With my zoo of docker containers and multiple servers hosted locally or on some cloud providers, I feel the need more and more to understand what kind of network traffic is happening. Seeing my outbound traffic on some cloud providers, I’m sometimes wondering “huh, where did that traffic come from?”.

And honestly I have to say: I don’t know. Monitoring traffic is a real hurdle since I’m doing a lot via tunnels / WireGuard in between servers or to my clients. When I spin up a network analysis tool such as ntopng, I do see a lot of traffic happening that is “WireGuard”. Cool. That doesn’t help me one bit.

I would have to do some deep packet inspection I suppose and SSL interception to actually understand WHAT is doing stuff / where network traffic comes from. Honestly I wouldn’t be sure what stuff would be happening if there were some malicious thing running on the server, and I really don’t like that. I want to see all traffic and be able to assign it to “known traffic”, or in other words “this traffic belongs to Jellyfin”, “that traffic is my Gitea instance”, “the other traffic is Syncthing” or something along those lines.

Is there a solution you beautiful people in this subreddit recommend or use? Don’t you care?
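The attribution the question asks for (“this flow belongs to Jellyfin, that one to Gitea, and what is *that*?”) can be done on the Docker host itself, before anything enters a WireGuard tunnel, by joining the container addresses from `docker network inspect` with the host’s conntrack table. The script below is an added example written for this thread, not something from the post or from any of the tools mentioned in it. It assumes connection accounting is enabled on the host (the `net.netfilter.nf_conntrack_acct` sysctl) so that `conntrack -L` prints `packets=`/`bytes=` counters, and it works on constructed sample data in the shape of those two commands’ output. The helper names (`load_container_map`, `parse_flows`, `attribute`, `report`) are my own.

```python
"""Attribute container egress flows to container names.

Added example for the thread above, not code from the original post.
Inputs are constructed samples shaped like `docker network inspect` output
and `conntrack -L` output with accounting enabled (nf_conntrack_acct=1).
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample in the shape of `docker network inspect <net>` output;
# only the fields this script reads are included.
NETWORK_INSPECT_JSON = """
[
  {
    "Name": "media",
    "IPAM": {"Config": [{"Subnet": "172.18.0.0/16"}]},
    "Containers": {
      "a1b2": {"Name": "jellyfin", "IPv4Address": "172.18.0.3/16"},
      "c3d4": {"Name": "syncthing", "IPv4Address": "172.18.0.4/16"}
    }
  },
  {
    "Name": "git",
    "IPAM": {"Config": [{"Subnet": "172.19.0.0/16"}]},
    "Containers": {
      "e5f6": {"Name": "gitea", "IPv4Address": "172.19.0.2/16"}
    }
  }
]
"""

# Constructed flow records in the style of `conntrack -L` (original direction
# only; the reply tuple is omitted). The conntrack original tuple carries the
# pre-SNAT container source address, which is what makes attribution possible.
CONNTRACK_LINES = """\
tcp      6 431999 ESTABLISHED src=172.18.0.3 dst=203.0.113.10 sport=41234 dport=443 packets=120 bytes=84210 [ASSURED] mark=0 use=1
udp      17 29 src=172.18.0.4 dst=198.51.100.7 sport=22000 dport=22000 packets=40 bytes=5120 mark=0 use=1
tcp      6 431999 ESTABLISHED src=172.19.0.2 dst=203.0.113.55 sport=50000 dport=22 packets=10 bytes=1500 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=172.18.0.9 dst=192.0.2.99 sport=39000 dport=8443 packets=300 bytes=250000 [ASSURED] mark=0 use=1
"""

# Matches the first (original-direction) tuple of a conntrack line.
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+packets=\d+\s+bytes=(?P<bytes>\d+)"
)


def load_container_map(inspect_json):
    """Map container IPv4 address -> (container name, network name)."""
    mapping = {}
    for net in json.loads(inspect_json):
        for c in net.get("Containers", {}).values():
            ip = ipaddress.ip_address(c["IPv4Address"].split("/")[0])
            mapping[ip] = (c["Name"], net["Name"])
    return mapping


def load_subnets(inspect_json):
    """Map Docker network subnet -> network name (for 'in a Docker net but unknown' cases)."""
    return {
        ipaddress.ip_network(cfg["Subnet"]): net["Name"]
        for net in json.loads(inspect_json)
        for cfg in net.get("IPAM", {}).get("Config", [])
    }


def parse_flows(text):
    """Parse conntrack lines into dicts; lines without counters are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return flows


def label_source(src, container_map, subnets):
    """Container name, 'unknown@<net>' for a Docker subnet with no matching container, else 'unknown'."""
    if src in container_map:
        return container_map[src][0]
    for subnet, net_name in subnets.items():
        if src in subnet:
            return f"unknown@{net_name}"
    return "unknown"


def attribute(flows, container_map, subnets):
    """Return (bytes per label, list of flows that could not be tied to a container)."""
    totals = defaultdict(int)
    unattributed = []
    for f in flows:
        label = label_source(f["src"], container_map, subnets)
        totals[label] += f["bytes"]
        if label.startswith("unknown"):
            unattributed.append((label, str(f["src"]), f["dst"], f["dport"], f["bytes"]))
    return dict(totals), unattributed


def report():
    """Run the whole pipeline on the constructed samples."""
    cmap = load_container_map(NETWORK_INSPECT_JSON)
    subnets = load_subnets(NETWORK_INSPECT_JSON)
    return attribute(parse_flows(CONNTRACK_LINES), cmap, subnets)


if __name__ == "__main__":
    totals, unattributed = report()
    for name, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{name:16s} {nbytes:>10d} bytes")
    for entry in unattributed:
        print("UNATTRIBUTED:", entry)
```

On a real host you would feed it `docker network inspect $(docker network ls -q)` and `sudo conntrack -L` instead of the constructed strings. The fourth sample flow is the case worth watching for: a source inside the `media` subnet that matches no running container (a container that has since exited, or something that is not supposed to be there) is reported as `unknown@media` rather than silently folded into the totals.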

  • @PaulEngineer-89@alien.topB
    111 months ago

    Why not use Macvlan and join your Dockers to that rather than a bridge to Tailscale or Cloudflared? Then they are broken out so you can apply monitoring.

  • @elecboy@alien.topB
    111 months ago

    I use Pi-Hole & NextDNS for all my DNS and I check once a week, for extra security I run a Fortigate 61E with AV/IPS and of course VLAN just for IoT and NVR.

  • @Simon-RedditAccount@alien.topB
    111 months ago

    Do you monitor network traffic?

    Generally, no. But I seriously restrict container networking, most of my containers are unable to reach internet, unless absolutely necessary. Also, my firewall is not super-restrictive, but it is different from defaults :)

    Sometimes I do some monitoring though.

  • @SpongederpSquarefap@alien.topB
    111 months ago

    Yep, monitoring in multiple places with Zabbix

    I have pfSense as well (soon to be OPNsense) and that shows traffic per network it’s connected to, so that’s great for live traffic

    Zabbix monitors the networks and collects traffic data

    Zabbix also monitors all containers and their network traffic

  • @psychowood@alien.topB
    111 months ago

    I was recently thinking about setting up a transparent squid proxy at router level, I’m curious if it could be useful in this context.

  • @NeverNudeNo13
    111 months ago

    You probably want something like netgenius one. That’s enterprise grade but might be a good starting point to research. Alternatively you could look at IPS/IDS systems that can apply a set of definitions or rules to the analysis; Ubiquiti or Fortinet have some solutions for this sort of thing, but I’m sure there are alternatives out there which would be better depending on your needs.

    You are kind of asking several questions here though and may need to clarify a bit what goal you have in mind for the solution you are looking for.

  • @s7orm@alien.topB
    111 months ago

    I have my Unifi Switch mirror the trunk port and send that to Splunk Stream, but I haven’t found it that useless to have that level of data.

  • @wallacebrf@alien.topB
    111 months ago

    I use my Fortigate router as it logs everything natively. It logs DNS requests, outbound traffic, internal LAN local traffic, and so much more.

  • @zwamkat@alien.topB
    111 months ago

    It seems as if you would like to see all traffic identified up to layer 7. That is pretty much enterprise-level traffic inspection. I’ve done a lot of it on the edge of our network using a Palo Alto firewall with pretty much all software licenses enabled. I could create full-blown reports of single users and/or applications. I sure did point out some co-workers and applications who were misbehaving on our network.