort of tool you want to be using here. If you're using switches that support it, they can do things like log every TCP connection (or only certain ones based on filters such as port), the amount of traffic across each connection, and that sort of thing. You can do something similar with non-NetFlow-enabled switches if you have a monitoring port to which you can hook up a computer running nProbe (at the http site www.ntop.org/nProbe.html) or something similar. There's a large list of software related to NetFlow applications here: (at the http site www.switch.ch/network/projects/completed/TF-NGN/floma/software.html)
(BTW, don't blame me for lack of links beyond the first; this site has decided it doesn't want them.)
Try 'IPTRAF'. It's a wonderful tool. After installation, it will detect all Ethernet ports and you can start monitoring your local network. http://iptraf.seul.org/
enjoy..:)
If you just want to have a fast overview of who is doing what, then you could give "iftop" a try.
Project Homepage: http://www.ex-parrot.com/~pdw/iftop/
Download WIRESHARK (network monitoring tool, used to be called Ethereal). With this you will see all network traffic and protocols live, and also THE DUDE (network mapping) will give you a graphical interface of your network with statistics. They are both free.
That clearly depends on the goal you're trying to achieve. Maybe you could grab all traffic from a span port on your switches with Wireshark, or put an NIDS on that port (Snort+BASE will do the job). You can also deploy some monitoring system using Zabbix, for example, to graph the SNMP values of your SNMP queries. You can also use ARP cache poisoning with Ettercap to go beyond in the middle. Hope this helps.