PURPOSE: This article shows how your TTC server may be used to passively monitor network traffic.
This article applies to:
- TTC Security Server v6.0x and v7.0x
Passive Monitoring Example
One way to use the Total Traffic Control Security Server is to passively monitor your network. This is a good way to monitor and analyze your network traffic without having to reconfigure network connections, and this mode can be operated for a demonstration period, such as a pre-purchase evaluation or pre-installation analysis.
In Passive mode, you can employ the various traffic reporting objects, such as the Traffic Classification Object and Content Filtering Object, to monitor and accumulate data for the various traffic reports.
You can then use the traffic reports to help justify and plan the implementation of an active TTC Security Server in your network, including pre-defining policies, configuration options and filtering rules.
Connecting the Passive Monitoring TTC Server to your network
In this mode, ONLY the Total Traffic Server's 'Internal Interface' card is used to monitor and record the desired traffic. It is simply plugged into either a mirrored port of your outside router or the same network hub used by your outside router. The TCP/IP stack should be disabled, just as in any other TTC setup. The external network interface is not used in this configuration. The Management NIC serves as the connection for remotely accessing the TTC Security Server's Management Console and the traffic reports.
Figure: Network Overview
Steps to create the Passive Monitoring Configuration
In building the configuration on the TTC Server, you simply identify the network IP Address that you want to monitor, such as your network's primary gateway or router interface to the internal network, and identify an unused internal IP address that the TTC Security Server will use.
- Open the 'Configuration Wizard', select 'New Configuration' and click 'Next'
- Choose 'Passive Monitor' from the list and click 'Next'
- Fill in the required Network Settings and click 'Next'
  - 'Ip Address to Monitor and Report on' is the IP of the mirrored port
  - 'Total Traffic IP Address' is just an available IP to be assigned to the Internal NIC, allowing it to communicate with the switch. This IP is different from that of the Management NIC
- Give the configuration a name and click 'Next'
- Review the information, make the configuration active and click 'Finish'
- If you did everything correctly, you should have a config something like picture 6 below
Troubleshooting
- In some instances it has been necessary to reboot the switch doing the port mirroring in order for traffic to mirror properly
If you would like to download the configuration file used to create the above sample, please see the Related Articles link below.