Author: Ben Martin
The PasTmon passive traffic monitor keeps an eye on your network, recording which clients are interacting with which services, when and how long things took. You can then use the application’s PHP Web interface to investigate these figures to see if any host is connecting to Web services that it shouldn’t, or is contacting services suspiciously more frequently than you would expect for normal operation, or when response times become excessively long.
The Ubuntu, openSUSE, and Fedora repositories do not include packages for PasTmon. Although the version number is still low, the project has had releases available for three years. I built version 0.12 of PasTmon from source on a 64-bit Fedora 9 machine with the normal
./configure; make; sudo make install commands. To build PasTmon you will need to have the libpcap, pcre, and libdbi development packages installed. To run PasTmon you’ll also need PostgreSQL and libdbi-dbd-pgsql. For the Web interface you’ll need Apache, PHP, and jpgraph installed.
For Fedora 9 the package names are libpcap-devel, pcre-devel, libdbi-devel, libdbi-dbd-pgsql, and postgresql-server. jpgraph is not in the Fedora 9 repository. For openSUSE 11 the package names are libpcap-devel, pcre-devel, libdbi-devel, libdbi-drivers-dbd-pgsql and postgresql-server. pgraph is not in the openSUSE 11 repository. For Ubuntu Intrepid the package names are libpcap-dev, libpcre3-dev, libdbi0-dev, libdbd-pgsql, and postgresql.
The default installation prefix is /usr/local/pastmon instead of simply /usr/local. This is convenient, as it keeps all of the files related to PasTmon under a single directory.
After PasTmon itself is set up, you still have to set up a PostgreSQL database, put an init.d file in place so that PasTmon is automatically started, and set up the PHP Web interface to get a full installation. The project’s documentation discusses the
./configure; make; make install steps, but you need to also perform steps like the following to get up and running. To set up a PostgreSQL database, as root run the create_database_summary script that was installed in the /usr/local/pastmon/bin/postgresql_admin directory. The script will quietly remove a database named postmon2 if one already exists. The below commands will set up the PostgreSQL database and create an init.d file on a Fedora machine; you might have to edit the init.d file on other distributions.
# cd /usr/local/pastmon/bin/postgresql_admin # ./create_database_summary # cd /usr/local/pastmon/etc # install -m 700 rc_pastmon.redhat /etc/init.d/pastmon # chkconfig --add pastmon service pastmon start
The software’s PHP Web interface is installed at /usr/local/pastmon/share/pastmonphp, but that directory is not accessible through Apache without some additional configuration. Before you make those changes, download and expand jpgraph and add it to your PHP include_path. Then use the commands below to make the PHP Web interface available at http://localhost/PasTmon and set up the jpgraph library for the PasTmon Web interface.
# cd /etc/httpd/conf.d # vi PasTmon.conf Alias /PasTmon /usr/local/pastmon/share/pastmonphp <Location /PasTmon> Order deny,allow Deny from all Allow from 127.0.0.1 Allow from ::1 </Location> # cd /usr/local/ # tar xzvf /.../jpgraph-2.3.3.tar.gz # ln -s jpgraph-2.3.3 jpgraph # cd jpgraph # mv src jpgraph # vi /etc/php.ini ... ;;;;;;;;;;;;;;;;;;;;;;;;; ; Paths and Directories ; ;;;;;;;;;;;;;;;;;;;;;;;;; ; UNIX: "/path1:/path2" include_path = ".:/php/includes:...:/usr/share/pear:/usr/local/jpgraph" ; ... # service httpd restart
The main PasTmon configuration file is at /usr/local/pastmon/etc/pastmon.conf. If you didn’t use the default database name or you want to run PostgreSQL on a different machine to PasTmon, the credentials and database location are set in key-value parameters in the output_DBI section of pastmon.conf. The configuration file is well commented, and the section that you might need to change is the database parameters. See /usr/local/pastmon/share/pastmondocs/install_guide.pdf for more details on changing the configuration.
Getting PasTmon installed and running was not as easy as I’d hoped. Originally I didn’t have the right DBI provider packages installed, and got strange backtraces in /var/log/messages until I stumbled on the issue.
Now you should be able to start PasTmon. It will then take some time to write enough data to the PostgreSQL database to be interesting. When you load http://localhost/PasTmon into your Web browser you will be offered a menu of five choices — level 1, level 2, All, favorites, and Internal. The last three let you see all the data aggregated into hourly, daily, and weekly summaries. The favorites page will be empty when you begin to use the program. The internal page lets you see things like the number of packets received on a network interface. It can be handy if you want to quickly check whether PasTmon is actually capturing the information you expect.
The level 1 menu option lets you see data summarized at five-minute intervals. It allows you to quickly see what clients are connecting to what services and how frequently. Level 2 is for investigating data that’s more than a month old. Because logging information every five minutes will make the database tables continually grow in size, PasTmon includes a script in pastmon/bin/pastmon_summarise_level_2.pl that moves information into archive tables. This keeps the most recent information in a table with a relatively fixed size so that queries on the most recent events do not slow down over time. The below crontab entry will run pastmon_summarise_level_2 to archive events that are older than 31 days.
0 1 * * * /usr/local/pastmon/bin/pastmon_summarise_level_2.pl --age=32 --interval=3600 --delete 2>&1 | logger -t pastmon_summarise_level_2.pl
The table at the top of the level 1 window (see figure) is filled in as you drill down into your query. The Filter section in the upper middle should be self-explanatory, with the exception of the Signature filter combo box, which lets you filter to show only certain activities, such as HTTP Get, SMTP EHLO, and TCP SYNACK events. If you have not entered a filter, the bottom of the page displays pie charts showing what activities are the most common — in this case HTTP Get — and information about SYNACK, ICMP, and DNS transactions.
When you enter a query into the filter section, the bottom of the window shows matching events with various cells linking to a more specialized view. For example, searching by regex for a server IP address will show a summary of the traffic for that server. If there was DNS traffic from the server from your initial search, then the window will display a row in the results table that describes how much traffic was DNS and when it started and ended. The DNS row will include a clickable link to refine your query to only that type of event. Each time you follow one of these links to more specific data, the table showing the current query at the top of the Web page will have more information filled in. In this screenshot I started searching for a hostname by regex, then clicked a client IP address, and finally the DNS event type.
While looking at what services were used by whom is great from a security standpoint, the real power of PasTmon is in viewing metrics such as the transaction count, average round trip time, packet statistics, and low-level TCP metrics on client and server segment and window sizes. To see these network and service monitoring statistics, you have to select a service signature (for example, HTTP GET traffic), a client, and a server. Note that for the last two, you can also click on the
* to elect not to restrict the results by client or server. You’ll be offered a choice of which metric you want to see, and for each metric you can investigate the min, max, and average. Once you choose your metric you elect a start and end time you want to investigate, and you are shown your metric for the time interval, network service, clients, and servers you have chosen. You can thus learn, for instance, that for Web accesses you have a high average at around 9 a.m., and then decide to see what the maximum response time is like at 9 a.m. to see how patient your clients are.
The Web interface to PastMon hides away its most powerful feature: the graphing of metrics. Unless you know that picking a service, client, and server will open up the possibility of a graph you might miss it. When you are viewing a graph you can edit the view (change the time interval) and save it to your favorites. You can then choose favorites from the top-level menu and view your graph for today, yesterday, this week, last week, and longer time intervals in the past.
Once you have your graphs configured and saved into your favorites, PasTmon lets you quickly see spikes in the average or maximum transaction count or round trip time for a selection of time intervals. You might not be aware that the server has been struggling to serve client demand during the night, but with PasTmon you’ll see it in an instant. You can also bookmark the Web pages for graphs in your favorites, allowing direct access to these statistics.
- System Administration