Measure bandwidth/traffic

How can I measure bandwidth for a network?  I'm familiar with ethereal and a couple of other network sniffers but after sampling the traffic I have no idea if it's high, low, is there a limit, etc.  I sample the results and save them so that I can compare with problems in the future but I seriously look at the results and it's like DUH! I have no idea what is high or low.

Is there any rule or way to measure and know what is the exact saturation point of a LAN?  We have 70 users and nine servers on an Ethernet LAN.  5 100 switches for the users and 2 GB switches for the server room.  A GB trunk links all switches.

I've noticed that our network might hit 150 to 200 packets per second.  Again I can't say how large they are so I have no idea if this is horrible or not.

Thanks in advance!
Lee W, MVP, Technology and Business Process Advisor Commented:
Look into MRTG - you are trying to compare how much traffic is flowing compared to the size of your pipe (internet connection)
I am not sure if you mean to measure a data transfer (network traffic) or something else, but if it's like that then give a try to dumeter
Lee W, MVP, Technology and Business Process Advisor Commented:
Though typically, your switches need to be managed in order to do monitoring of this info.  Otherwise, you could set up a Windows server that would require all traffic to pass through it and then use network monitor to gauge the % of the connection utilized.
zenportafino (Author) Commented:
We're running ISA yet the reports seem to be of little help offering web site usage but nothing in regards to available bandwidth vs. used.  Any third-party items that can do so?
Have you tried "Performance" found in Control Panel / Administrative Tools, and then adding the counter "Network Interface" (Performance Object)? Is that helpful to you in any means?
zenportafino (Author) Commented:
Yes I've used performance monitor too.  It creates a large graph that doesn't tell me if I should be concerned or not.  I find spikes at 200 bytes per second.  Is that high or low?
I am not sure whether to call it high or low, but what makes sense to me is that it is determined by the hardware (and you): if your hardware is 100mbps (megabits per second) then 200 bytes per second is low and 90+ M.B per second is high. I don't know what else to say, or what you specifically want to know!
It is always helpful to know specifically what you are looking for, particularly with network traffic which is such an abstract subject.

If you would like to have just the info "condensed" without concerning yourself with measuring it all, I can recommend Agilent's solutions, which are just plain excellent and have neat, understandable graphics, but most of these solutions are hardware based and thus I, at least, find it rather difficult to feel the return on your investment, for they are quite pricey. They are more oriented toward exhaustive debugging than simple traffic probing.

If on the other hand you want to go for it yourself, I can only recommend that you set up a monitoring port on the switch that hosts your ISA server, plug a machine into that monitoring port (configurable through the CLI or admin console in most switches) and run Ethereal.

I'd use a filter to capture only plain traffic going to ISA server by using:

ether host 00:00:00:00:00:00

Ethereal comes with several spiffy tools to analyze traffic. You could use HTTP in the Statistics menu to count how many packets from the total captured are HTTP (tcp 80), and then manually work out the percentage this represents versus the total packets captured. Say, if you capture 1500 packets, and Ethereal counts 750 as HTTP, you could say half the traffic is used for viewing websites only. However, this does not mean that half your bandwidth is used for Internet, since you do not know the exact bit length of each HTTP packet; it could be 90% or 10% of bandwidth (hence the complexity of bandwidth measuring).

Hope this helps to at least set you in a direction.

...forgot to note, 00:00:00:00:00:00 would be replaced with the MAC address of your ISA server's network adapter
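The packet-count versus byte-count point above, as an added example that is not part of the thread: a small reader for a saved capture that reports both shares for TCP port 80. It assumes a classic little-endian libpcap file with Ethernet frames; the two sample captures are constructed in the code.

```python
import struct

def make_frame(sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame (zeroed MACs and checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return bytes(12) + b"\x08\x00" + ip + tcp + bytes(payload_len)

def make_pcap(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def shares(pcap, port=80):
    """Return (packet_share, byte_share) of TCP traffic to or from `port`."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24                                  # skip the global header
    pkts = byts = hit_pkts = hit_byts = 0
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        pkts += 1
        byts += orig                          # on-the-wire length of the frame
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if len(frame) < 14 + ihl + 4:
            continue                          # TCP ports were not captured
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if port in (sport, dport):
            hit_pkts += 1
            hit_byts += orig
    return hit_pkts / max(pkts, 1), hit_byts / max(byts, 1)

# Constructed captures: HTTP is half the packets in both, but not half the bytes.
HTTP_SMALL = make_pcap([make_frame(40000, 80, 0), make_frame(40001, 445, 1446)] * 5)
HTTP_LARGE = make_pcap([make_frame(40000, 80, 1446), make_frame(40001, 445, 0)] * 5)

if __name__ == "__main__":
    for name, cap in (("HTTP_SMALL", HTTP_SMALL), ("HTTP_LARGE", HTTP_LARGE)):
        p, b = shares(cap)
        print(f"{name}: {p:.0%} of packets, {b:.1%} of bytes are HTTP")
```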

Since you have a switched network, everything would be switched. That means each port on the 100MB switch would give 100MB to each of the 70 PCs. The uplink is 1GB, so the only time these would be saturated is if all 70 users are doing more than 1GB of traffic or 10 users are each doing more than 100MB of traffic. This is most unlikely in your case except during a virus attack.

Here's a simple solution I would use in your case (there are other solutions that are much more complex):

1. Determine what ports the uplink is for the 5 switches to the 2 gigabit switches.
2. Now locate where the servers are connected on the Gigabit switch
3. Use MRTG to graph (in 5 min intervals) traffic on the UPLINK ports of the 5 switches and the servers.
4. After about a couple of days you can start to see the pattern on your network and whether the network is saturated.
5. If you want, you can graph each of the 70 ports identified by PC or user to better see who is doing a lot of traffic.

Also, if you can invest, get Network Observer Suite. That can monitor and graph switches and indicate a lot of problems in near real time, but be warned, their software is costly. The above MRTG solution is easy to set up and check. But you would need to have managed switches (SNMP for monitoring); if not, you will need software like Network Observer to do what you want.
Another vote for MRTG! Can't go wrong. It's free, easy, and your bosses will love looking at the graphs for hours on end.
I don't know why people keep recommending MRTG when "Cacti" is so much easier to use and you get the same kind of graphs. It's a frontend for RRDTOOL - mrtg v2 if you like.
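What graphing a port in 5-minute intervals amounts to, as an added example that is not part of the thread and not MRTG's own code: turn two SNMP octet-counter readings into a percentage of link speed, which answers "is this high or low?". It assumes 32-bit counters such as IF-MIB's ifInOctets; the readings are constructed.

```python
COUNTER32_WRAP = 2 ** 32   # a 32-bit octet counter such as ifInOctets rolls over here

def utilization_pct(prev, curr, interval_s, link_bps):
    """Percent of link capacity used between two octet-counter samples."""
    delta = curr - prev
    if delta < 0:                      # counter rolled over once between polls
        delta += COUNTER32_WRAP
    return 100.0 * (delta * 8 / interval_s) / link_bps

def seconds_to_wrap(link_bps):
    """Time for a 32-bit octet counter to roll over at full line rate."""
    return COUNTER32_WRAP * 8 / link_bps

def summarize(samples, interval_s, link_bps):
    """Return (average_pct, peak_pct) over consecutive counter samples."""
    if interval_s >= seconds_to_wrap(link_bps):
        raise ValueError("poll interval too long for a 32-bit counter at this "
                         "speed; poll faster or use 64-bit ifHCInOctets")
    pcts = [utilization_pct(a, b, interval_s, link_bps)
            for a, b in zip(samples, samples[1:])]
    return sum(pcts) / len(pcts), max(pcts)

# Constructed readings from one 100 Mbit/s user port, polled every 300 s.
# The third reading is smaller than the second because the counter wrapped.
PORT_SAMPLES = [4_000_000_000, 4_150_000_000, 230_032_704, 305_032_704]

if __name__ == "__main__":
    avg, peak = summarize(PORT_SAMPLES, 300, 100_000_000)
    print(f"100M port: average {avg:.1f}%, peak {peak:.1f}%")
    print(f"1G trunk counter wraps in {seconds_to_wrap(1_000_000_000):.1f} s")
```

A 32-bit counter on the gigabit trunk can roll over more than once inside a 5-minute poll, so the trunk ports need the 64-bit counters or a shorter interval.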

Anyway - regarding the problem:

First - Don't trust the "packets per second" measure in Windows. I've seen sub-optimum drivers falsely report numbers there with several tens of thousands of packets per second. Yet actual sniffing revealed low traffic.

To measure actual bandwidth statistics (with Cacti or DUmeter or other tools) on a network, you'll need to collect statistics from more than one location since it's switched. High traffic between two nodes doesn't mean the network has high load...

I'd monitor the network-interface of (a few representative) workstations, key servers and suspected bottlenecks like switch-uplinkports and compare the graphs to available bandwidth. If the network peaks, it will clearly show up in the Cacti graphs.

Try to identify bottlenecks like switch-uplinks and servers. If bandwidth is not an issue (your graphs are nowhere near peaks even during hard use) - yet network performance is unacceptable - you should probably use a sniffer at a key location (uplink to the server/WAN) and examine any unusual tendencies - like excessive arp, odd protocols, hosts maintaining MANY connections etc.

... which is what an IDS (Intrusion Detection System) should pick up, but that's another story.

If the workstations and servers and switches really turn out to be loaded with legit traffic, there is only one thing to do: Upgrade.
Gigabit all the way or switches with higher backplane bandwidth (internal bandwidth in the switch itself)
Subnet and isolate the HIGH volume servers/workstations.
zenportafino (Author) Commented:
Sorry that I have not responded in a while.  I will give MRTG and others a shot.  All of our switches are managed Dell PowerConnects with completely useless diagnostic tools built right in.
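The three "unusual tendencies" named above (excessive ARP, odd protocols, hosts holding many connections), as an added example that is not part of the thread: a pass over packet summaries exported from a sniffer at the uplink. The tuple layout, the thresholds and the expected-protocol list are assumptions to tune against your own baseline; the sample records are constructed.

```python
from collections import Counter, defaultdict

EXPECTED = {"arp", "tcp", "udp", "icmp"}  # assumption: protocols normal on this LAN
ARP_SHARE_MAX = 0.10                      # assumption: ARP above 10% of packets is unusual
PEERS_MAX = 20                            # assumption: distinct (dst, port) pairs per host

def findings(packets):
    """packets: list of (src, dst, proto, dport). Returns a list of (finding, detail)."""
    protos = Counter(proto for _, _, proto, _ in packets)
    peers = defaultdict(set)
    for src, dst, proto, dport in packets:
        if proto in ("tcp", "udp"):
            peers[src].add((dst, dport))   # one entry per distinct conversation
    out = []
    total = sum(protos.values())
    if total and protos["arp"] / total > ARP_SHARE_MAX:
        out.append(("excessive-arp", round(protos["arp"] / total, 2)))
    for proto in sorted(set(protos) - EXPECTED):
        out.append(("odd-protocol", proto))
    for host, seen in sorted(peers.items()):
        if len(seen) > PEERS_MAX:
            out.append(("many-connections", host))
    return out

# Constructed summaries: ordinary web traffic, one host talking to 30 peers and
# broadcasting ARP heavily, and a little traffic in an unexpected protocol.
SAMPLE = (
    [("10.0.0.21", "10.0.0.5", "tcp", 80)] * 40
    + [("10.0.0.77", f"10.0.0.{i}", "tcp", 445) for i in range(100, 130)]
    + [("10.0.0.77", "broadcast", "arp", 0)] * 30
    + [("10.0.0.30", "10.0.0.5", "ipx", 0)] * 2
)

if __name__ == "__main__":
    for finding, detail in findings(SAMPLE):
        print(finding, detail)
```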

I've been told by Dell techs that there are tons of problems with them and that the 1024's are often rendered useless and must be replaced when trying to do a firmware upgrade so I have not ruled out that it could be the switches themselves.

I don't believe at all that our network is saturated and I'm just trying to find a firm answer that I can prove and show to the boss.  

By the way, could the fact that my problem user has an open vpn connection, liveperson, IE, Enterprise manager, local intranet, and sometimes other apps that use the NIC be a problem???
