Network detective

Here are 3 "network detective" activities.

Scenario 1: There is an Ubuntu Linux box connected to a shared LAN. There is a need to know whether that computer has had a network outage, e.g. during the night or at any other time when nobody is looking at the screen. A network outage here means that, for some period of time, there was no network connectivity from the computer to the neighboring edge network device (the router, switch or hub it is connected to). What to do with no additional tools?

Quick solution:
$ grep -i networkmanager /var/log/syslog
and the output will be similar to this:

Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): bringing up device.
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: starting -> ready
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): device state change: unavailable -> disconnected (reason 'supplicant-available') [20 30 42]
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: ready -> inactive
Dec 25 10:55:31 aware NetworkManager[2520]: WiFi now disabled by radio killswitch
Dec 25 10:55:31 aware NetworkManager[2520]: (eth0): device state change: activated -> disconnected (reason 'user-requested') [100 30 39]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): device state change: disconnected -> unavailable (reason 'none') [30 20 0]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): deactivating device (reason 'none') [0]
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.

Network events can be identified from the "device state change" records; e.g. in line number 6 the log says
activated -> disconnected (reason 'user-requested')
which is the moment eth0 lost its link, and the next "-> activated" record for the same interface is when it came back.
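Reading the whole syslog by eye is fine for one night, but the grep above can be turned into a small outage report. The script below is an added example, not part of the original post: it parses the NetworkManager "device state change" records, pairs every transition out of "activated" with the next transition back into "activated" on the same interface, and prints the resulting downtime windows. The sample input is constructed: the first ten records are the post's own log lines (one syslog record per line) plus one constructed reactivation record for eth0, so that one outage has a visible end. It assumes classic syslog timestamps without a year (the caller supplies the year) and that the log does not cross a year boundary.

```python
import re
from datetime import datetime

# Constructed sample input: the ten NetworkManager records from the post,
# followed by one constructed "ip-config -> activated" record so that the
# eth0 outage has an end.
SAMPLE_SYSLOG = """\
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): bringing up device.
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: starting -> ready
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): device state change: unavailable -> disconnected (reason 'supplicant-available') [20 30 42]
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: ready -> inactive
Dec 25 10:55:31 aware NetworkManager[2520]: WiFi now disabled by radio killswitch
Dec 25 10:55:31 aware NetworkManager[2520]: (eth0): device state change: activated -> disconnected (reason 'user-requested') [100 30 39]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): device state change: disconnected -> unavailable (reason 'none') [30 20 0]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): deactivating device (reason 'none') [0]
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Dec 25 11:02:10 aware NetworkManager[2520]: (eth0): device state change: ip-config -> activated (reason 'none') [70 100 0]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host NetworkManager[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"NetworkManager\[\d+\]: (?P<msg>.*)$"
)
# The message body we care about: "(iface): device state change: old -> new (reason '...')"
STATE_RE = re.compile(
    r"^\((?P<iface>[^)]+)\): device state change: "
    r"(?P<old>[\w-]+) -> (?P<new>[\w-]+) \(reason '(?P<reason>[^']*)'\)"
)


def parse_state_changes(text, year):
    """Return (timestamp, iface, old_state, new_state, reason) for every
    NetworkManager 'device state change' record in text. Syslog timestamps
    carry no year, so the caller supplies it (assumption: no year boundary
    inside the log)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = STATE_RE.match(m.group("msg"))
        if not s:
            continue
        # Collapse the double space syslog uses for single-digit days ("Dec  5").
        ts_text = " ".join(m.group("ts").split()) + f" {year}"
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S %Y")
        events.append((ts, s["iface"], s["old"], s["new"], s["reason"]))
    return events


def find_outages(events):
    """Pair each 'activated -> <other>' transition with the next transition
    into 'activated' on the same interface. 'end' is None when the interface
    never came back within the log."""
    open_outage = {}
    outages = []
    for ts, iface, old, new, reason in events:
        if old == "activated" and new != "activated" and iface not in open_outage:
            open_outage[iface] = {"iface": iface, "start": ts, "end": None, "reason": reason}
        elif new == "activated" and iface in open_outage:
            rec = open_outage.pop(iface)
            rec["end"] = ts
            outages.append(rec)
    # Interfaces still down when the log ends are reported as open outages.
    outages.extend(open_outage.values())
    return outages


def outage_report(text, year):
    """One human-readable line per outage, ordered by start time."""
    lines = []
    for o in sorted(find_outages(parse_state_changes(text, year)), key=lambda o: o["start"]):
        if o["end"] is None:
            lines.append(f"{o['iface']}: down since {o['start']:%b %d %H:%M:%S} "
                         f"(reason '{o['reason']}'), not back up")
        else:
            secs = int((o["end"] - o["start"]).total_seconds())
            lines.append(f"{o['iface']}: down {o['start']:%b %d %H:%M:%S} -> "
                         f"{o['end']:%b %d %H:%M:%S} ({secs}s, reason '{o['reason']}')")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python3 nm_outages.py /var/log/syslog
        with open(sys.argv[1], errors="replace") as fh:
            text, year = fh.read(), datetime.now().year
    else:
        text, year = SAMPLE_SYSLOG, 2012  # constructed sample, year chosen arbitrarily
    for line in outage_report(text, year):
        print(line)
```

Only transitions out of "activated" open an outage, so wlan0 in the sample (which goes unavailable -> disconnected -> unavailable without ever being activated) is correctly not reported: it was never up, so it never went down. Records that NetworkManager writes after a reboot also matter: an interface that was "activated" before a power loss will not log a state change at all, so a gap in syslog timestamps with no shutdown messages is a second signal worth checking by hand.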


Scenario 2: There is an Ubuntu Linux box in a LAN. There is also the need for a first approximation of the kind of traffic and IPs flowing through the LAN, e.g. the type of traffic, the IP addresses that are chatting, packet sizes, and the like.

Quick solution:
# apt-get install iptraf
# iptraf

A character-based application will appear in the xterm window. Navigating it with the keyboard gives a first glimpse of the data we said we need in this scenario.

Scenario 3: There is an Ubuntu Linux box. There is also the need to have a fully fledged web-based network monitoring app running on localhost, with statistics, graphs, apple pies and a myriad of other possible functionalities.

Solution (based on http://www.cyberciti.biz/faq/debian-ubuntu-install-ntop-network-traffic-monitoring-software/):
# apt-get install ntop
# ntop (and choose an admin password to access the web interface)
# /etc/init.d/ntop restart

Check that ntop is listening on local port 3000:
# netstat -tulpn | grep :3000
and connect via a browser to http://0.0.0.0:3000
Now the only required ingredient is time to fine tune ntop and to get the most of it!

By the way, if there is no need to start ntop at boot time, just rename /etc/init.d/ntop to e.g. /etc/init.d/ntop.notnow.

Happy network detective activities!


The evil is in the details ;-)