Network bandwith\traffic Analyser


I'm looking at a good tool to monitor traffic on my network, particularly traffic on my 2mb lease line to my ISP.  I'd like to know what IP addresses are taking up the bandwith, or if it's more servers etc

Can anyone recommend a good easy to use low cost solution ?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Etherreal is a great packet sniffer ... and it's free !!
stevendunneAuthor Commented:
Will it do what I'm looking for ?  Has it got a nice graphical real time display ?

Thats ideally what I'm looking for.

What model of router is connected to your ISP that you want to monitor?
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

PRTG from looks pretty cool.  It advertises that it can find who is using the bandwidth and is also really cheap - $49.95 to start for 25 different checks.  Here is their pricing page:

Also, it has the nice graphical interface you requested as well.

Hope this helps.
stevendunneAuthor Commented:
This looks cool but it says you need to run the SNMP service on machines you want to monitor.  For workstations & servers running the SNMP service is a bit of a seceurity risk isn't it ?
SNMP can be secured by limiting communities to Read Only and using "strong" community names.  MRTG essentially does the same thing as PRTG but it's free:
There is a nice tool to look at specific computers on a LAN. the utility is called Look @ Lan
It is nice if you want to see what protocols the network is using and such. try it out, it is free and you might like it. Here is the link

there are other network analyzers that seem to be feature packed and very awesome looking.

Peace and Luck ;)
It can be.  SNMP itself is not secure anyway since most nodes always have 'public' as their community string.  You could mediate this a bit by assigning another community string to your computers and routers.  However, that is still unsecure since someone could guess this new community string and retrieve SNMP values once again.  Other larger corporate packages such as Dell's OpenManage run via SNMP.

While someone could read certain settings of a node with SNMP enabled, I don't worry as much about that as long as no one from the outside can read these items - i.e. don't allow it through your firewall to the LAN.  I don't think it's the largest gaping hole in a network's security.

You may be surprised at how many devices already have SNMP enabled in your domain.
Shoot, yegs beat me to it with the "strong" community string names.  I started my post before my meeting and just finished it.  But he is right, stronger names will give you more security than the standard 'public'.
what i use here is a combination of cacti:

and nagios:

if you want to get granular as far as managing multiple devices, and tracking down the media streaming purpetrator, use this:

this combination of 3 programs will let you see a historical overview of the usage, trending on every interface, and then netdisco will help you find the ip associated with each switch's port.  its what i use here.  if somebody is streaming, it takes about 1 minute to find them :)

QoS is always your friend too, though.  Its nice for when you're not available to always be monitoring the network to know that the people streaming music arent interrupting services.
Zerofield, this sounds very cool.  Though I'm not the originator of this thread, I would still be interested in exactly how you use these tools to monitor and also have a "here's how I find the culprit" walk-through, if you would be willing to do that. :-)
Specifically, we recently had an infected laptop enter the network and I would like to have been able to find who it was that was creating the extra traffic - specifically, traffic trying to exploit the LSASS vulnerability.
stevendunneAuthor Commented:
LSASS vulnerability ??

I've got a server with LSASS taking up around 50mb and dllhost.exe taking up 150mb

Anything to be concerned about ?
LSASS vulnerability:

If this server were being attacked by this vulnerability, it would be rebooting with a message stating that LSASS had stopped.  There would also be about a 50 second countdown to the reboot.
stevendunneAuthor Commented:
I've got that patch installed

What about DLLHOST.exe taking up 150mb on my domain controller ?
zerofieldCommented:  login guest pass expertsexchange

this isnt all of the servers/etc here btw, i just started not too long ago.  anything thats here, i have to physically or logically find it, etc.  there's been a lot to do, this is just what i've done so far!

that said, if you click on the switches, you can see which port is consuming a lot of bandwidth.  this is a primitive hands-on required way of doing it.  the easiest way of doing it is to run something such as SNORT or analyze a mirrored port on a switch so that you can very directly see who's responsible for the traffic.  worst case, you could send the syslog of the pix to a linux machine like i do, and tail -f the output debug log.

so anyway, say user on port 26 is flooding with traffic.  i head to netdisco and (now i cant give you access to my netdisco!) click on the switch containing the flooding user:

click on:
admin panel (at the bottom) -> device inventory -> the device type you're seeking (in my case it'd be 2980G's, but on the demo you can click on a 3550 or any other switch type)
then click on "show all ports"

right there you get a diagnosis of that particular port.  now if a user is sending a lot of LAN traffic, this may not help a hell of a lot.  you can be FAR FAR more advanced than this, this is just a simplistic way of doing it.
dllhost mem usage is not necessrily an alarm.  If you are worried about the server being fully patched, try running the Microsoft Baseline Security Analyzer against that server.
stevendunneAuthor Commented:
I'm up to date on my patches on the server which dllhost.exe is taking 150mb.  I ran the latest version of the MBSA the day alongside GFI LanGuard scanner.  I've also run virus scan's using two different engines and checked for nasties with spyware checkers etc

I'm sure it something Windows is doing, I've got a small 200mb SQL database running alongside IIS if this helps anyone ?
Excellent, zerofield.  I will try this and see what it can do for me in my network (totally Win32 - Linux is a bad word here - not to me, but to those that don't understand it).
Must be a Windows 2000 server since its IIS uses the dllhost process.  How much web traffic does it receive?
If you'd like to contact me, i can walk you through setting up cacti in aroudn 10 minutes, literally.  It's very easy to setup.  The other two programs are much more involved, but just having SNMP trending on the interfaces will help you get somewhere with it.

Pasdargent: most companies right now regard Linux as a forbidden fruit.  They're interested and intrigued, but scared to do it.  The last 3 companies I've worked with were scared to even bring in the first server, and now the companies and their IT depts love it.  The cliche "people fear what they do not understand" is very true in regards to opensource in IT depts right now.  A lot of the time I just set it up and show them, as opposed to any pre-justification steps.
stevendunneAuthor Commented:


We have it enabled on a couple of servers for monitoring\reporting.  The stats then get sent from the servers via port 443 to a server hosted outside of our domain.  We can then view the status of our servers via a secure (HTTPS) site on the web.

However we don't allow any SNMP connections into our LAN through the firewall.

Is this ok ?

That sounds like a very sound and secure way of doing it.  However, if you don't want your stats sitting somewhere off-site, you could have the external web server use a virtual directory from a web server within your domain.  That way, the external server would appear as if it had the stats locally, but they actually come from a place you have direct control of.
stevendunneAuthor Commented:
The stats are only things like disk space, CPU usage, SWAP usage, connectivity, services status etc etc

Also the box the stats are sent to is a Linux\Unix type system, although I haven't seen or configured it, Im told it's fairly secure & reliable ?
Then I wouldn't worry about the virtual directory.  It sounds like a rather good way of collecting and displaying the information.  And you're right - those type of stats aren't something to worry about anyway.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
stevendunneAuthor Commented:
Ok cool,

Thanks Pasdargent  

You are most welcome.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.