Solved

Measure bandwidth/traffic

Posted on 2004-10-27
494 Views
Last Modified: 2013-12-07
How can I measure bandwidth for a network?  I'm familiar with ethereal and a couple of other network sniffers but after sampling the traffic I have no idea if it's high, low, is there a limit, etc.  I sample the results and save them so that I can compare with problems in the future but I seriously look at the results and it's like DUH! I have no idea what is high or low.

Is there any rule or way to measure and know what is the exact saturation point of a LAN?  We have 70 users and nine servers on an ethernet LAN.  5 100 switches for the users and 2 GB switches for the server room.  A GB trunk links all switches.

I've noticed that our network might hit 150 to 200 packets per second.  Again I can't say how large they are so I have no idea if this is horrible or not.

Thanks in advance!
0
Question by:zenportafino
    13 Comments
     
    LVL 95

    Accepted Solution

    by:
    Look into MRTG - you are trying to compare how much traffic is flowing compared to the size of your pipe (internet connection)

    http://mrtg.hdl.com/mrtg.html
    0
     
    LVL 9

    Expert Comment

    by:imnajam
    I am not sure if you mean to measure a data transfer (network traffic) or something else, but if it's like that then give dumeter a try [ http://www.dumeter.com ]
    0
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Though typically, your switches need to be managed in order to do monitoring of this info.  Otherwise, you could set up a Windows server that would require all traffic to pass through it and then use network monitor to gauge the % of the connection utilized.
    0
     
    LVL 1

    Author Comment

    by:zenportafino
    We're running ISA yet the reports seem to be of little help, offering web site usage but nothing in regards to available bandwidth vs. used.  Any third party items that can do so?
    0
     
    LVL 9

    Expert Comment

    by:imnajam
    Have you tried "Performance", found in control panel / administrative tools, and then adding the counter "Network Interface" (Performance Object)? Is that helpful to you by any means?
    0
     
    LVL 1

    Author Comment

    by:zenportafino
    Yes I've used performance monitor too.  It creates a large graph that doesn't tell me if I should be concerned or not.  I find spikes at 200 bytes per second.  Is that high or low?
    0
     
    LVL 9

    Expert Comment

    by:imnajam
    I am not sure whether to call it high or low, but what makes sense to me is that it is determined by the hardware (and you). If your hardware is 100mbps (megabits per second) then 200 bytes per second is low and 90+ M.B per second is high. I don't know what else to say, or what you specifically want to know!!!
    0
     
    LVL 1

    Expert Comment

    by:alexai
    It is always helpful to know specifically what you are looking for, particularly with network traffic which is such an abstract subject.

    If you would like to have just the info "condensed" without concerning yourself with measuring it all, I can recommend Agilent's solutions, which are just plain excellent and have neat understandable graphics, but most of these solutions are hardware based and thus, at least I, find it rather difficult to feel the return on your investment, for they are quite pricey. They are more oriented toward exhaustive debugging than simple traffic probing.

    If on the other hand you want to go for it yourself, I can only recommend that you set up a monitoring port on the switch that hosts your ISA server, plug a machine into that monitoring port (configurable through the CLI or admin console in most switches) and run Ethereal.

    I'd use a filter to capture only plain traffic going to ISA server by using:

    ether host 00:00:00:00:00:00

    Ethereal comes with several spiffy tools to analyze traffic. You could use HTTP in the Statistics menu to count how many packets from the total captured are HTTP (tcp 80), and then manually work out the percentage this represents versus the total packets captured. Say, if you capture 1500 packets, and Ethereal counts 750 as HTTP, you could say half the traffic is used for viewing websites only. However, this does not mean that half your bandwidth is used for Internet, since you do not know the exact bit length of each HTTP packet; it could be 90% or 10% of bandwidth (hence, the complexity of bandwidth measuring).


    Hope this helps to at least set you in a direction.

    0
     
    LVL 1

    Expert Comment

    by:alexai
    ...forgot to note, 00:00:00:00:00:00 would be replaced with the MAC address of your ISA server's network adapter
    0
     
    LVL 2

    Expert Comment

    by:methabhaya

    Since you have a switched network, everything would be switched. That means each port on the 100MB switch would give 100MB to each of the 70 PCs. The uplink is 1GB, so the only time these would be saturated is if all 70 users are doing more than 1GB of traffic or 10 users are each doing more than 100MB of traffic. This is most unlikely in your case except during a virus attack.

    Here's a simple solution I would use in your case (there are other solutions that are much more complex)

    1. Determine what ports the uplink is for the 5 switches to the 2 gigabit switches.
    2. Now locate where the servers are connected on the Gigabit switch
    3. Use MRTG to graph (in 5 min intervals) traffic on the UPLINK ports of the 5 switches and the servers.  
    4. After about a couple of days you can start to see the pattern on your network and whether the network is saturated.
    5. If you want, you can graph each of the 70 ports identified by PC or user to better see who is doing a lot of traffic.

    Also, if you can invest, get Network Observer Suite. That can monitor and graph switches and indicate a lot of problems in near realtime, but be warned, their software is costly. The above MRTG solution is easy to set up and check. But you would need to have managed switches (SNMP for monitoring); if not, you will need software like Network Observer to do what you want.
    0
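
Added example, not part of the original thread: the arithmetic behind the 5-minute MRTG graphs suggested above, turning two SNMP octet-counter polls into percent utilization of the port. It assumes 32-bit `ifInOctets`-style counters and a 1518-byte maximum frame; the poll values and port labels are constructed.

```python
# Added example: link utilization from two SNMP octet-counter polls.
# All sample values below are constructed for illustration.

COUNTER32 = 2**32          # assumption: 32-bit octet counters that wrap at 2^32
MAX_FRAME_BYTES = 1518     # assumption: largest untagged Ethernet frame


def counter_delta(prev, curr, modulus=COUNTER32):
    """Octets moved between two polls, tolerating one counter wrap."""
    return (curr - prev) % modulus


def utilization_pct(prev, curr, interval_s, link_bps):
    """Average utilization of the link over the polling interval, in percent."""
    return 100.0 * counter_delta(prev, curr) * 8 / (interval_s * link_bps)


def wrap_time_s(link_bps, modulus=COUNTER32):
    """Seconds a link running at line rate needs to wrap the counter once."""
    return modulus * 8 / link_bps


def worst_case_pct(packets_per_s, link_bps, frame_bytes=MAX_FRAME_BYTES):
    """Upper bound on utilization if every packet were a full-size frame."""
    return 100.0 * packets_per_s * frame_bytes * 8 / link_bps


def report(polls, interval_s):
    """Return (port, utilization %, delta unambiguous?) for each poll."""
    rows = []
    for port, link_bps, prev, curr in polls:
        pct = round(utilization_pct(prev, curr, interval_s, link_bps), 2)
        # If the counter can wrap more than once per interval, the delta is ambiguous.
        rows.append((port, pct, wrap_time_s(link_bps) > interval_s))
    return rows


# Constructed polls: (port label, link speed in bit/s, previous octets, current octets)
SAMPLE_POLLS = [
    ("workstation port", 100_000_000, 1_000_000, 376_000_000),
    ("workstation port, counter wrapped", 100_000_000, 4_294_967_000, 704),
    ("gigabit uplink", 1_000_000_000, 0, 750_000_000),
]

if __name__ == "__main__":
    for row in report(SAMPLE_POLLS, interval_s=300):
        print(row)
    print("200 pps, all full-size frames, 100 Mbit/s: %.2f%%"
          % worst_case_pct(200, 100_000_000))
```

The third row is flagged because a gigabit link at line rate wraps a 32-bit counter in about 34 seconds, so a 5-minute poll of that port needs the 64-bit counters (`ifHCInOctets`/`ifHCOutOctets`) to be trustworthy.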
     
    LVL 4

    Expert Comment

    by:tmcguiness
    Another vote for MRTG! Can't go wrong. It's free, easy, and your bosses will love looking at the graphs for hours on end.
    0
     
    LVL 2

    Expert Comment

    by:DiCeR
    I don't know why people keep recommending MRTG when "Cacti" is so much easier to use and you get the same kind of graphs. It's a frontend for RRDTOOL - mrtg v2 if you like.

    http://www.cacti.net/

    Anyway - regarding the problem:

    First - Don't trust the "packets per second" measure in Windows. I've seen sub-optimum drivers falsely report numbers there with several tens of thousands of packets per second. Yet actual sniffing revealed low traffic.

    To measure actual bandwidth statistics (with Cacti or DUmeter or other tools) on a network, you'll need to collect statistics from more than one location since it's switched. High traffic between two nodes doesn't mean the network has high load...

    I'd monitor the network-interface of (a few representative) workstations, key servers and suspected bottlenecks like switch-uplinkports and compare the graphs to available bandwidth. If the network peaks, it will clearly show up in the Cacti graphs.

    Try to identify bottlenecks like switch uplinks and servers. If bandwidth is not an issue (your graphs are nowhere near peaks even during hard use) - yet network performance is unacceptable - you should probably use a sniffer at a key location (uplink to the server/WAN) and examine any unusual tendencies - like excessive arp, odd protocols, hosts maintaining MANY connections etc. etc.

    ... which is what an IDS (Intrusion Detection System) should pick up, but that's another story.

    If the workstations and servers and switches really turn out to be loaded with legit traffic, there is only one thing to do: Upgrade.
    Gigabit all the way or switches with higher backplane bandwidth (internal bandwidth in the switch itself)
    Subnet and isolate the HIGH volume servers/workstations.
    0
     
    LVL 1

    Author Comment

    by:zenportafino
    Sorry that I have not responded in a while.  I will give MRTG and others a shot.  All of our switches are managed dell powerconnects with completely useless diagnostic tools built right in.

    I've been told by Dell techs that there are tons of problems with them and that the 1024's are often rendered useless and must be replaced when trying to do a firmware upgrade so I have not ruled out that it could be the switches themselves.

    I don't believe at all that our network is saturated and I'm just trying to find a firm answer that I can prove and show to the boss.  

    By the way, could the fact that my problem user has an open vpn connection, liveperson, IE, Enterprise manager, local intranet, and sometimes other apps that use the NIC be a problem???
    0
