Overview
Effective network monitoring is essential for security and operational visibility. This guide covers fundamental concepts and tools for monitoring your network infrastructure.
Who Should Use This Guide
- Network administrators managing infrastructure
- Security analysts monitoring for threats
- System administrators troubleshooting connectivity
- SOC teams building detection capabilities
Why Monitor Your Network
| Benefit | Description |
|---|---|
| Intrusion Detection | Identify malicious activity early |
| Troubleshooting | Diagnose network issues quickly |
| Capacity Planning | Track bandwidth utilization trends |
| Compliance | Meet regulatory audit requirements |
| Forensics | Support incident investigation |
Requirements
System Requirements
| Component | Requirement |
|---|---|
| Operating System | Linux (Ubuntu 22.04+, Debian 12+) |
| RAM | 4GB minimum, 8GB+ recommended |
| Storage | 50GB+ for log retention |
| Network | SPAN/mirror port access recommended |
Tools Referenced
| Tool | Purpose | Installation |
|---|---|---|
| tcpdump | Packet capture | apt install tcpdump |
| Wireshark | Graphical analysis | apt install wireshark |
| Suricata | Network IDS | apt install suricata |
| Prometheus | Metrics collection | Container or binary |
| Grafana | Visualization | Container or binary |
Key Metrics to Monitor
Bandwidth and Throughput
| Metric | Description | Alert Threshold |
|---|---|---|
| Inbound traffic | Data received per interface | > 80% capacity |
| Outbound traffic | Data sent per interface | > 80% capacity |
| Protocol distribution | Traffic by protocol type | Unusual protocols |
| Peak usage | Maximum utilization times | No alert; input to capacity planning |
Connection Statistics
| Metric | Description | Alert Threshold |
|---|---|---|
| Active connections | Current established connections | > baseline + 50% |
| New connections/sec | Connection rate | > 1000/sec |
| Connection duration | Average session length | Anomalous patterns |
| Port utilization | Services in use | Unexpected ports |
Error Rates
| Metric | Description | Alert Threshold |
|---|---|---|
| Packet drops | Lost packets | > 1% |
| Retransmissions | TCP retries | > 5% |
| ICMP errors | Network layer issues | Sudden increase |
| Interface errors | Hardware/driver issues | Any sustained errors |
Process
Step 1: Install Packet Capture Tools
Set up fundamental traffic analysis capability.
Installation:

```bash
# Debian/Ubuntu
sudo apt update
sudo apt install tcpdump wireshark nethogs iftop -y
```

On Debian and Ubuntu the wireshark-common package asks whether non-superusers may capture; answering yes and adding analysts to the wireshark group lets Wireshark and dumpcap capture without running the GUI as root. Membership in that group grants raw packet access on every interface of the host, so restrict it to dedicated analysis machines.

Verification:

```bash
tcpdump --version
wireshark --version
```

Expected Output: Version information for each tool.
Step 2: Capture Network Traffic
Use tcpdump for command-line packet capture.
Basic Capture Commands:

```bash
# Capture traffic on interface (-n: no name resolution)
sudo tcpdump -i eth0 -n
# Capture specific port
sudo tcpdump -i eth0 port 443
# Capture and write to file
sudo tcpdump -i eth0 -w capture.pcap
# Read from capture file; keep -n so that reviewing a capture does not make
# the analyst host perform DNS lookups for attacker-controlled addresses
tcpdump -n -r capture.pcap
# Filter by host
sudo tcpdump -i eth0 host 10.0.0.50
# Capture specific protocols
sudo tcpdump -i eth0 'tcp port 80 or tcp port 443'
```

Capture files contain whatever crossed the wire, credentials and session tokens included: restrict their permissions and handle them as sensitive data. For long-running captures, the -C (file size in MB) and -W (file count) options rotate output files so a single capture cannot fill the disk.

Verification:

```bash
ls -la capture.pcap
```

Expected Result: Capture file created with packet data.
Step 3: Analyze Traffic with Wireshark
Use graphical analysis for deep packet inspection.
Common Display Filters:

| Filter | Purpose |
|---|---|
| http | HTTP traffic only |
| dns | DNS queries and responses |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | TCP connection attempts (SYN without ACK; tcp.flags.syn == 1 alone also matches the SYN-ACK replies) |
| tcp.flags.reset == 1 | Connection resets |
| frame.len > 1000 | Large packets |
| ip.addr == 10.0.0.100 | Specific IP address (either direction) |
Analysis Workflow:
- Open capture file in Wireshark
- Apply display filter for traffic type
- Follow TCP streams for full conversation
- Export suspicious traffic for further analysis
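The filters above are easier to reason about once you have seen what a capture file actually contains. The following is an added example, not code from this guide, Wireshark or tcpdump: it builds a small pcap in memory in the format that tcpdump -w writes, parses the Ethernet/IPv4/TCP headers with the standard library only, and implements the table's display filters as plain Python predicates. The four packets are constructed for the example; the reader handles only native-order microsecond pcap on Ethernet and ignores checksums.

```python
"""Minimal pcap reader with Wireshark display-filter equivalents (added example)."""
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4      # native byte order, microsecond timestamps (what tcpdump -w writes)
LINKTYPE_ETHERNET = 1
SYN, RST, ACK = 0x02, 0x04, 0x10


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet/IPv4/TCP frame. Checksums are left at zero: neither
    tcpdump -r nor this reader verifies them, and these packets never touch a NIC."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip4 + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialize frames as a pcap file: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("=IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> List[Dict]:
    """Return one dict per IPv4/TCP packet with the fields the filters below need."""
    magic, = struct.unpack_from("=I", data, 0)
    linktype, = struct.unpack_from("=I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only native-order microsecond pcap on Ethernet is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from("=IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4/TCP (or truncated)
        tcp_off = 14 + (frame[14] & 0x0F) * 4         # Ethernet header + IHL*4
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        packets.append({"ts": ts_sec, "len": len(frame),
                        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
                        "sport": sport, "dport": dport, "flags": frame[tcp_off + 13]})
    return packets


# Display-filter equivalents; the comment on each is the Wireshark expression.
def syn_without_ack(pkts):       # tcp.flags.syn == 1 && tcp.flags.ack == 0
    return [p for p in pkts if p["flags"] & SYN and not p["flags"] & ACK]

def resets(pkts):                # tcp.flags.reset == 1
    return [p for p in pkts if p["flags"] & RST]

def large_frames(pkts, n=1000):  # frame.len > 1000
    return [p for p in pkts if p["len"] > n]

def involving(pkts, ip):         # ip.addr == ip (either direction)
    return [p for p in pkts if ip in (p["src"], p["dst"])]

def on_port(pkts, port):         # tcp.port == port
    return [p for p in pkts if port in (p["sport"], p["dport"])]


# Constructed capture: a handshake and a 1400-byte push on 443, plus a stray RST.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.50", "10.0.0.100", 40000, 443, SYN),
    build_frame("10.0.0.100", "10.0.0.50", 443, 40000, SYN | ACK),
    build_frame("10.0.0.50", "10.0.0.100", 40000, 443, ACK | 0x08, b"A" * 1400),
    build_frame("10.0.0.7", "10.0.0.50", 22, 50000, RST),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(len(pkts), "TCP packets;", len(syn_without_ack(pkts)), "connection attempt(s);",
          len(large_frames(pkts)), "frame(s) over 1000 bytes")
    with open("sample.pcap", "wb") as fh:   # open this file in Wireshark to try the filters
        fh.write(SAMPLE_PCAP)
```

Running the script writes sample.pcap, which opens in Wireshark; applying the filters from the table to it gives the same packets the Python predicates return. Note that only the SYN-without-ACK filter isolates connection attempts: the SYN-ACK reply also has the SYN bit set.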
Step 4: Monitor Real-Time Bandwidth
Track bandwidth usage by process and connection.
Using iftop:

```bash
sudo iftop -i eth0
```

Key Display Information:
| Column | Description |
|---|---|
| TX | Transmitted data |
| RX | Received data |
| TOTAL | Combined bandwidth |
| Cumulative | Session totals |
Using nethogs (per-process):

```bash
sudo nethogs eth0
```

Verification: Real-time display shows active connections and bandwidth.
Step 5: Deploy Suricata IDS
Install network-based intrusion detection.
Installation:

```bash
sudo apt install suricata -y
```

Configuration (/etc/suricata/suricata.yaml):

```yaml
vars:
  address-groups:
    # Narrow this to the ranges you actually own. Many rules key on the
    # $HOME_NET -> $EXTERNAL_NET direction, and an over-broad HOME_NET
    # hides attacks that arrive from "internal" addresses.
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0        # the SPAN/mirror interface, not the management port
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json   # written under default-log-dir (/var/log/suricata)
      types:
        - alert
        - dns
        - http
        - tls
```

Update Rules:

```bash
sudo suricata-update
sudo systemctl restart suricata
```

suricata-update writes the merged ruleset to /var/lib/suricata/rules/suricata.rules; confirm that default-rule-path and rule-files in suricata.yaml point there, otherwise the restarted daemon keeps loading the stale packaged rules. Suricata's -T option validates the configuration and rules before you restart.

Verification:

```bash
sudo systemctl status suricata
tail -f /var/log/suricata/fast.log
```

Expected Result: Suricata running; alerts appearing in fast.log and, as JSON records, in /var/log/suricata/eve.json. A quiet mirror port produces no alerts at all, so confirm packets are being processed from the increasing capture counters in stats.log (enabled by default) rather than from the absence of errors.
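fast.log is fine for a quick look, but eve.json is what you will actually analyse. The following is an added example, not part of Suricata or this guide: it reads EVE records, keeps the alert events, and summarises them by signature, severity and source so that a noisy rule or a single scanning host stands out. The records are constructed to mimic the EVE alert schema (timestamp, event_type, src_ip, dest_ip, dest_port, alert.signature_id, alert.signature, alert.severity); the signature names are made up and the sids sit in the local-rule range. load_eve reads the real file.

```python
"""Triage Suricata EVE alerts (added example; sample records are constructed)."""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator


def _alert(ts, src, dst, dport, sid, sig, severity) -> str:
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "dest_port": dport, "proto": "TCP",
                       "alert": {"signature_id": sid, "signature": sig, "severity": severity}})


# Constructed sample: three hits of one scan rule from one source, one high-severity
# C2 alert, one policy alert, a non-alert dns event and a line cut off by log rotation.
SAMPLE_EVE_LINES = [
    _alert("2026-01-10T08:00:01.000000+0000", "203.0.113.10", "10.0.0.50", 22, 9000001, "EXAMPLE SCAN SSH brute force", 2),
    _alert("2026-01-10T08:00:02.000000+0000", "203.0.113.10", "10.0.0.50", 22, 9000001, "EXAMPLE SCAN SSH brute force", 2),
    _alert("2026-01-10T08:00:03.000000+0000", "203.0.113.10", "10.0.0.50", 22, 9000001, "EXAMPLE SCAN SSH brute force", 2),
    _alert("2026-01-10T08:01:00.000000+0000", "10.0.0.77", "198.51.100.5", 443, 9000002, "EXAMPLE MALWARE Beacon to known C2", 1),
    _alert("2026-01-10T08:02:00.000000+0000", "10.0.0.23", "10.0.0.9", 80, 9000003, "EXAMPLE POLICY Cleartext HTTP credentials", 3),
    json.dumps({"timestamp": "2026-01-10T08:02:30.000000+0000", "event_type": "dns", "src_ip": "10.0.0.23",
                "dest_ip": "10.0.0.2", "dns": {"type": "query", "rrname": "www.example.com", "rrtype": "A"}}),
    '{"timestamp": "2026-01-10T08:03:00.000000+0000", "event_type": "alert", "src_ip": "10.0.0.23"',
]


def iter_alerts(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield alert records; other event types and unparseable lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:        # partial line (rotation, crash) - never abort the run
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec


def summarize(lines: Iterable[str]) -> Dict:
    alerts = list(iter_alerts(lines))
    # Suricata severity: 1 is the highest; those go to a human first.
    critical = [(a["timestamp"], a["src_ip"], a["dest_ip"], a["dest_port"], a["alert"]["signature"])
                for a in alerts if a["alert"]["severity"] == 1]
    return {
        "total": len(alerts),
        "by_signature": Counter((a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts),
        "by_severity": Counter(a["alert"]["severity"] for a in alerts),
        "by_source": Counter(a["src_ip"] for a in alerts),
        "critical": critical,
    }


def noisy_signatures(summary: Dict, share: float = 0.5):
    """Signatures producing more than `share` of all alerts: candidates for
    threshold/suppress entries rather than for disabling outright."""
    total = summary["total"] or 1
    return [sig for sig, n in summary["by_signature"].items() if n / total > share]


def load_eve(path: str = "/var/log/suricata/eve.json") -> Dict:
    with open(path, encoding="utf-8") as fh:
        return summarize(fh)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVE_LINES)
    print(s["total"], "alerts;", "critical:", s["critical"])
    print("top sources:", s["by_source"].most_common(3))
    print("noisy:", noisy_signatures(s))
```

The parser deliberately tolerates a truncated line: eve.json is appended to continuously and rotated, and a triage script that dies on the first bad record is one that nobody runs.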
Step 6: Set Up Prometheus Monitoring
Deploy metrics collection infrastructure.
Install Node Exporter:

```bash
wget https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz
tar xvf node_exporter-1.7.0.linux-amd64.tar.gz
sudo mv node_exporter-1.7.0.linux-amd64/node_exporter /usr/local/bin/
```

Each release also publishes a sha256sums.txt; compare the tarball's digest against it before installing a binary that will run on every host.

Create Systemd Service (/etc/systemd/system/node_exporter.service):

```ini
[Unit]
Description=Node Exporter
After=network.target

[Service]
Type=simple
# Node Exporter only reads /proc and /sys; it does not need root.
DynamicUser=yes
ExecStart=/usr/local/bin/node_exporter
Restart=always

[Install]
WantedBy=multi-user.target
```

Enable Service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now node_exporter
```

Verification:

```bash
curl http://localhost:9100/metrics | head -20
```

Expected Result: Prometheus metrics displayed. By default the exporter listens on all interfaces on port 9100 without authentication, and its output reveals the kernel version, mounted filesystems and interface names; restrict port 9100 to the Prometheus server with a host firewall, or bind it to a specific address with the --web.listen-address flag.
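Bandwidth alerts are built on rate() over the node_network_receive_bytes_total counter, and two details of that computation decide whether the alert is meaningful: counters reset when the exporter or host restarts, and the metric is per interface, loopback included. The following is an added example, not code from Prometheus or node_exporter: it parses the text exposition format that the curl above returns, computes bytes per second between two scrapes the way rate() does (a decrease is treated as a reset), and expresses the result as a share of link capacity using node_network_speed_bytes, which is how the "> 80% capacity" threshold from the metrics table is evaluated. The two scrape bodies are constructed; PromQL's extrapolation to the window edges is omitted.

```python
"""Two-scrape rate() over node_exporter text output (added example, constructed data)."""
import re
from typing import Dict, Tuple

LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
SeriesKey = Tuple[str, Tuple[Tuple[str, str], ...]]


def parse_metrics(text: str) -> Dict[SeriesKey, float]:
    """Parse the Prometheus text exposition format: `name{l="v",...} value [timestamp]`."""
    series: Dict[SeriesKey, float] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # HELP/TYPE comment lines
            continue
        if "{" in line:
            name, rest = line.split("{", 1)
            label_txt, rest = rest.split("}", 1)
            labels = tuple(sorted(LABEL_RE.findall(label_txt)))
        else:
            name, rest = line.split(None, 1)
            labels = ()
        series[(name, labels)] = float(rest.split()[0])
    return series


def per_device(series: Dict[SeriesKey, float], metric: str) -> Dict[str, float]:
    return {dict(labels).get("device", ""): v for (name, labels), v in series.items() if name == metric}


def rate_per_device(prev_text: str, cur_text: str, seconds: float,
                    metric: str = "node_network_receive_bytes_total") -> Dict[str, float]:
    """Bytes/second per interface between two scrapes. As in PromQL rate(), a counter
    that went *down* is assumed to have reset to zero (exporter or host restart), so
    the increase is the current value itself rather than a negative number."""
    prev = per_device(parse_metrics(prev_text), metric)
    cur = per_device(parse_metrics(cur_text), metric)
    rates = {}
    for dev, now in cur.items():
        if dev in prev:
            increase = now - prev[dev] if now >= prev[dev] else now
            rates[dev] = increase / seconds
    return rates


def over_threshold(rates: Dict[str, float], threshold: float, exclude=("lo",)):
    """Interfaces above an absolute bytes/s threshold; loopback is excluded by default,
    since local traffic never touches the wire and would fire the alert constantly."""
    return sorted(d for d, r in rates.items() if d not in exclude and r > threshold)


def utilization(rates: Dict[str, float], speeds_text: str,
                metric: str = "node_network_speed_bytes") -> Dict[str, float]:
    """Share of link capacity in use, for interfaces that report a speed
    (loopback and most virtual interfaces do not, so they are simply absent)."""
    speeds = per_device(parse_metrics(speeds_text), metric)
    return {d: rates[d] / speeds[d] for d in rates if speeds.get(d, 0) > 0}


# Constructed scrapes 60 s apart: eth0 busy on a 1 Gbit/s (1.25e8 B/s) link, loopback
# busier still, and eth1's counter went from 900 down to 100 (reset between scrapes).
SCRAPE_T0 = """\
# HELP node_network_receive_bytes_total Network device statistic receive_bytes.
# TYPE node_network_receive_bytes_total counter
node_network_receive_bytes_total{device="eth0"} 1e+09
node_network_receive_bytes_total{device="eth1"} 900
node_network_receive_bytes_total{device="lo"} 5e+09
node_network_speed_bytes{device="eth0"} 1.25e+08
node_network_speed_bytes{device="eth1"} 1.25e+08
"""
SCRAPE_T60 = """\
node_network_receive_bytes_total{device="eth0"} 8.2e+09
node_network_receive_bytes_total{device="eth1"} 100
node_network_receive_bytes_total{device="lo"} 1.4e+10
node_network_speed_bytes{device="eth0"} 1.25e+08
node_network_speed_bytes{device="eth1"} 1.25e+08
"""

if __name__ == "__main__":
    r = rate_per_device(SCRAPE_T0, SCRAPE_T60, 60)
    print("rates B/s:", r)
    print("over 100 MB/s (lo excluded):", over_threshold(r, 100_000_000))
    print("utilization:", utilization(r, SCRAPE_T60))
```

With these inputs eth0 runs at 120 MB/s, which is 96% of a gigabit link and well past the 80% line, loopback is excluded, and eth1's reset yields a small positive rate instead of a large negative one. The same two corrections belong in the PromQL: a device!="lo" selector, and a threshold expressed against node_network_speed_bytes rather than a fixed byte count when link speeds differ across hosts.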
Step 7: Configure Alerting
Set up alerts for security-relevant events.
Prometheus Alerting Rules:

```yaml
groups:
  - name: network
    rules:
      # Per-interface receive rate. Loopback is excluded: local traffic never
      # touches the wire and would otherwise keep this alert firing.
      - alert: HighBandwidth
        expr: rate(node_network_receive_bytes_total{device!="lo"}[5m]) > 100000000
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: High inbound bandwidth detected
      - alert: ManyConnections
        expr: node_netstat_Tcp_CurrEstab > 1000
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: Unusual number of connections
```

The 100000000 bytes/s (100 MB/s) and 1000-connection thresholds are placeholders: derive real values from the baseline documented for each host, and validate the file with promtool check rules before loading it.

Common Indicators of Compromise
Suspicious Traffic Patterns
| Indicator | Description | Detection Method |
|---|---|---|
| Port scans | Sequential port connections | Suricata rules, connection logs |
| Beaconing | Regular intervals to same destination | Flow analysis, timing patterns |
| DNS tunneling | Unusual DNS query patterns | DNS log analysis, query length |
| Data exfiltration | Large outbound transfers | Bandwidth monitoring, flow analysis |
| C2 traffic | Connections to known bad IPs | Threat intelligence integration |
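The detection methods in the table are easier to apply once written down as concrete heuristics. The following is an added example, not code from this guide or from Suricata: it runs four of the table's detections over flow and DNS records shaped like Suricata's EVE flow and dns events (src_ip, dest_ip, dest_port, bytes_toserver, and the DNS rrname). The records are constructed, timestamps are simplified to epoch seconds, HOME_NET mirrors the Suricata configuration above, and the registered-domain grouping uses the last two labels rather than a public-suffix list, which is a simplification.

```python
"""IOC heuristics over flow and DNS records (added example; all data constructed)."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def flow(ts, src, dst, dport, bytes_toserver=500):
    return {"timestamp": ts, "src_ip": src, "dest_ip": dst, "dest_port": dport,
            "bytes_toserver": bytes_toserver}


# Constructed sample traffic: a port sweep, a jittered 60 s beacon, an ordinary
# irregular client, and one large upload to an external host.
FLOWS = [flow(i * 0.1, "203.0.113.10", "10.0.0.50", 20 + i, 60) for i in range(21)]
_t = 1000.0
FLOWS.append(flow(_t, "10.0.0.77", "198.51.100.5", 443, 1200))
for gap in (59, 61, 60, 60, 58, 62, 60, 60, 61, 59, 60):
    _t += gap
    FLOWS.append(flow(_t, "10.0.0.77", "198.51.100.5", 443, 1200))
FLOWS += [flow(t, "10.0.0.23", "10.0.0.9", 80) for t in (0, 7, 40, 41, 95, 300)]
FLOWS.append(flow(500, "10.0.0.23", "198.51.100.9", 443, 2_500_000_000))

DNS_QUERIES = [("10.0.0.23", "www.example.com"), ("10.0.0.23", "mail.example.com")]
DNS_QUERIES += [("10.0.0.77", hashlib.sha256(bytes([i])).hexdigest()[:40] + ".tun.example.net")
                for i in range(30)]                      # 30 unique 40-char labels: tunnel-like


def port_scans(flows, min_ports=15):
    """Sources that touched many distinct destination ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src_ip"], f["dest_ip"])].add(f["dest_port"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def beacons(flows, min_flows=6, max_cv=0.1):
    """Destinations contacted at near-constant intervals: low coefficient of
    variation (stdev/mean) of the gaps between connections."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src_ip"], f["dest_ip"], f["dest_port"])].append(f["timestamp"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg, 1)                   # the beacon period in seconds
    return found


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dns_tunnel_candidates(queries, min_unique=20, max_label=30, min_entropy=3.5):
    """Domains with many unique, long or high-entropy leftmost labels."""
    subs = defaultdict(set)
    for _src, name in queries:
        labels = name.rstrip(".").split(".")
        if len(labels) > 2:
            subs[".".join(labels[-2:])].add(labels[0])
    flagged = {}
    for domain, names in subs.items():
        longest = max(len(n) for n in names)
        ent = max(shannon_entropy(n) for n in names)
        if len(names) >= min_unique or longest >= max_label or ent >= min_entropy:
            flagged[domain] = {"unique": len(names), "longest": longest, "entropy": round(ent, 2)}
    return flagged


def exfiltration(flows, min_bytes=1_000_000_000):
    """Total bytes sent from an internal host to a single external destination."""
    totals = Counter()
    for f in flows:
        if is_home(f["src_ip"]) and not is_home(f["dest_ip"]):
            totals[(f["src_ip"], f["dest_ip"])] += f["bytes_toserver"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    print("scans:", port_scans(FLOWS))
    print("beacons:", beacons(FLOWS))
    print("dns tunnels:", dns_tunnel_candidates(DNS_QUERIES))
    print("exfil:", exfiltration(FLOWS))
```

Every threshold here (15 ports, a coefficient of variation of 0.1, 20 unique subdomains, 1 GB) is a starting point to be tuned against the documented baseline; the ordinary client in the sample, with gaps of 7 to 205 seconds, is evaluated by the beacon check and correctly not flagged, which is the property to preserve when tuning. Note that the exfiltration check uses HOME_NET membership rather than Python's ipaddress is_private, because the latter also treats the documentation ranges (such as 198.51.100.0/24) as private.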
Detection Examples
```bash
# Find potential port scans: SYN without ACK, i.e. connection attempts only
# ('tcp-syn != 0' alone also matches the SYN-ACK replies)
sudo tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' -c 1000
# Look for DNS tunneling (long queries); a crude first pass, the dns records in
# Suricata's eve.json are easier to analyse at scale
sudo tcpdump -i eth0 -n port 53 -A | grep -E '.{50,}\.'
# Large packets. This matches individual frames, not transfers: on a mirror port
# frames never exceed the MTU, so measure exfiltration from flow byte counts
# (eve.json flow records, iftop cumulative totals) rather than packet size.
sudo tcpdump -i eth0 -n 'greater 10000'
```

Troubleshooting
| Symptom | Possible Cause | Solution |
|---|---|---|
| No packets captured | Wrong interface | Verify interface with ip link |
| Permission denied | Missing privileges | Run with sudo |
| Suricata not alerting | Rules not loaded | Run suricata-update |
| High CPU on capture | Too much traffic | Use BPF filters |
| Missing metrics | Exporter not running | Check systemd status |
Verification Checklist
Tools
- tcpdump installed and working
- Wireshark available for analysis
- Suricata IDS deployed
- Prometheus/Grafana configured
Configuration
- SPAN/mirror port configured (if available)
- IDS rules updated
- Alerting rules defined
- Dashboards created
Operations
- Baseline traffic documented
- Log retention configured
- Alert escalation defined
- Regular review scheduled
Best Practices
| Practice | Description |
|---|---|
| Baseline Normal Behavior | Document typical patterns before detecting anomalies |
| Network Segmentation Visibility | Monitor inter-VLAN traffic at boundaries |
| Log Retention | Keep logs 90+ days for investigation |
| Regular Rule Updates | Update IDS signatures weekly |
Last Updated: January 2026