Monitor the bandwidth usage of each computer on a network

I have a Linux box that I would like to use to monitor all bandwidth on my network. There are multiple computers all plugged into the network.

Is there some way to ARP spoof all the traffic through the Linux box and record the amount of bandwidth each computer is using?


I use Bandwidthd

BandwidthD tracks usage of TCP/IP network subnets and builds HTML files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each IP address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in CDF format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.


What you need to do is put the machine in the network between those machines and your connection to the internet, like so:

PC1 ----\
PC2 ----+---- monitor ---- router/modem/other ---- hinterwebs
PC3 ----/

You need two network cards in the monitor box, one for the local LAN's switch that the other machines plug into too, and one for the router. The monitor box would then either be set to act as a transparent bridge or (easier) it would perform NAT (like so) for the LAN. You can then use extra iptables rules with comments to mark them so that you can use something like collectd's iptables module (see here) to record packet and byte counts. You could also use tools like bandwidthd, though I've not used that myself. If you are looking to check current traffic rather than log the traffic for future analysis, you can just use iftop (see here, and should be available in all Linux distributions) to list what is going through the box right now.

Seeing the traffic for all the machines as you describe, without sitting the monitoring machine between the machines you want to monitor, is not really possible on a switched network, which all modern networks are. When using a hub, all you had to do was drop the network card into promiscuous mode and it would inspect all the traffic on the line, but with a switched network the switch makes sure each line only gets the packets it needs, not everything.
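
The commented iptables counting rules mentioned in the answer above, as an added example that is not part of the original posts: a script that prints (does not run) one upload and one download rule per LAN host for a monitor box doing NAT. The chain name `LAN_ACCT`, the host names and the addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example: prints per-host accounting rules for the monitor box.
# Chain name, host names and addresses are constructed sample values.
ACCT_CHAIN="LAN_ACCT"   # hypothetical name for a dedicated counting chain

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so that
# nothing else can end up inside a generated command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_acct_rules: read "name address" lines on stdin, print iptables commands.
# The rules have no -j target, so they only count packets and bytes and fall
# through; the comment is the label a collector can match on.
gen_acct_rules() {
    echo "iptables -N $ACCT_CHAIN"
    echo "iptables -I FORWARD -j $ACCT_CHAIN"
    while read -r name addr; do
        case "$name" in ''|\#*) continue ;; esac
        case "$name" in
            *[!A-Za-z0-9_-]*) echo "skipped: bad host name" >&2; continue ;;
        esac
        if ! is_ipv4 "$addr"; then
            echo "skipped $name: bad address" >&2; continue
        fi
        # FORWARD sees the LAN address in both directions when NAT is done
        # on this box: -s is traffic sent by the host, -d traffic sent to it.
        echo "iptables -A $ACCT_CHAIN -s $addr -m comment --comment ${name}-up"
        echo "iptables -A $ACCT_CHAIN -d $addr -m comment --comment ${name}-down"
    done
}

# Constructed sample inventory; review the output before piping it to sh.
gen_acct_rules <<'EOF'
# name  address
pc1 192.168.1.10
pc2 192.168.1.11
EOF
```

Once the rules are loaded, `iptables -L LAN_ACCT -v -n -x` shows the exact packet and byte counters for each commented rule.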