
Solaris Network Surveillance

tker is a tool for Solaris system administrators managing open networks in hostile environments (university computer labs, for example). What the client really needed was to monitor 200 servers in real time with one qualified admin and one student assistant.

This tool can do lots of cool stuff:

  • Get computer info including ARP and IP address, snoop packets from/to the host, check login history, grab error logs, view the monitor, view all keystrokes, processes, memory use, etc.
  • Work with computers by deactivating network cards, configuring hubs, configuring Win95 with Back Orifice, and launching telnet, ftp, ssh, ping, and nmap.
  • Get info about a user including login history, current logins, contents of text terminals, contents of graphics terminals, keystrokes, disk usage, network traffic, processes, memory use, etc.
  • Work with user accounts by locking accounts, killing processes, checking disk use, deleting accounts, and editing config files.
  • Monitor system CPU with tyr, ps, xosview, procmeter, top, etc.
  • Single click access to common tools like admintool and linuxconf.
  • Very sophisticated network packet analysis.

The use cases:

  • The tool will alert an administrator of excessive CPU consumption by a single user on a shared system. The administrator, with two clicks, can then see what, and who, is consuming the resources. Three clicks later the admin can be viewing the contents of TTY sessions, VNC sessions, and/or X Window servers. With just two clicks more, the user's system activity (network traffic, TTY logs, X11 events, keystrokes, and mouse movements) can be logged for later disciplinary review by the IT security board. And finally, just one more click away, the admin can disconnect the user or take over any TTY sessions, X11 clients, or VNC sessions.
  • The tool notifies local administrators when critical systems that should not be accessed from shared, student labs are accessed -- administrative computers holding student grades for example. Logging of all host activity (network traffic, TTY logs, X11 events, keystrokes, and mouse movements) is automatically initiated without admin intervention. When the admin brings up the tool, a monitoring window showing host activity is automatically opened -- one click and the host is disconnected from the network at the layer 2 switch, two clicks and the admin has taken over the host (X11, VNC, and TTY).
  • The tool provides novice administrators with the ability to trace TCP/IP flows/streams without knowing much about TCP/IP. For example, a TTY connected to a telnet session may be selected, and the network ports the TTY is using will be detected. The session traffic from just that telnet can then be isolated, and the contents of the packets extracted. The contents can even be sent to a screen replay tool so that one can "watch" the session after the fact.
  • The network syslog messages are automatically monitored, and when trigger patterns are matched (a sequence of messages or a simple regular expression on single messages) an action is triggered.
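The TTY-to-flow tracing described in the third use case, as an added example that is not tker's own code. It works back from the TTY to the socket of the process attached to it (a constructed stand-in for Solaris `pfiles` output), keeps only packets belonging to that 4-tuple, and reassembles each direction in TCP sequence order, trimming retransmissions and counting capture holes. The packets, addresses and ports are all invented for the example.

```python
"""Isolate one telnet session's TCP stream by working back from the TTY.

Added example, not tker's own code. Addresses, ports, the pfiles listing
and the packets below are all constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed stand-in for `pfiles <pid>` on the in.telnetd serving /dev/pts/3.
PFILES_SAMPLE = """\
   0: S_IFCHR mode:0620 dev:32,0 ino:12345 uid:1001 gid:7 rdev:24,3
      /dev/pts/3
   1: S_IFSOCK mode:0666 dev:4,0 ino:6789 uid:0 gid:0 size:0
      sockname: AF_INET 10.0.0.5  port: 23
      peername: AF_INET 10.0.0.77  port: 40123
"""


def socket_for_tty(pfiles_out, tty):
    """Return (local_ip, local_port, peer_ip, peer_port) of the socket held by
    the process whose pfiles listing mentions `tty`, or None if not found."""
    if tty not in pfiles_out.split():
        return None
    sock = re.search(r"sockname: AF_INET (\S+)\s+port: (\d+)", pfiles_out)
    peer = re.search(r"peername: AF_INET (\S+)\s+port: (\d+)", pfiles_out)
    if not (sock and peer):
        return None
    return sock.group(1), int(sock.group(2)), peer.group(1), int(peer.group(2))


def reassemble(packets, src, dst):
    """Concatenate the payload flowing from endpoint src=(ip, port) to dst in
    sequence order. Retransmitted or overlapping bytes are dropped; a hole
    (segment missing from the capture) is counted and skipped over.
    Returns (data, holes)."""
    flow = sorted((p for p in packets
                   if (p.src, p.sport) == src and (p.dst, p.dport) == dst),
                  key=lambda p: p.seq)
    data, holes, next_seq = bytearray(), 0, None
    for p in flow:
        end = p.seq + len(p.payload)
        if next_seq is None:
            next_seq = p.seq
        if end <= next_seq:
            continue                      # pure retransmission, already have it
        if p.seq > next_seq:
            holes += 1                    # capture missed a segment
        data += p.payload[max(0, next_seq - p.seq):]   # trim any overlap
        next_seq = end
    return bytes(data), holes


def extract_session(packets, pfiles_out, tty):
    """Client and server byte streams of the telnet session behind `tty`."""
    ep = socket_for_tty(pfiles_out, tty)
    if ep is None:
        return None
    server, client = (ep[0], ep[1]), (ep[2], ep[3])
    c2s, c_holes = reassemble(packets, client, server)
    s2c, s_holes = reassemble(packets, server, client)
    return {"client": c2s, "server": s2c, "holes": c_holes + s_holes}


# Constructed capture: the telnet login, one unrelated HTTP packet, one
# out-of-order segment and one retransmission.
PACKETS = [
    Packet("10.0.0.77", 40123, "10.0.0.5", 23, 1000, b"ro"),
    Packet("10.0.0.5", 23, "10.0.0.77", 40123, 5000, b"login: "),
    Packet("192.168.1.9", 51000, "10.0.0.5", 80, 1, b"GET / HTTP/1.0\r\n"),
    Packet("10.0.0.77", 40123, "10.0.0.5", 23, 1004, b"\r\n"),   # arrives early
    Packet("10.0.0.77", 40123, "10.0.0.5", 23, 1002, b"ot"),
    Packet("10.0.0.77", 40123, "10.0.0.5", 23, 1002, b"ot"),     # retransmission
    Packet("10.0.0.5", 23, "10.0.0.77", 40123, 5007, b"Password: "),
]

if __name__ == "__main__":
    print(extract_session(PACKETS, PFILES_SAMPLE, "/dev/pts/3"))
```

The client stream comes out as `root\r\n` and the server stream as `login: Password: ` even though the capture is out of order and contains a duplicate. On a real session the streams would also carry telnet option negotiation (IAC sequences), which a replay tool would need to strip or interpret before rendering.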

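The syslog trigger mechanism of the last use case, both rule types, as an added example that is not tker's own code: a single-message regular-expression rule (restricted to a set of critical hosts) and an ordered message-sequence rule tracked per (host, user, source) key, run over constructed Solaris-style syslog lines. The rule names, the `CRITICAL_HOSTS` set, and the hostnames, users and addresses in the sample are all assumptions made for the example.

```python
"""Syslog trigger engine: single-message regex rules and ordered
message-sequence rules, run over constructed sample log lines.

Added example, not tker's own code. Message formats approximate Solaris
syslog output; hostnames, users and addresses are invented.
"""
import re
from dataclasses import dataclass

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")


@dataclass
class Record:
    ts: str
    host: str
    proc: str
    msg: str


def parse_line(line):
    """Parse one BSD-style syslog line; returns None for lines that do not fit."""
    m = SYSLOG_RE.match(line)
    return Record(**m.groupdict()) if m else None


class SingleRule:
    """Fires on every message whose text matches `pattern`, optionally only
    for messages originating from one of `hosts`."""
    def __init__(self, name, pattern, detail, hosts=None):
        self.name, self.pattern, self.detail, self.hosts = name, pattern, detail, hosts

    def feed(self, rec):
        if self.hosts is not None and rec.host not in self.hosts:
            return None
        m = self.pattern.search(rec.msg)
        return (self.name, rec.host, self.detail(m)) if m else None


class SequenceRule:
    """Fires when messages sharing a key (derived by `key`) match `patterns`
    in order. Non-matching messages do not reset progress, so unrelated
    noise from the same source cannot hide the sequence."""
    def __init__(self, name, patterns, key, detail):
        self.name, self.patterns, self.key, self.detail = name, patterns, key, detail
        self.progress = {}            # key -> index of the next pattern expected

    def feed(self, rec):
        k = self.key(rec)
        if k is None:
            return None
        i = self.progress.get(k, 0)
        if not self.patterns[i].search(rec.msg):
            return None
        i += 1
        if i < len(self.patterns):
            self.progress[k] = i
            return None
        self.progress.pop(k, None)    # sequence complete: reset and fire
        return (self.name, rec.host, self.detail(k))


# Assumption for the example: hosts that must never be logged into from the labs.
CRITICAL_HOSTS = {"grades1", "registrar"}


def _auth_key(rec):
    """Key an sshd auth message by (host, user, source address)."""
    m = re.search(r"password for (\S+) from (\S+)", rec.msg)
    return (rec.host, m.group(1), m.group(2)) if m else None


def build_rules():
    """Fresh rule instances (sequence rules carry per-key state)."""
    return [
        SingleRule("critical-host-access", re.compile(r"LOGIN (\S+) FROM (\S+)"),
                   detail=lambda m: f"{m.group(2)} -> {m.group(1)}", hosts=CRITICAL_HOSTS),
        SequenceRule("ssh-bruteforce-then-success",
                     [re.compile(r"^Failed password")] * 2 + [re.compile(r"^Accepted password")],
                     key=_auth_key, detail=lambda k: f"{k[1]} from {k[2]}"),
    ]


def run_rules(lines, rules=None):
    """Feed every parseable line to every rule; return the triggered actions
    as (rule name, host, detail) in the order they fired."""
    rules = build_rules() if rules is None else rules
    actions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in rules:
            hit = rule.feed(rec)
            if hit:
                actions.append(hit)
    return actions


# Constructed sample syslog stream.
SAMPLE_LOG = [
    "Mar  3 09:12:01 lab17 sshd[2231]: Failed password for root from 10.0.0.77 port 40211 ssh2",
    "Mar  3 09:12:04 lab17 sshd[2231]: Failed password for root from 10.0.0.77 port 40212 ssh2",
    "Mar  3 09:12:07 lab17 sshd[2231]: Accepted password for root from 10.0.0.77 port 40213 ssh2",
    "Mar  3 09:13:40 grades1 login[440]: ROOT LOGIN /dev/pts/4 FROM lab17",
    "Mar  3 09:14:02 lab03 su: 'su root' failed for jdoe on /dev/pts/2",
]

if __name__ == "__main__":
    for action in run_rules(SAMPLE_LOG):
        print(action)
```

The action tuples are where a tool like the one described would start logging, open a monitoring window, or cut the port at the switch; here they are just returned so the rule logic can be checked. A production version would also expire per-key sequence state after a time window so that two failures a week apart do not count as one attack.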

Screenshots (captions only):

User Info:
  - finger output
  - login history
  - Processes & resource usage
  - Image of the user's X11 display
User Info:
  - Process list with process killing
  - Image of the user's Win95 screen
  - Summary of their disk use
  - Click-able list of their files
General user information:
  - Integration with tyr
  - User CPU & RAM consumption
  - Output of finger
  - Output of who
Network trace between two hosts

Details of a packet from the previous screen

© 2009 Mitch Richling