Monitor network traffic/usage by PORT

You asked for ideas and... here is mine.

To solve your problem, you have two very limiting conditions:

  1. You're unable to take hands on your Cisco ('cause it's not yours and its configuration cannot be changed to suit your needs);

  2. You cannot change (at least, not easily) the way Zeroshell is working (due to the very nature of Zeroshell itself: it's quite complex to rebuild Zeroshell to suit your needs [see below]).

On the other hand, as you want REAL_TIME_MONITORING and PER-PORT-TRAFFIC-ACCOUNTING, you're mostly forced to have at least one point (one network interface) where:

  1. All the traffic will be flowing, so that you can "account" for all of it;
  2. the interface is "owned" by some equipment you can manage.

What I have done in such situations is to REPLACE the existing appliance (in your case: Zeroshell; in my case various hardware appliances from various vendors) with something I can fully manage without constraints: a common linux box with at least two interfaces properly configured to route/firewall traffic.

Let's suppose this could be OK for you (...even though I understand that could be an issue for you, due to the initial setup efforts).

IF such a machine is available, THEN I'd add to the set of software to install on it:

  • IPTRAF: despite its age, it's still perfectly able to give out REAL-TIME data from your network interfaces. It provides a character user interface, so it can be launched remotely, within a simple SSH connection (no web, no big GUI libraries, etc.);

  • NTOP: from the official website: "...a network traffic probe that shows the network usage, similar to what the popular top Unix command does...". NTOP is way more feature-rich than IPTRAF. Definitely more powerful (but more complex to configure/install than a single "apt-get install" or "yum install").

As clearly stated, both tools above provide good REAL-TIME data (as you asked in your question). Anyway, I'm quite confident that you ALSO need asynchronous data: I'm sure you also want to be able to check something like: "who were the hosts/MACs that generated/consumed most of the traffic, yesterday? And for which protocols?", probably drilling down such data back to a single IP/MAC/PORT, and down to a granularity of.... 1 minute. Don't you? In such a case I strongly recommend:

  • PMACCT: from the official website: "...pmacct is a small set of passive network monitoring tools to measure, account, classify, aggregate and export IPv4 and IPv6 traffic..". Please note that PMACCT can solve a wide range of problems, most of them suited for big/large ISPs/operators. Nevertheless, it can run perfectly on your linux-box and account for traffic flowing along its interfaces. With a configuration like this:

    host:~# cat /etc/pmacct/pmacctd.conf

    interface: eth0
    daemonize: true
    aggregate: src_mac,dst_mac,src_host,dst_host,proto,src_port,dst_port

    ports_file: /etc/pmacct/ports.list

    plugins: mysql

    sql_user: pmacct
    sql_passwd: sqlpassword
    sql_db: pmacct
    sql_table: acct_v4_%Y_%m_%d
    [...]

it can easily keep track of traffic flowing along eth0 in a MySQL table, so that you can easily check what happened on your network with a common/simple SQL query.

Just to give you some real numbers, I've successfully used PMACCT on a server with a XEON X3350; 4GB of RAM; 4 Broadcom GigaEth interfaces; nearly 70 VLANs configured on eth0 and pmacct listening on all of them; +/- 300GB of various IP traffic routed on a daily basis; PMACCT generating accounting EVERY_MINUTE, for EVERY_VLAN, for EVERY tuple (src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port); +/- 60.000.000 accounting records per day. All of this, without any issue (but writing to text files, not to MySQL). In smaller environments, anyway, there are no problems in writing directly to MySQL.

Also, please note that thanks to PMACCT I keep track of EACH IP address seen on my networks, on a daily basis (in other words: I know that 10.29.19.89 has not been seen since July 16th 2014; 172.17.1.45 has never been seen [since the start of PMACCT accounting]; etc.).

Also on PMACCT: I have configured the Ethernet switch connecting my main Internet gateway to "mirror" its traffic to a free port, where I've plugged an ad-hoc linux-box accounting all the Internet traffic (a 1GEth link). No issue at all.

A final note about PMACCT: should you (or some other readers) wonder why I did NOT choose some more common NETFLOW/IPFIX probe/collector, the reason is very simple: PMACCT is the only one I've found that is able to account MAC addresses as well.
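As an added example (not part of the answer above, and not pmacct's own code), here is how the drill-down questions the answer raises (bytes per port, top talkers by IP/MAC, last time an IP was seen) can be answered offline over per-minute records shaped like the aggregate in the pmacctd.conf above. The CSV column names and the timestamp column are assumptions standing in for whatever pmacct's print or SQL plugin actually emits, and the rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, one per accounting interval, in the shape of the
# answer's aggregate (src_mac,dst_mac,src_host,dst_host,proto,src_port,dst_port).
# Column names are an assumption, not pmacct's guaranteed output format.
SAMPLE = """\
TIMESTAMP,SRC_MAC,DST_MAC,SRC_IP,DST_IP,PROTOCOL,SRC_PORT,DST_PORT,PACKETS,BYTES
2014-07-16 10:00:00,00:11:22:33:44:55,aa:bb:cc:dd:ee:ff,10.29.19.89,93.184.216.34,tcp,51000,443,120,90000
2014-07-16 10:00:00,00:11:22:33:44:66,aa:bb:cc:dd:ee:ff,172.17.1.46,93.184.216.34,tcp,51001,80,40,12000
2014-07-16 10:01:00,00:11:22:33:44:66,aa:bb:cc:dd:ee:ff,172.17.1.46,8.8.8.8,udp,40000,53,10,800
2014-07-17 09:00:00,00:11:22:33:44:66,aa:bb:cc:dd:ee:ff,172.17.1.46,93.184.216.34,tcp,51002,443,300,250000
"""


def load_records(text):
    """Parse the CSV; counters become ints and TIMESTAMP a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["PACKETS"] = int(row["PACKETS"])
        row["BYTES"] = int(row["BYTES"])
        row["TIMESTAMP"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def account(records, keys, day=None):
    """Sum bytes per tuple of the given columns, e.g. ("PROTOCOL", "DST_PORT")
    for per-port accounting or ("SRC_IP", "SRC_MAC") for top talkers,
    optionally restricted to one day (YYYY-MM-DD); sorted by bytes, descending."""
    totals = defaultdict(int)
    for r in records:
        if day and r["TIMESTAMP"].strftime("%Y-%m-%d") != day:
            continue
        totals[tuple(r[k] for k in keys)] += r["BYTES"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def last_seen(records):
    """Most recent interval in which each IP appeared as source or destination;
    an IP missing from the result has never been seen in the accounting data."""
    seen = {}
    for r in records:
        for ip in (r["SRC_IP"], r["DST_IP"]):
            if ip not in seen or r["TIMESTAMP"] > seen[ip]:
                seen[ip] = r["TIMESTAMP"]
    return seen
```

Pointing `load_records` at a day's worth of pmacct output instead of `SAMPLE` gives the "yesterday, by port and by host" view the answer describes, at the one-minute granularity pmacct writes.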