Network Monitoring Apps?

SeñorAmor !!! Registered User regular
edited September 2009 in Help / Advice Forum
A client of mine has several apartment complexes. To attract tenants, he is offering free high-speed internet to all apartments. To save money, he has one internet connection that is then distributed to all his buildings (they are quite close to each other), and from there to each apartment.

The current setup is like so:

The main building -- where the internet feed is -- houses a simple Linux server running a basic firewall and DHCP and DNS servers. From there we route to a switch and from that switch, to switches in each of the other buildings, and finally from those switches to each apartment (each apartment has a single jack and it is up to the tenant to distribute it from there, if they so wish).

My client, being thrifty as all landlords are, opted to go with the bottom of the line switches (ie - no managing whatsoever), and mediocre hardware in his server. He is now having issues with tenants downloading illegal files and the ISP is threatening to terminate service unless this can be stopped.

I am looking for some software that runs under Linux (preferably) that can actively monitor and log people doing stuff they shouldn't be. It'd be nice to be able to check the logs and see someone using massive amounts of bandwidth. It'd be even nicer if it did some packet sniffing and was able to tell me what they were down/uploading. I'm thinking perhaps it could show IP address and maybe computer name, or something along those lines.

I'm sure something like this exists, but my Google-fu is weak and I cannot find what I'm looking for. Any suggestions, folks? Thanks in advance.

SeñorAmor on

Posts

  • EggyToast Jersey City Registered User regular
    edited September 2009
    There's lots. Of course, most of it is geared towards a network administrator, although if you're doing this freelance you should be able to set up some basic protocols and let that manage most of it.

    My google-fu is strong but my network administration is weak. Try googling "Linux network monitor," although you might have to look a little deeper to find something that lets you monitor traffic and then shape/block stuff. I would imagine you'd want to block certain ports/apps and give each tenant a set bandwidth amount.

    EggyToast on
    || Flickr — || PSN: EggyToast
  • Krikee Registered User regular
    edited September 2009
    You're talking about a DPI (deep packet inspection) system which, if your client is too cheap to buy managed switches + routers to run his network then he will not even contemplate dropping the cash on one of those. An open-source alternative may be available but I'm not familiar with one (if you find one let me know). Without real networking gear I don't think you can use 802.1x accounting (might want to look into that just in case you can somehow implement it on your gear) and you can't use a Cacti server either.

    Alternatively, you could limit destination ports at the firewall to common services. If they want the full interwebs then they can pay the full price for their own connection.

    Krikee on
  • SunDragon Registered User regular
    edited September 2009
    Ntop is a possibility. It would at least allow you to view who your top talkers were going through the firewall.

    There is also a command line "live view" tool called iftop that I like to use to see exactly who is doing what right now.

    I'm also a big fan of IPCOP. It's an excellent Linux-based firewall/proxy server. There's lots of add-ons and stuff. If you install something like the L7 blocker add-on, you could block P2P or torrent traffic through the firewall. I think there is even one for it that can be used for billing based on bandwidth usage. And it's all free. Could possibly replace the current firewall with it and at least gain some manageability you might not have.

    It's really hard to do individual monitoring without managed switches. Even if you had one managed switch in the central building, you could at least monitor the ports on that, and find out which building is using the most traffic with something like MRTG or cacti.

    SunDragon on
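
Added example, not part of any post in this thread: a per-address "top talkers" report of the kind discussed above, built from byte counters on the Linux gateway and the DHCP lease file, so it works with unmanaged switches and records volume only, not content. The chain name `ACCT`, the ISC dhcpd lease syntax, and all addresses, MACs and hostnames are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -L ACCT -v -n -x`: one target-less counting rule per tenant IP.
IPTABLES_SAMPLE = """\
Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  812345 1130000000            all  --  *      *       0.0.0.0/0            10.0.1.23
    9120    4200000            all  --  *      *       0.0.0.0/0            10.0.2.7
  400100  610000000            all  --  *      *       0.0.0.0/0            10.0.3.41
"""

# Constructed sample in ISC dhcpd.leases syntax (second lease sent no hostname).
LEASES_SAMPLE = """\
lease 10.0.1.23 {
  hardware ethernet 00:16:3e:00:00:01;
  client-hostname "bldg1-apt4-pc";
}
lease 10.0.3.41 {
  hardware ethernet 00:16:3e:00:00:02;
}
"""

def parse_counters(text):
    """Return {tenant_ip: bytes} from verbose, exact (-x) iptables output."""
    totals = defaultdict(int)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # chain title and column header rows
        totals[fields[-1]] += int(fields[1])  # last column is the destination
    return dict(totals)

def parse_leases(text):
    """Return {ip: (mac, hostname or None)}; later lease entries win."""
    leases = {}
    for ip, body in re.findall(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        name = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases[ip] = (mac.group(1) if mac else None, name.group(1) if name else None)
    return leases

def top_talkers(counters, leases, threshold_bytes):
    """Sorted (ip, mac, hostname, bytes) rows at or above the threshold."""
    rows = [(ip, *leases.get(ip, (None, None)), n)
            for ip, n in counters.items() if n >= threshold_bytes]
    return sorted(rows, key=lambda r: r[3], reverse=True)

print(top_talkers(parse_counters(IPTABLES_SAMPLE), parse_leases(LEASES_SAMPLE), 500_000_000))
```
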
  • underdonk __BANNED USERS regular
    edited September 2009
    Define "doing things they shouldn't be doing"? There are some good technical solutions to this problem, but some tough legal questions that need to be asked. As an ISP, your client needs to talk to a lawyer about what he legally can and cannot do in regards to filtering traffic and performing deep packet inspection.

    underdonk on
    Back in the day, bucko, we just had an A and a B button... and we liked it.
  • JustinSane07 Really, stupid? Brockton __BANNED USERS regular
    edited September 2009
    For the bandwidth, I'm pretty sure DD-WRT firmware can tell you what IP is using what amount of bandwidth. I don't know if it works on any professional grade routers, if that's what you're using, but it works well at my house.

    And he's using one connection for multiple buildings? I sure hope his ISP doesn't have a bandwidth cap of any sorts or he's going to pay dearly.

    JustinSane07 on
  • DoctorArch Curmudgeon Registered User regular
    edited September 2009
    underdonk wrote: »
    Define "doing things they shouldn't be doing"? There are some good technical solutions to this problem, but some tough legal questions that need to be asked. As an ISP, your client needs to talk to a lawyer about what he legally can and cannot do in regards to filtering traffic and performing deep packet inspection.

    Technically, if he is providing the service for free, he can probably do whatever he wants with the connection. Have a lawyer draw up a quick document saying that your internet browsing can be observed and recorded, and if you don't like it, you don't get free internet.

    DoctorArch on
    Switch Friend Code: SW-6732-9515-9697
  • Krikee Registered User regular
    edited September 2009
    On a budget that IPCop solution seems to be the best way to handle this (without being a total traffic nazi ie limiting destination ports). Just be aware you won't be able to stop encrypted torrent traffic but, with some other tricks (bandwidth monitoring immediately comes to mind) you can find out who is still trying to get you owned via the DMCA. Good luck and I'll be interested to find out what you eventually end up doing.

    @SunDragon good call on the IPCop.

    Krikee on
  • underdonk __BANNED USERS regular
    edited September 2009
    Archgarth wrote: »
    Technically, if he is providing the service for free, he can probably do whatever he wants with the connection.

    Laws typically don't differentiate between free and not free. For instance, free healthcare doesn't mean that the medical institution providing the service doesn't have to follow HIPAA regulations. IANAL, but it's really important for the landlord to contact a lawyer and ask what is legal and what is not in this situation. Both he and the OP could wind up in a heap of trouble.
    Archgarth wrote: »
    Have a lawyer draw up a quick document saying that your internet browsing can be observed and recorded, and if you don't like it, you don't get free internet.

    Yeah, taking away the renter's right to privacy would make the whole legal issue a moot point.

    underdonk on
    Back in the day, bucko, we just had an A and a B button... and we liked it.
  • vonPoonBurGer Registered User regular
    edited September 2009
    SeñorAmor wrote: »
    He is now having issues with tenants downloading illegal files and the ISP is threatening to terminate service unless this can be stopped.
    I don't think your friend's ISP has the right to terminate service based on what his tenants are downloading. In many cases there's no reliable way for the ISP to tell what's actually being downloaded since most torrent traffic is encrypted. All they can really tell is yes, this particular connection has tons of torrents running on it and yes, it's using a hell of a lot of bandwidth. ISPs definitely do maintain the right to terminate service in cases of "network abuse," and this is generally spelled out in their terms of service. What exactly constitutes network abuse in their eyes is always nebulously defined, so they can maintain the ability to kick anyone off their network as long as they can somehow say it's network abuse. If he has multiple tenants torrenting 24x7, such that the connection is operating at peak capacity at all times, they would almost certainly consider that network abuse and grounds for terminating the service.

    What kind of service is he getting from his ISP? Your friend is essentially operating as a reseller by taking one connection and sharing it out to multiple private parties. I think he'd need some kind of reseller's agreement with his provider in order to protect himself. Especially if he's concerned about what his tenants are downloading. What if one of his tenants downloads kiddie porn using this shared connection? Is he liable for that tenant's activity? Would he be able to claim protection from liability via the DMCA Safe Harbor provisions, i.e. by claiming that he's a service provider and thus not responsible for the things his users (tenants) choose to do with the connection? IANAL, so I can't answer these questions. These are things he should be asking a lawyer, though, and he would be a lot better off asking them now than at some crisis point in the future.

    I don't see this as being a technical issue at all. If he just wants the connection to work well for all involved, all he needs to do is configure QoS on the link so that all traffic is considered bulk except for those protocols that are considered non-bulk traffic (e.g. HTTP, VOIP, etc.). The real issues here are legal ones, and it makes no sense to try to apply technical solutions to a legal problem. Even if there's no liability issue here in terms of what his tenants do with the connection, he still needs legal advice in terms of coming to some agreement with his ISP, such that he can continue to share the connection they provide without causing the ISP to threaten disconnection.

    vonPoonBurGer on
    Xbox Live:vonPoon | PSN: vonPoon | Steam: vonPoonBurGer
  • Chanus Harbinger of the Spicy Rooster Apocalypse The Flames of a Thousand Collapsed Stars Registered User regular
    edited September 2009
    Archgarth wrote: »
    Technically, if he is providing the service for free, he can probably do whatever he wants with the connection. Have a lawyer draw up a quick document saying that your internet browsing can be observed and recorded, and if you don't like it, you don't get free internet.

    That's kind of like saying (Super Interwebs Analogy!) he's allowed to put cameras in his restrooms, so long as they're free to use.

    There are privacy issues here. I wouldn't doubt he'd only be able to monitor raw bandwidth numbers.

    Chanus on
    Allegedly a voice of reason.
  • Dinosaur Equals Gas Registered User regular
    edited September 2009
    SeñorAmor wrote: »
    He is now having issues with tenants downloading illegal files and the ISP is threatening to terminate service unless this can be stopped.
    I don't think your friend's ISP has the right to terminate service based on what his tenants are downloading. In many cases there's no reliable way for the ISP to tell what's actually being downloaded since most torrent traffic is encrypted. All they can really tell is yes, this particular connection has tons of torrents running on it and yes, it's using a hell of a lot of bandwidth. ISPs definitely do maintain the right to terminate service in cases of "network abuse," and this is generally spelled out in their terms of service. What exactly constitutes network abuse in their eyes is always nebulously defined, so they can maintain the ability to kick anyone off their network as long as they can somehow say it's network abuse. If he has multiple tenants torrenting 24x7, such that the connection is operating at peak capacity at all times, they would almost certainly consider that network abuse and grounds for terminating the service.

    ISPs can terminate you or anyone at any time for pretty much any reason they want. It's their service that they are providing and if they want to refuse money then they can certainly do so. They can't terminate your service and then charge you some sort of earlier termination fee.

    Dinosaur Equals Gas on