Monitor Internet activity?
 

Is there a small utility or application out there which can tell me how much, how little, if/any internet activity I have on a computer on a network?

I programmed my router to deny in/out access to one of the computers connected to it..I just want to make sure there's zip activity with the Net on that particular mac

thanks!

gphz

If you are on OSX 10.4.6, go to Utilities/Activity Montior and select the Network tab. That will allow you to view all of your current networking activities.

There's several good options. The ones that come to my mind involve installing additional software in your command line. For example, ntop has an interface something like top, except it shows current network activity instead of the processes running on your computer. It is easily available with fink.

Another choice is ethereal. That also involves having X11 installed, though, so it's more complicated. It is extremely powerful and shows you a LOT of stuff on the network. It's also available on fink.

Trevor

I'm on 10.4.5, and Activity Monitor does have a Network tab..

will I don't see how it shows network activity..

look at the others named...

thanks!

gphze

Is the user of the offline Mac hostile ?
Explaining what all this is about might help to come up with an appropriate solution.

If you want to monitor network traffic from that Mac from another one, you'd need to have a switch with a monitor port or a -cough- hub, otherwise you won't see the packets unless you do some pretty sophisticated ARP-spoofing.

Sorry...

No..not a hostile user. I want to prevent surfing and sending/receiving e-mail..in short, ALL in/out internet traffic of any kind.

I want the other mac to see and be seen on my ethernet set up, but not to have anything at all to do with the web.

I was hoping there was a utility out there which could "prove" that my router settings are now accomplishing this.

thanks!

gphaze

Why not just try surfing on this blocked computer, try sending some emails and a few other things, ftp, ping, etc, etc, etc. And if they are all blocked then you should be good..Yes?

(smacks head) d'oh!

Yeah..good ol' empirical evidence. A good idea.. I must admit I'm just a hair suspicious of what might be going on under the hood with respect to little apps that might be "doing things."

Maybe I'm reading too much into articles on line which cover this..

gphaze

What people have been telling you is that the packets from that Mac go from that machine to your router and then out to the Internet. So if you want to monitor what that machine is doing, it will have to be with something that is on that machine itself, or on the router, or on some machine which is physically intermediate on the wire between that Mac and the router.

The easiest way to prevent a Mac from being able to access the web or email etc, would be to set up firewall rules on that Mac to prevent this sort of traffic. Of course you would need to restrict admin access to that Mac so that the user (other users?) would not be able to disable these firewall restrictions.

You could also try a 3rd party firewall program on the Mac and blacklist any programs (Safari, Firefox, Mail, etc) to be blocked access.
You'd have double protection from the Net.
Depends on who you are trying to block access to.

Just remember to block any programs that might allow a VPN to your computer and then out through your router that way...;)

There's a really interesting article regarding the sniffing of switched networks at SANS: Why your switched network isn't secure.

Also, even without any ARP-spoofing, MAC flooding, or MAC duplicating, or without special placement (such as using a monitor port on the switch), ntop and ethereal see a lot of other people's packets going by, just by putting your computer into promiscuous mode.

Trevor

You must have a very broken switch for this to happen ;) .
There are some switches with buggy firmware/ASICs out there which misdirect packets on occasion, but you can't rely on it to see the complete traffic.

The easiest way to keep that Mac offline would be to enter a bogus default gateway, a lot less hassle than coming up with firewall rules or null-routing anything but the local subnet.
Only downside: it'll just take a bit before connection attempts time out.

DMZ's are always fun, that is; if you REALLY want to isolate your computer from the rest of the world.

No, you don't need to have a broken switch or buggy firmware. Let me clarify:

Putting your computer into promiscuous mode on a switched network will let you see all of the multicast and broadcast packets (as well as the ones destined for your MAC, of course). And there are a LOT of multicast and broadcast packets, including some containing sensitive information.

Try it sometime if you don't believe me.

Of course, if you want to see everything including all of the unicast packets on a switched network, then you'd need to use ARP spoofing, MAC flooding, or MAC duplicating, or else use a special monitoring port on the switch or other special placement such as using two network cards and placing your computer between the outgoing network connection (such as a modem) and the LAN.

I certainly do.
But stuff like ARP packets, multi- and broadcasts are not "a lot of other peoples packets" in my book, not seeing them would break functionality and this is entirely up-to-spec behaviour.
Of course some of these packets contain useful information to map a network and the very way ARP was designed back in the days when nobody had malicious uses in mind opens the possibility to do pretty evil things by just artfully hand-crafting a couple of packets to pull of some pretty impressive stunts.
But for the purpose of this thread, I can't think of any type of packet that would be expected to fly by on all ports to be useful in order to determine whether the isolated Mac has a successful WAN connection going.

So basically, we agree on the facts, but not on how to word them.

I have an app called net monitor installed that shows me my internet traffic, inbound and outbound. However it only shows me the total bandwidth being used and not which apps are using the connection. Does anyone know of an app for osx that will show me which apps are using my internet connection in real time and how much bandwidth they're using? I've had some odd internet traffic over the past 2 days and i'd like to find out which apps are accessing my connection without my knowledge.

You could check LittleSnitch out. I don't think it provides traffic volume info, but does identify traffic on an app by app basis.

Not free, but might provide what you're looking for.

<http://www.versiontracker.com/dyn/moreinfo/macosx/17642>

add'l cmt: Actually LittleSnitch monitors outgoing traffic. However, it works together with NetworkMonitor (included/bundled with LS) which shows the app by app traffic, although you can enable/disable it independently.

hmm, yes this looks like the kind of thing i'm after. thanks iampete.

Just a word of warning -

LittleSnitch will ask for permission to allow your computer (on an application by application basis) to connect to external hosts. Each time, it will give you the option to allow or disallow "once", "until the application quits", or "forever". It will save these options but you can change them at any time.

The first few times you go surfing, it can be quite intimidating because you'll get the ask permission dialogs very frequently, every couple of seconds!. As you respond each time and add to its database, you won't be asked about items to which you've already responded, and after a while, it'll ask very infrequently.

Yeah, it's annoying, but it goes away.

I just wanted to warn you what to expect, since I know quite a number of people that gave up on it before they allowed it to populate its database.

it's what i expected, i'm used to that sort of stuff from using various firewalls on windows pc's. it's settling down nicely now.

I think the new version of Little Snitch also has a application connection monitor, which lists all the current apps connected to the internet.