Bandwidth usage monitoring

How would you tell which computer was using up all of your Internet bandwidth?

If you cannot answer this question, this article is for you.  

The solutions below rely on established standards rather than proprietary software, so they should work with just about anything. Some commercial firewall appliances will already tell you this info. In this article I refer to Sonicwall, but the suggestions will provide valuable information regardless. The resulting information is extremely valuable to have when there are problems (either real, or just perceived by your users).

Now, if budget were not a problem and there was a pressing need to just purchase something, I would probably purchase the PRTG Network Monitor ($380) or Solarwinds Orion NPM ($2475) because they will work with just about anything and aren't tied to Sonicwall. They can even collect usage from packet sniffing, so they will work with ANYTHING.

The quick answer, if you need something "now", may be to just download and configure the Paessler PRTG trial or free version, or AdvancedRM. Both of these utilities rely on SNMP. PRTG can also collect info a few different ways and is more versatile and comprehensive. The free version is limited to 10 sensors, but the commercial version isn't that expensive compared to enterprise consoles. If you enable the SNMP services on each of the servers and user systems as well as the Sonicwall, you can compare charts and get what you need.

Being budget conscious, what I actually did was set up a Zenoss virtual machine, because I am an IT consultant and monitor multiple distributed client networks with diverse systems, servers, and devices. For the actual measurements, there are really three main ways I would accomplish this. They provide a robust, easier to manage, and more long term automated solution that will provide you with benefits you are not even aware of yet.

1.  Collect data manually and correlate it yourself. Get overall Internet utilization data from the Sonicwall using its web interface or, better yet, SNMP. Collect individual host utilization using an SNMP tool, or if you cannot use SNMP you can use perfmon in Windows or iptraf in Linux. This requires you to pull the stats together for analysis manually (i.e. spreadsheet/graph). Some SNMP stats tools: Monomon, AdvancedRM, Paessler PRTG, etc.

2. Collect data automatically from routers, switches, and firewalls using a Netflow/IPFIX utility or an SNMP console/utility that supports these protocols (most do). If you put a Netflow/IPFIX compatible managed switch in front of your firewall, one device will capture all internal utilization data, which can be compared to the SNMP utilization of the Sonicwall Internet or WAN interfaces. Higher end Sonicwalls support Netflow/IPFIX, so this could be accomplished with one device collecting everything.

3.  Collect utilization from each server, host, and network device directly using SNMP console/utility.

There are lower cost or free individual SNMP collection and graphing tools that collect and graph traffic data but do not compare and correlate ALL the traffic data that you could use to accomplish this.  You would have to pull the data together for comparison yourself.  This may get you through your current problem most quickly.

If these are Microsoft OS based machines, you can also use the performance monitor (perfmon) and MMC in Windows to get network interface utilization from all of the servers, user computers, and network devices to compare with the overall utilization at your Internet router or firewall. Most managed switches allow collection of stats via SNMP. You can collect basic overall usage via SNMP or stats within your firewall or bonded T-1 router.

The basic idea is to either collect utilization from one device (using Netflow/IPFIX) or collect it individually from each host and correlate the data and compare to overall Internet utilization.  Note that in order for netflow/IPFIX to be effective all hosts being monitored must not be behind NAT (Network Address Translation) or there must be a Netflow/IPFIX compatible device inside of NAT that all traffic passes through to get to your NAT device (usually your firewall).
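The NAT caveat above, worked through as an added example (not code from the original article): the same flows are totalled per local address once as a Netflow/IPFIX exporter on the LAN side would report them and once as an exporter on the WAN side of the NAT device would. All addresses and byte counts are constructed, and the Flow tuple and function names are hypothetical.

```python
import ipaddress
from collections import Counter, namedtuple

# Fields correspond to the IPFIX elements sourceIPv4Address,
# destinationIPv4Address and octetDeltaCount.
Flow = namedtuple("Flow", "src dst octets")

LAN = ipaddress.ip_network("192.168.10.0/24")        # constructed internal network
PUBLIC_IP = "203.0.113.5"                            # constructed NAT address
WAN_SIDE = ipaddress.ip_network(PUBLIC_IP + "/32")

# Constructed flow records as an exporter inside NAT would report them.
LAN_FLOWS = [
    Flow("192.168.10.17", "198.51.100.20", 4_000_000),    # upload
    Flow("198.51.100.20", "192.168.10.17", 310_000_000),  # download
    Flow("192.168.10.4", "198.51.100.80", 500_000),
    Flow("198.51.100.80", "192.168.10.4", 6_000_000),
    Flow("192.168.10.25", "198.51.100.25", 20_000_000),
    Flow("198.51.100.25", "192.168.10.25", 15_000_000),
]

def after_nat(flows, lan=LAN, public_ip=PUBLIC_IP):
    """The same flows as an exporter on the WAN side of the NAT device sees them."""
    def translate(addr):
        return public_ip if ipaddress.ip_address(addr) in lan else addr
    return [Flow(translate(f.src), translate(f.dst), f.octets) for f in flows]

def top_talkers(flows, local_net):
    """Total octets per local address (both directions), largest first."""
    usage = Counter()
    for f in flows:
        for addr in (f.src, f.dst):
            if ipaddress.ip_address(addr) in local_net:
                usage[addr] += f.octets
    return usage.most_common()

if __name__ == "__main__":
    print("exporter inside NAT: ", top_talkers(LAN_FLOWS, LAN))
    print("exporter outside NAT:", top_talkers(after_nat(LAN_FLOWS), WAN_SIDE))
```

Inside NAT the report names 192.168.10.17 as the heavy user; outside NAT every byte is attributed to the single translated address, so the per-host breakdown is lost.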

The easiest solution is if your routers and firewalls support netflow or IPFIX as these protocols are used specifically for this.

Netflow (IETF RFC 3954) is a protocol developed by Cisco for monitoring bandwidth usage by IP address. This has been superseded by IPFIX (RFC 5101, RFC 5102).

If your devices do not have this capability, you have to rely on SNMP network interface data collected from each host as well as your Internet router or firewall.
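The SNMP correlation described above, as an added example (not code from the original article): two polls of the IF-MIB ifInOctets/ifOutOctets counters per device are turned into bits per second, and each host is ranked against the firewall's WAN interface. Host names, counter values and the 300 second polling interval are constructed, and the function names are hypothetical.

```python
COUNTER32_MOD = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit counters that wrap to 0

def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets counted between two polls; correct across at most one wrap."""
    return (curr - prev) % modulus

def total_bps(poll_prev, poll_curr, interval_s):
    """Combined in+out rate in bits/s from two (ifInOctets, ifOutOctets) polls."""
    octets = sum(counter_delta(p, c) for p, c in zip(poll_prev, poll_curr))
    return octets * 8 / interval_s

def rank_hosts(host_polls, wan_polls, interval_s):
    """Return [(host, bits_per_second, ratio_to_wan)], busiest host first.

    A host NIC also carries LAN-only traffic, so the ratio is an upper
    bound on that host's share of the Internet link.
    """
    wan = total_bps(*wan_polls, interval_s)
    rows = []
    for host, (prev, curr) in host_polls.items():
        bps = total_bps(prev, curr, interval_s)
        rows.append((host, bps, round(bps / wan, 3)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample polls: ((in_prev, out_prev), (in_curr, out_curr)).
INTERVAL_S = 300
# The firewall WAN interface: its inbound counter wrapped between the polls.
WAN_POLLS = ((4_000_000_000, 100_000_000), (42_532_704, 137_500_000))
HOST_POLLS = {
    "pc-04": ((10_000_000, 2_000_000), (13_750_000, 3_875_000)),
    "pc-17": ((1_000_000, 500_000), (301_000_000, 8_000_000)),
    "srv-mail": ((50_000_000, 60_000_000), (68_750_000, 82_500_000)),
}

if __name__ == "__main__":
    print("WAN: %.0f bit/s" % total_bps(*WAN_POLLS, INTERVAL_S))
    for host, bps, ratio in rank_hosts(HOST_POLLS, WAN_POLLS, INTERVAL_S):
        print("%-9s %10.0f bit/s  %5.1f%% of WAN" % (host, bps, ratio * 100))
```

A plain subtraction of the WAN inbound samples would give a negative number here; the modulo handles a single wrap, but the polling interval has to be short enough that a counter cannot wrap twice between polls.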

Most of the enterprise management consoles will collect data using Netflow/IPFIX, custom agents, probes, and/or SNMP.

Commercial SNMP console
Various manufacturers, various capabilities. Many have probes and agents, and can interface with the SNMP services of computers and network devices. This would be the quickest, easiest, most automated, and most detailed solution. There are free versions and trials you can use to see if it works for you.

GPL/open source/free SNMP management console
Zenoss is a great long term solution, but it's complicated and there is a lot to learn. Zenoss can run as a virtual machine, which makes it easy to deploy. Spiceworks also provides quite a bit for free, is easy to use, and runs on Windows. There are others...


Comments (3)

J Spoor, TME / Network Security Evangelist

Another alternative is using a flow collector and using the Netflow or IPFix capabilities.
Tools like Splunk and Scrutinizer can help you out.
Splunk has a free version but that's limited to 500 MB per day. They nowadays do have a light version.

IPFix is a more accurate way of collecting data than syslog or snmp, it's also near real time while syslog is event driven and snmp is sampling.
J Spoor, TME / Network Security Evangelist

Overall a really good document!
Kimberley from Paessler, PRTG Product Evangelist

Hi cybervzhn_tech,

Yes, a good article!  I wonder if you could update the parts about PRTG, since there's been a significant change in our licensing since 2010.  In particular, the 100-sensor licence which was $380 is now free!  The first paid license is now the 500-sensor license ($1600).  Could you please update the price from $380 to $1600, and then later in the article, where you talk about 10 free sensors, update this part to 100 sensors?


Kimberley (from Paessler)
