I have a Linux box that I would like to use to monitor all bandwidth on my network; there are multiple computers all plugged into the network.
Is there some way to ARP spoof all the traffic through the Linux box and record the amount of bandwidth each computer is using?
How to solve:
I use Bandwidthd
BandwidthD tracks usage of TCP/IP network subnets and builds HTML files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each IP address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in CDF format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.
What you need to do is put the machine in the network between those machines and your connection to the internet, like so:
    PC1 ----\
    PC2 ----+---- monitor ---- router/modem/other ---- hinterwebs
    PC3 ----/
You need two network cards in the monitor box, one for the local LAN's switch that the other machines plug into too and one for the router. The monitor box would then either be set to act as a transparent bridge or (easier) it would perform NAT (like so) for the LAN. You can then use extra iptables rules with comments to mark them so that you can use something like collectd's iptables module (see here) to record packet and byte counts. You could also use tools like bandwidthd, though I've not used that myself. If you are looking to check current traffic rather than log the traffic for future analysis, you can just use iftop (see here; it should be available in all Linux distributions) to list what is going through the box right now.
Seeing the traffic for all the machines as you describe, without sitting the monitoring machine between the machines you want to monitor, is not really possible on a switched network, which all modern networks are. When using a hub all you had to do was drop the network card into promiscuous mode and it would inspect all the traffic on the line, but with a switched network the switch makes sure each line only gets the packets it needs, not everything.
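The per-host iptables accounting the answer above describes, as an added Python example that is not part of the original post: it generates one counting rule per LAN host (tagged with a comment, so a collector such as collectd can pick it out) and parses the byte and packet counters back out of `iptables -L ... -v -n -x` output. The chain name ACCOUNTING, the host list and the sample counter output are constructed; the rules assume LAN traffic is forwarded through the monitor box's FORWARD chain.

```python
# Added example (not from the original answer): per-host byte accounting on the
# monitor box. Assumes LAN traffic is forwarded through the box (FORWARD chain);
# the chain name, host list and sample counter output below are constructed.
import re

LAN_HOSTS = ["192.168.1.10", "192.168.1.11"]  # constructed sample hosts
CHAIN = "ACCOUNTING"

def accounting_rules(hosts, chain=CHAIN):
    """Commands creating one upload (-s) and one download (-d) rule per host.
    The rules have no target, so they only count; the comment tags them."""
    cmds = [["iptables", "-N", chain], ["iptables", "-I", "FORWARD", "-j", chain]]
    for ip in hosts:
        for direction, flag in (("up", "-s"), ("down", "-d")):
            cmds.append(["iptables", "-A", chain, flag, ip,
                         "-m", "comment", "--comment", f"acct-{direction}-{ip}"])
    return cmds

# Shape of `iptables -L ACCOUNTING -v -n -x` output (constructed sample values)
SAMPLE_COUNTERS = """\
Chain ACCOUNTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1523    1048576            all  --  *      *       192.168.1.10         0.0.0.0/0            /* acct-up-192.168.1.10 */
    4201   52428800            all  --  *      *       0.0.0.0/0            192.168.1.10         /* acct-down-192.168.1.10 */
     300     204800            all  --  *      *       192.168.1.11         0.0.0.0/0            /* acct-up-192.168.1.11 */
     900    9437184            all  --  *      *       0.0.0.0/0            192.168.1.11         /* acct-down-192.168.1.11 */
"""

# pkts, bytes, then anything up to our comment tag: acct-<up|down>-<ip>
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+.*/\* acct-(up|down)-([\d.]+) \*/\s*$")

def parse_counters(text):
    """Turn iptables -v -x output into {ip: {"up": bytes, "down": bytes, "pkts": n}}.
    Header lines and untagged rules are skipped."""
    usage = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        pkts, nbytes, direction, ip = int(m[1]), int(m[2]), m[3], m[4]
        entry = usage.setdefault(ip, {"up": 0, "down": 0, "pkts": 0})
        entry[direction] += nbytes
        entry["pkts"] += pkts
    return usage

if __name__ == "__main__":
    for cmd in accounting_rules(LAN_HOSTS):
        print(" ".join(cmd))  # run these as root on the monitor box
    for ip, u in sorted(parse_counters(SAMPLE_COUNTERS).items()):
        print(f"{ip}: up {u['up'] / 2**20:.1f} MiB, down {u['down'] / 2**20:.1f} MiB")
```

On a live box, feed `parse_counters` the stdout of `iptables -L ACCOUNTING -v -n -x` and sample it periodically; the counters are cumulative, so usage over an interval is the difference between two reads.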