Thursday, December 22, 2005

Monitor Network Activity using IPAudit



What does IPAudit do?

IPAudit monitors network activity on a network by host, protocol and port.

IPAudit listens to a network device in promiscuous mode and records every connection between two IP addresses. A unique connection is determined by the IP addresses of the two machines, the protocol used between them, and the port numbers (if they are communicating via UDP or TCP).

IPAudit can be used to monitor network activity for a variety of purposes. It has proved useful for intrusion detection, for tracking bandwidth consumption and for spotting denial of service attacks. It can be used with IPAudit-Web to provide web-based network reports.

Installation and Configuration

Step 1 - Become root on your system and create a user called "ipaudit". It will need a valid shell and home directory (typically /home/ipaudit, which will be used in this article for simplicity). Now switch to the newly created "ipaudit" user.

Step 2 - Download and unpack the ipaudit-web tarball in /home/ipaudit.

[root@mybox ipaudit]$ tar zxvf ipaudit-web-1.0BETA9.tar.gz

You will need a few things installed before compiling, or else the build will throw errors.

Make sure you have these installed

1) libpcap - (I installed libpcap0-0.7.2-3mdk urpmi way)

2) yacc - (This is needed, again I did a urpmi yacc - byacc-1.9-14mdk)

3) gnuplot - (Not required for compiling, but needed later to create the PNG graphs)

4) gcc compiler.

5) perl (To enable the scripts to run.)


Optional: the Perl module Time::ParseDate, needed for the SearchIpauditData CGI script to work (can be omitted if necessary).



Now let's compile.

Step 3 - Change to the compile directory:


[ipaudit@mybox ipaudit]$ cd ipaudit-web-1.0BETA9/compile

Step 4 - Execute the configure script and run make:

[ipaudit@mybox ipaudit]$ ./configure
[ipaudit@mybox ipaudit]$ make

Step 5 - Become root and execute the make install commands:

[ipaudit@mybox ipaudit]$ su -
Password:
[ipaudit@mybox ipaudit] # make install
[ipaudit@mybox ipaudit] # make install-cron
[ipaudit@mybox ipaudit] # exit (Leave root and become ipaudit user again)
[ipaudit@mybox ipaudit] $

Step 6 - Now you will need to edit /home/ipaudit/ipaudit-web.conf

LOCALRANGE="10.10.93.0/24"

My network is on the 10.10.93.0 range; set this to your own local range.

INTERFACE=eth0

I have only one ethernet card eth0 connected to my ISP Provider.

If you have two ethernet cards and eth1 is the one connected to your ISP, set INTERFACE to eth1 instead.

Step 7 - Add the following lines to your Apache httpd.conf file if they do not already exist:


<Directory /home/ipaudit/public_html>
AllowOverride All
Options MultiViews Indexes Includes FollowSymLinks
Order allow,deny
Allow from all
</Directory>

<Directory /home/ipaudit/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>


Note that your Apache server may already contain configuration similar to the above for the "/home/*/public_html" directory. If you do not plan to use the Userdir module for anything other than IPAudit, it is suggested that you comment out the original configuration and replace it with the configuration above.

Your Apache server will need to support SUEXEC, Mod_Perl, and Mod_Userdir. Once you have modified the Apache configuration, restart your Apache server. For more details on the IPAudit-Web installation, refer to the INSTALL file located in the installation directory of that package. It contains more information about the required Perl module Time::ParseDate, SUEXEC, and password protecting your IPAudit-Web installation. Since it requires only moderate Google hacking skills to find other people's IPAudit installations, protecting IPAudit with a password is a very good idea.

Step 8 - Check your installation

Open a web browser and go to:

http://localhost/~ipaudit/

If your installation was successful you should now see a screen like the one shown, with a sample page; after about 30 minutes of data collection it will look like the report shown above.


Please make sure the tools below are in the locations mentioned.

If they are not, change the settings in /home/ipaudit/ipaudit-web.conf to point at their actual locations:

AWK=/bin/gawk
GZIP=/bin/gzip
ZCAT=/bin/zcat
ZGREP=/usr/bin/zgrep
GNUPLOT="nice -19 /usr/bin/gnuplot"
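As an added example (not part of the original post or the IPAudit project), the following POSIX shell checker reads ipaudit-web.conf and verifies that each of the tool settings above points at an executable, including the "nice -19 /path" wrapper used for GNUPLOT. The config file path and the sample config used in the comments are assumptions.

```shell
#!/bin/sh
# Added example: check that the tool paths in ipaudit-web.conf exist and are
# executable before the cron jobs installed by "make install-cron" need them.
# Usage: check_conf /home/ipaudit/ipaudit-web.conf   (path is an assumption)

# Return 0 if the program named by a config value is executable.
# Handles a "nice <level> /path" wrapper such as GNUPLOT="nice -19 /usr/bin/gnuplot".
check_tool_path() {
    set -- $1                      # word-split the value into nice/level/path
    if [ "$1" = "nice" ] && [ $# -ge 3 ]; then
        shift 2                    # drop "nice" and its priority argument
    fi
    [ -n "$1" ] && [ -x "$1" ]
}

# Read KEY=VALUE lines, skip comments and blank lines, strip surrounding
# double quotes, and check the keys the post says must point at real binaries.
# Prints one OK/MISSING line per key; the return value is the number missing.
check_conf() {
    missing=0
    while IFS= read -r line; do
        case $line in
            \#*|'') continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        value=${value#\"}
        value=${value%\"}
        case $key in
            AWK|GZIP|ZCAT|ZGREP|GNUPLOT)
                if check_tool_path "$value"; then
                    printf 'OK      %s=%s\n' "$key" "$value"
                else
                    printf 'MISSING %s=%s\n' "$key" "$value"
                    missing=$((missing + 1))
                fi ;;
        esac
    done < "$1"
    return "$missing"
}
```

A non-zero exit status means at least one configured tool is absent, so the script can run from cron and alert before the report generation silently breaks.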


I have also made one more change in /home/ipaudit/ipaudit-web.conf

#CGI_BIN=/home/ipaudit/public_html/cgi-bin

Previously it was

#CGI_BIN=/~ipaudit/cgi-bin (I have hashed it out)

Make sure your perl is located at /usr/bin/perl, or else change the path accordingly in all files in /home/ipaudit.


