Looking for a nice sniffing app to add to my network

Posted on 2005-03-17
Medium Priority
Last Modified: 2013-12-04

I run a network with 300+ users across the country. All users roll their internet traffic through the corporate office. I'm looking for a utility to tell me in REAL-TIME who is doing what. I want to know if people are pumping enormous amounts of data across the lines, who they are, what type of data it is (MP3s, etc).

Any recommendation on what to use and where to place it and how to get it up and running?

Question by: Avi-Solomon
LVL 38

Accepted Solution

Rich Rumble earned 1000 total points
ID: 13569676
Sort of... it's harder to tell what file extensions are being copied, such as MP3s or AVIs etc., but you can easily track how much bandwidth they are using for certain protocols, such as SMTP, FTP, SSL, ICMP, SMB, or even Kazaa.
Ntop is a great product for this. The new version may not be as updated for Windows as it is for Linux; here are the two links:
Linux: http://www.ntop.org/overview.html
Win32: http://www.openxtra.co.uk/products/ntop-xtra.php (I've not used this one in a while)

Using a product like Snort you can look at the contents of all the communication very easily, especially if you write your own rules, as the Snort rules are catered more to abuse or network intrusion (like exploits, or possible scanning behaviour etc.).
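As an added illustration of the per-host, per-protocol accounting described in the answer above (and of the harder file-type question), here is a Python 3 script that is not from this thread, from ntop or from Snort. It decodes raw Ethernet/IPv4/TCP/UDP frames with only the standard library, attributes every packet's bytes to the internal host on either end of the conversation, labels traffic by well-known port the way ntop's protocol table does, and goes one step beyond the answer by recognising files from their leading magic bytes rather than from an extension, so an MP3 served with a misleading Content-Type is still spotted. The 10.0.0.0/8 internal range, the port-to-name table, the magic-byte table and all sample frames are assumptions constructed for the example; on a real sensor you would feed it frames read from the SPAN-attached interface by a capture library.

```python
"""Per-host, per-protocol byte accounting over raw Ethernet frames, with
file-type detection by magic bytes.  Added example (not from the thread,
ntop or Snort); all sample traffic below is constructed inline."""
import ipaddress
import struct
from collections import defaultdict

# Assumption: the corporate address space. Everything else counts as "the internet".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumption: a small port-to-protocol table of the kind ntop keeps.
PORT_NAMES = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "SSL", 445: "SMB", 1214: "Kazaa"}

# File types recognised by their leading bytes, not by the name they were sent under.
MAGIC = [(b"ID3", "MP3 (ID3 tag)"), (b"\xff\xfb", "MP3 (MPEG frame)"),
         (b"RIFF", "AVI/WAV (RIFF)"), (b"PK\x03\x04", "ZIP")]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def parse_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP,ICMP}. Returns (src, dst, proto_name,
    payload, ip_total_len) or None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    l4 = ip[ihl:total_len]                                 # drop Ethernet trailer padding
    if proto == 6 and len(l4) >= 20:                       # TCP: honour the data offset
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        payload = l4[(off_flags >> 12) * 4:]
        name = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) or f"TCP/{min(sport, dport)}"
    elif proto == 17 and len(l4) >= 8:                     # UDP: fixed 8-byte header
        sport, dport, _len, _csum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
        name = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) or f"UDP/{min(sport, dport)}"
    elif proto == 1:
        payload, name = l4, "ICMP"
    else:
        payload, name = l4, f"IP proto {proto}"
    return src_ip, dst_ip, name, payload, total_len


def classify_payload(payload):
    """Name a file by its leading bytes. If this segment carries HTTP response
    headers, look at the body after them; a large file's body continues in the
    following segments, which is why every segment is checked."""
    if payload.startswith(b"HTTP/"):
        _, _, payload = payload.partition(b"\r\n\r\n")
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    return None


def account(frames):
    """Bytes per (internal host, protocol) plus the file types each host moved."""
    usage = defaultdict(int)
    files = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, payload, nbytes = parsed
        # Attribute the packet to the internal end of the conversation, whichever way it flows.
        host = src if is_internal(src) else dst if is_internal(dst) else None
        if host is None:
            continue
        usage[(host, proto)] += nbytes
        kind = classify_payload(payload)
        if kind:
            files[host].add(kind)
    return dict(usage), {h: sorted(k) for h, k in files.items()}


def top_talkers(usage, n=3):
    """Hosts ranked by total bytes across all protocols."""
    per_host = defaultdict(int)
    for (host, _proto), nbytes in usage.items():
        per_host[host] += nbytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_frame(src, dst, proto, sport, dport, payload):
    """Constructed test traffic: Ethernet + IPv4 + TCP/UDP header, checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + l4


SAMPLE_FRAMES = [  # constructed, not captured, traffic
    build_frame("10.0.0.5", "203.0.113.10", 6, 40000, 80, b"GET /song HTTP/1.1\r\n"),
    # Server claims text/plain, but the body starts with an ID3 tag: it is an MP3.
    build_frame("203.0.113.10", "10.0.0.5", 6, 80, 40000,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nID3\x03\x00" + b"\x00" * 1400),
    build_frame("203.0.113.10", "10.0.0.5", 6, 80, 40000, b"\xff\xfb\x90\x00" + b"\x00" * 1400),
    build_frame("10.0.0.7", "198.51.100.20", 6, 51000, 25, b"EHLO corp\r\n"),
    build_frame("10.0.0.9", "192.0.2.33", 17, 3000, 1214, b"\x00" * 600),
    build_frame("10.0.0.9", "192.0.2.33", 6, 3001, 1214, b"\x00" * 1200),
]

if __name__ == "__main__":
    usage, files = account(SAMPLE_FRAMES)
    for host, total in top_talkers(usage):
        protos = {p: b for (h, p), b in usage.items() if h == host}
        print(f"{host}: {total} bytes {protos} files={files.get(host, [])}")
```

Port-based labelling is only as good as the port table, which is the same limitation ntop has with applications that hop ports; the magic-byte check is what lets you answer "what type of data" regardless of port or file name, and it is the kind of content match you would express as a custom Snort rule on a production sensor.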
LVL 38

Expert Comment

by:Rich Rumble
ID: 13569727
Typically, to sniff all that traffic, you will need to find the point, or port rather, that they all connect through. When you have such a port, you span that port to another. Spanning is like cc'ing every packet to another interface, so that this sort of thing can happen. With Cisco this is the command (the span must be on the same switch) for a Catalyst 4000 series (same for 5000 or 6000 series):
set span 2/4 3/4
Port 2/4 is the source, or the port that all the traffic is going out to the internet on, and port 3/4 is the port that the Snort or ntop box is sniffing on. You can do the same sort of thing with a hub, but I don't recommend it. If you have remote sites, and there is traffic that stays internal, then you may need to have multiple NICs, or multiple sniffing boxes.
We have most of our users connecting to us via a frame-relay network that terminates to one router. That router only has one connection to our switch, and that's the port you span to another to sniff. VPN is the same: users connect to the VPN concentrator via the internet, then the concentrator has a single connection to our switch, and that is another port that is spanned to our Snort/ntop server. We have six NICs in the Snort/ntop server, and each entry point (five of them) has a spanned session to one of those NICs. The sixth NIC is not spanned; it is just like any other NIC, providing us a way to get on the box and administer it remotely.

Author Comment

ID: 13602268
Well, I don't use a Cisco switch; I use WatchGuard for my VPN. I guess my question then becomes: how do I hook up a PC in such a way as to be able to investigate the traffic without making it susceptible to attack from the outside? I was thinking of putting a hub on my public side with a PC that can see the traffic, but how do I make sure it doesn't get hacked?
LVL 38

Expert Comment

by:Rich Rumble
ID: 13603179
You cannot hack an interface with no IP; the sniffing interfaces are just there to listen, they send no traffic, they only read the traffic. There are DoSes for most of the IDSs out there, but they are able to compensate for this, and keeping up to date with patches will keep DoSing of your IDS down. Basically most DoSes try to fill the DB logs of the IDS or produce an exception in the TCP/IP inspection engines.

Most switches are able to do the spanning function. HP calls it mirroring.
http://support.3com.com/infodeli/tools/switches/ss3/management/ug/cli_mg7a.htm 3Com calls it port-monitoring.
A hub will work, but it's sort of jury-rigging in my opinion. Your switch should be able to do it, unless it's a real el cheapo one.

Expert Comment

ID: 13745922
Free sniffer: