Solved

Network bandwidth\traffic Analyser

Posted on 2004-10-01
Last Modified: 2013-11-30
Hi

I'm looking for a good tool to monitor traffic on my network, particularly traffic on my 2mb leased line to my ISP.  I'd like to know what IP addresses are taking up the bandwidth, or if it's more servers etc.

Can anyone recommend a good, easy to use, low cost solution?

Regards
Steve
0
Comment
Question by:stevendunne
27 Comments
 
LVL 8

Expert Comment

by:jodypeet
ID: 12198781
Ethereal is a great packet sniffer ... and it's free!!
0
 

Author Comment

by:stevendunne
ID: 12198793
Will it do what I'm looking for?  Has it got a nice graphical real time display?

That's ideally what I'm looking for.

:-)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12199033
What model of router is connected to your ISP that you want to monitor?
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12199110
PRTG from http://www.paessler.com looks pretty cool.  It advertises that it can find who is using the bandwidth and is also really cheap - $49.95 to start for 25 different checks.  Here is their pricing page: http://www.paessler.com/order/prtg

Also, it has the nice graphical interface you requested as well.

Hope this helps.
0
 

Author Comment

by:stevendunne
ID: 12199177
This looks cool but it says you need to run the SNMP service on machines you want to monitor.  For workstations & servers, running the SNMP service is a bit of a security risk, isn't it?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12199762
SNMP can be secured by limiting communities to Read Only and using "strong" community names.  MRTG essentially does the same thing as PRTG but it's free:

http://mrtg.hdl.com/mrtg.html
0
 
LVL 3

Expert Comment

by:yegs2000
ID: 12199768
There is a nice tool to look at specific computers on a LAN.  The utility is called Look @ Lan.
It is nice if you want to see what protocols the network is using and such.  Try it out, it is free and you might like it.  Here is the link http://www.lookatlan.com/

There are other network analyzers that seem to be feature packed and very awesome looking.

Peace and Luck ;)
-yegs
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12199878
It can be.  SNMP itself is not secure anyway since most nodes always have 'public' as their community string.  You could mediate this a bit by assigning another community string to your computers and routers.  However, that is still insecure since someone could guess this new community string and retrieve SNMP values once again.  Other larger corporate packages such as Dell's OpenManage run via SNMP.

While someone could read certain settings of a node with SNMP enabled, I don't worry as much about that as long as no one from the outside can read these items - i.e. don't allow it through your firewall to the LAN.  I don't think it's the largest gaping hole in a network's security.

You may be surprised at how many devices already have SNMP enabled in your domain.
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12199890
Shoot, yegs beat me to it with the "strong" community string names.  I started my post before my meeting and just finished it.  But he is right, stronger names will give you more security than the standard 'public'.
0
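What "limiting communities to Read Only and using strong community names" looks like in practice, as an added example that is not part of the thread: a net-snmp snmpd.conf fragment with the weak default beside a restricted configuration. The poller address 192.168.1.10, the community string and the user name are assumptions for the example. Note that a v1/v2c community string travels in cleartext on the wire, so a hard-to-guess name only stops guessing, not sniffing; the SNMPv3 lines at the end close that gap where the poller supports it.

```conf
# Added example (not from the thread): net-snmp snmpd.conf
# Poller 192.168.1.10, community string and user name are assumed values.

# Weak: anyone who can reach UDP/161 on this host can walk the whole MIB tree
rocommunity public

# Restricted: read-only, only from the poller, and only the subtrees MRTG/PRTG/cacti need
view mon included .1.3.6.1.2.1.1      # system group (sysName, sysUpTime)
view mon included .1.3.6.1.2.1.2      # interfaces (ifTable: ifInOctets, ifOutOctets)
view mon included .1.3.6.1.2.1.31     # ifXTable (64-bit ifHCInOctets/ifHCOutOctets)
rocommunity Xk9vQm2pL7tR 192.168.1.10 -V mon

# SNMPv3 with authentication and encryption, same view, if the poller can do v3
createUser mrtgpoll SHA "use-a-long-auth-passphrase" AES "use-a-long-priv-passphrase"
rouser mrtgpoll priv -V mon
```

Restart snmpd after editing; the createUser line is consumed on first start and replaced by the derived keys in the persistent store. The firewall rule from the discussion above still applies: UDP/161 should be reachable only from the poller, and not through the perimeter firewall at all.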
 
LVL 5

Expert Comment

by:zerofield
ID: 12199954
What I use here is a combination of cacti:
http://www.cacti.net/screenshots.php

and nagios:
http://www.nagios.org

If you want to get granular as far as managing multiple devices, and tracking down the media streaming perpetrator, use this:

http://www.netdisco.org

This combination of 3 programs will let you see a historical overview of the usage, trending on every interface, and then netdisco will help you find the IP associated with each switch's port.  It's what I use here.  If somebody is streaming, it takes about 1 minute to find them :)

QoS is always your friend too, though.  It's nice for when you're not available to always be monitoring the network to know that the people streaming music aren't interrupting services.
0
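The two steps described above (per-interface trending from SNMP counters, then netdisco's port-to-IP lookup) as an added worked example in Python; this is not code from the thread or from cacti, MRTG or netdisco. It turns two polls of the ifTable octet counters into bit rates, handling the 32-bit counter wrap that MRTG-style pollers have to cope with, picks the busiest port, and then joins the switch's bridge forwarding table with the router's ARP cache to name the host on that port. All polls, MAC addresses and IPs below are constructed sample data.

```python
"""Added example, not code from the thread or from cacti/MRTG/netdisco: rank
switch ports by bit rate from two SNMP polls of the ifTable counters, then map
the busiest port to a MAC address and IP the way netdisco does, by joining the
bridge forwarding table (dot1dTpFdbTable) with the ARP cache
(ipNetToMediaTable).  Every table below is constructed sample data."""

COUNTER32_WRAP = 2 ** 32  # ifInOctets/ifOutOctets are Counter32 objects


def counter_delta(old, new, wrap=COUNTER32_WRAP):
    """Octets counted between two samples, tolerating one counter wrap."""
    if new >= old:
        return new - old
    return new + wrap - old  # counter rolled over past 2^32 between polls


def interface_rates(poll_t0, poll_t1, interval_s):
    """poll = {ifIndex: (ifInOctets, ifOutOctets)}; returns {ifIndex: (in_bps, out_bps)}."""
    rates = {}
    for ifindex, (in0, out0) in poll_t0.items():
        if ifindex not in poll_t1:
            continue  # interface disappeared between polls (reload, hot-swap)
        in1, out1 = poll_t1[ifindex]
        rates[ifindex] = (
            counter_delta(in0, in1) * 8 / interval_s,
            counter_delta(out0, out1) * 8 / interval_s,
        )
    return rates


def busiest_port(rates):
    """ifIndex with the highest combined in+out bit rate."""
    return max(rates, key=lambda i: rates[i][0] + rates[i][1])


def hosts_on_port(ifindex, fdb, arp):
    """Return sorted [(mac, ip)] for stations the switch learned on ifindex.

    fdb: {mac: ifIndex} from dot1dTpFdbTable (bridge port numbers already mapped
    to ifIndex via dot1dBasePortIfIndex); arp: {mac: ip} from ipNetToMediaTable."""
    return sorted((mac, arp.get(mac, "no ARP entry"))
                  for mac, port in fdb.items() if port == ifindex)


# Constructed polls 300 s apart (the MRTG default).  Port 26 wrapped its input counter.
POLL_T0 = {1: (1_000_000, 2_000_000), 2: (500_000, 700_000), 26: (4_200_000_000, 100_000)}
POLL_T1 = {1: (1_750_000, 2_900_000), 2: (650_000, 800_000), 26: (200_000_000, 400_000)}
FDB = {"00:0c:29:aa:bb:cc": 26, "00:11:22:33:44:55": 1, "00:50:56:01:02:03": 2}
ARP = {"00:0c:29:aa:bb:cc": "192.168.1.57", "00:11:22:33:44:55": "192.168.1.12"}

if __name__ == "__main__":
    rates = interface_rates(POLL_T0, POLL_T1, 300)
    for ifindex, (in_bps, out_bps) in sorted(rates.items(), key=lambda kv: -sum(kv[1])):
        print(f"ifIndex {ifindex:3d}: in {in_bps / 1e6:7.3f} Mbit/s  out {out_bps / 1e6:7.3f} Mbit/s")
    top = busiest_port(rates)
    print("busiest port:", top, "->", hosts_on_port(top, FDB, ARP))
```

Two caveats a poller built this way needs: a Counter32 wraps in about 34 seconds on a saturated gigabit link, so poll ifHCInOctets/ifHCOutOctets (Counter64, SNMPv2c or v3) where the device offers them or the rate is silently under-reported; and a device reboot resets the counters to zero, which the wrap arithmetic will happily "explain" as a wrap, so compare sysUpTime between polls and discard the interval if it went backwards.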
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12199978
Zerofield, this sounds very cool.  Though I'm not the originator of this thread, I would still be interested in exactly how you use these tools to monitor and also have a "here's how I find the culprit" walk-through, if you would be willing to do that. :-)
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12200318
Specifically, we recently had an infected laptop enter the network and I would like to have been able to find who it was that was creating the extra traffic - specifically, traffic trying to exploit the LSASS vulnerability.
0
 

Author Comment

by:stevendunne
ID: 12200441
LSASS vulnerability ??

I've got a server with LSASS taking up around 50mb and dllhost.exe taking up 150mb

Anything to be concerned about ?
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12200486
LSASS vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

If this server were being attacked by this vulnerability, it would be rebooting with a message stating that LSASS had stopped.  There would also be about a 50 second countdown to the reboot.
0
 

Author Comment

by:stevendunne
ID: 12200532
I've got that patch installed

What about DLLHOST.exe taking up 150mb on my domain controller ?
0
 
LVL 5

Expert Comment

by:zerofield
ID: 12200543
http://63.243.98.115/cacti  login guest pass expertsexchange

This isn't all of the servers/etc here btw, I just started not too long ago.  Anything that's here, I have to physically or logically find it, etc.  There's been a lot to do, this is just what I've done so far!

That said, if you click on the switches, you can see which port is consuming a lot of bandwidth.  This is a primitive hands-on-required way of doing it.  The easiest way of doing it is to run something such as SNORT or analyze a mirrored port on a switch so that you can very directly see who's responsible for the traffic.  Worst case, you could send the syslog of the PIX to a Linux machine like I do, and tail -f the output debug log.

So anyway, say the user on port 26 is flooding with traffic.  I head to netdisco and (now I can't give you access to my netdisco!) click on the switch containing the flooding user:
http://www.netdisco.org/#demo

Click on:
admin panel (at the bottom) -> device inventory -> the device type you're seeking (in my case it'd be 2980G's, but on the demo you can click on a 3550 or any other switch type)
then click on "show all ports"

Right there you get a diagnosis of that particular port.  Now if a user is sending a lot of LAN traffic, this may not help a hell of a lot.  You can be FAR FAR more advanced than this, this is just a simplistic way of doing it.
0
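The "send the PIX syslog to a Linux box and tail it" route above, done as a script rather than by eye; this is an added example and not code from the thread. A PIX at logging level informational writes one %PIX-6-302014 (TCP) or %PIX-6-302016 (UDP) teardown message per closed connection, carrying the connection's total byte count, and summing those per inside address answers the original question directly: which IP is taking the line. The interface name "inside", the host names and every log line below are constructed for the example, not captured from anyone's firewall.

```python
"""Added example, not from the thread: rank inside hosts by bytes from PIX
connection-teardown syslog.  PIX 6.x logs %PIX-6-302014 (TCP) / %PIX-6-302016
(UDP) per closed connection with its byte total; 'Built' messages carry none.
The log text below is constructed sample data."""
import re
from collections import defaultdict

TEARDOWN = re.compile(
    r"%PIX-6-3020(?:14|16): Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>\d+\.\d+\.\d+\.\d+)/\d+ to "
    r"(?P<if_b>\w+):(?P<ip_b>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"duration [\d:]+ bytes (?P<bytes>\d+)"
)


def bytes_per_host(log_text, inside_if="inside"):
    """Total bytes (both directions combined, as PIX reports them) per inside address."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # 'Built ...', translation and other messages carry no byte count
        # The inside host appears on either side, depending on who opened the connection.
        if m["if_a"] == inside_if:
            host = m["ip_a"]
        elif m["if_b"] == inside_if:
            host = m["ip_b"]
        else:
            continue  # dmz<->outside etc.; not traffic from the LAN
        totals[host] += int(m["bytes"])
    return dict(totals)


def top_talkers(log_text, n=5, inside_if="inside"):
    """[(host, bytes)] sorted by bytes, largest first."""
    totals = bytes_per_host(log_text, inside_if)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample: one inside host pulling two large downloads, another doing a
# little HTTPS and DNS, plus a 'Built' message that must be ignored.  Interface name
# "inside" is an assumption for the example.
SAMPLE_LOG = """\
Oct 01 2004 10:15:01 fw01 %PIX-6-302014: Teardown TCP connection 4401 for outside:209.85.1.10/80 to inside:192.168.1.57/1183 duration 0:04:12 bytes 58130045 TCP FINs
Oct 01 2004 10:15:02 fw01 %PIX-6-302014: Teardown TCP connection 4402 for outside:64.4.1.20/443 to inside:192.168.1.12/1501 duration 0:00:03 bytes 14022 TCP FINs
Oct 01 2004 10:15:05 fw01 %PIX-6-302016: Teardown UDP connection 4403 for outside:192.5.6.30/53 to inside:192.168.1.12/1502 duration 0:00:01 bytes 312
Oct 01 2004 10:15:09 fw01 %PIX-6-302014: Teardown TCP connection 4404 for inside:192.168.1.57/1190 to outside:209.85.1.10/80 duration 0:02:50 bytes 31500000 TCP Reset-O
Oct 01 2004 10:15:10 fw01 %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.57/1191 to outside:203.0.113.5/2048
"""

if __name__ == "__main__":
    for host, total in top_talkers(SAMPLE_LOG):
        print(f"{host:15s} {total / 1e6:8.2f} MB")
```

The PIX needs `logging trap informational` (level 6) for the 302014/302016 messages to reach the syslog host. Two limits worth knowing before trusting the numbers: the bytes are charged at teardown, so a long-lived download shows up only when it ends, and a connection still open is invisible; and the count is the connection total, not split by direction, so this ranks hosts but cannot by itself say whether the leased line was saturated inbound or outbound.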
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12200814
dllhost mem usage is not necessarily an alarm.  If you are worried about the server being fully patched, try running the Microsoft Baseline Security Analyzer against that server.
0
 

Author Comment

by:stevendunne
ID: 12200855
I'm up to date on my patches on the server on which dllhost.exe is taking 150mb.  I ran the latest version of the MBSA the other day alongside GFI LanGuard scanner.  I've also run virus scans using two different engines and checked for nasties with spyware checkers etc.

I'm sure it's something Windows is doing, I've got a small 200mb SQL database running alongside IIS if this helps anyone?
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12200861
Excellent, zerofield.  I will try this and see what it can do for me in my network (totally Win32 - Linux is a bad word here - not to me, but to those that don't understand it).
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12200876
Must be a Windows 2000 server since its IIS uses the dllhost process.  How much web traffic does it receive?
0
 
LVL 5

Expert Comment

by:zerofield
ID: 12201490
If you'd like to contact me, I can walk you through setting up cacti in around 10 minutes, literally.  It's very easy to set up.  The other two programs are much more involved, but just having SNMP trending on the interfaces will help you get somewhere with it.

Pasdargent: most companies right now regard Linux as a forbidden fruit.  They're interested and intrigued, but scared to do it.  The last 3 companies I've worked with were scared to even bring in the first server, and now the companies and their IT depts love it.  The cliche "people fear what they do not understand" is very true in regards to opensource in IT depts right now.  A lot of the time I just set it up and show them, as opposed to any pre-justification steps.
0
 

Author Comment

by:stevendunne
ID: 12257535
Pasdargent,

Re SNMP

We have it enabled on a couple of servers for monitoring\reporting.  The stats then get sent from the servers via port 443 to a server hosted outside of our domain.  We can then view the status of our servers via a secure (HTTPS) site on the web.

However we don't allow any SNMP connections into our LAN through the firewall.

Is this ok ?

Thanks
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12257688
That sounds like a very sound and secure way of doing it.  However, if you don't want your stats sitting somewhere off-site, you could have the external web server use a virtual directory from a web server within your domain.  That way, the external server would appear as if it had the stats locally, but they actually come from a place you have direct control of.
0
 

Author Comment

by:stevendunne
ID: 12257720
The stats are only things like disk space, CPU usage, SWAP usage, connectivity, services status etc etc

Also the box the stats are sent to is a Linux\Unix type system, although I haven't seen or configured it, I'm told it's fairly secure & reliable?
0
 
LVL 3

Accepted Solution

by:
Pasdargent earned 375 total points
ID: 12257742
Then I wouldn't worry about the virtual directory.  It sounds like a rather good way of collecting and displaying the information.  And you're right - those type of stats aren't something to worry about anyway.
0
 

Author Comment

by:stevendunne
ID: 12257776
Ok cool,

Thanks Pasdargent  

:-)
0
 
LVL 3

Expert Comment

by:Pasdargent
ID: 12257809
You are most welcome.
0
