Security Basics mailing list archives

RE: using promiscuous mode to tabulate network statistics


From: "Daniel G. Rohan" <d-rohan () northwestern edu>
Date: Wed, 26 Nov 2008 10:48:20 +0300

Hi Terra,

Wireshark will indeed do what you are looking for in the first described scenario.  After you capture, or open up a 
saved capture, you can click on Statistics > IP Address > Create Stats (do not filter).

As far as viewing real-time statistics, Wireshark used to provide an interface for very simple stats (percentage of 
protocols, bytes captured, etc.), but I don't see that option anymore (perhaps it's there and buried). You might want to 
download an old version of Ethereal (previous name of Wireshark) and use that to provide your real-time analysis and 
then use Wireshark for any post-capture needs. If this is just a lab environment, this method might suffice.  If 
it's a more permanent or production environment, I would suggest using Cisco NetFlow and a collector box to gather the 
statistics you are looking for.

Good luck,

Dan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Terra Frost
Sent: Tuesday, November 25, 2008 8:51 PM
To: security-basics () securityfocus com
Subject: using promiscuous mode to tabulate network statistics

I have four computers all plugged into a hub and I'd like to see which
one (well, which IP address) is sending / receiving the most data.  To
do this, I was thinking I could just install a package that would
tabulate such statistics using promiscuous mode.  Wireshark can sniff
packets via promiscuous mode but if it can be used in this manner, I'm
unsure of how.

I'm also not interested in real time statistics - I just want to know
how much data has been sent / received since the analysis program has
been running.

Any ideas?
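
Added example, not part of either message in this thread: the per-address sent / received totals discussed above, computed offline from a saved capture. It assumes a classic pcap file (not pcapng) with Ethernet framing and untagged IPv4; the helper names, addresses and sample capture are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def build_frame(src, dst, payload_len):
    """Constructed sample frame: Ethernet + IPv4 header + zero payload."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + bytes(payload_len)

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def tally(pcap):
    """Return {ip: {"sent": bytes, "received": bytes}} for IPv4 frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip truncated frames and anything that is not untagged IPv4 (ARP, IPv6, VLAN).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        stats[src]["sent"] += orig_len      # orig_len = size on the wire
        stats[dst]["received"] += orig_len
    return dict(stats)

# Constructed capture: three IPv4 frames plus one ARP-sized frame that is skipped.
SAMPLE = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", 100),
    build_frame("10.0.0.2", "10.0.0.1", 1000),
    build_frame("10.0.0.3", "10.0.0.1", 50),
    b"\xff" * 12 + b"\x08\x06" + bytes(28),
])

if __name__ == "__main__":
    for ip, s in sorted(tally(SAMPLE).items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{ip:<12} sent={s['sent']:>6} received={s['received']:>6}")
```

To run it on a real capture, pass the bytes of the saved file to tally() in place of SAMPLE.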

