Tool to monitor LAN Traffic

Posted on 2006-05-17
Medium Priority
Last Modified: 2013-11-30
Hi All,
I have a corporate network with 40 computers connected to a domain controller. It is a Windows-based network. We have an ADSL router from an ISP that gives the internet connection. From the router, the connection goes to a Netscreen 5GT firewall and from there it connects to the LAN. Sometimes, due to viruses and other problems, a few machines fire heavy traffic on the network. This causes the entire LAN speed and internet speed to drop. Since the firewall is from our Head Office, I, as an administrator, don't have access to it. Even the ISP can't see the local computers on the router. So it's very difficult to identify which computer is causing the problem or causing this high traffic.
Now I need help. I need to use some software that could tell me the LAN traffic by individual computers on my LAN, either as a graph or through any figures. I need to find which computer is causing all the trouble. What I do now is unplug the LAN cables one by one and observe the traffic. This is really cumbersome.
Can anyone help?
Thanks in advance
Question by:kelpere

Expert Comment

ID: 16699032
Try using a sniffer; Ethereal is one of them. There's a ton out there. Also, have you ever thought that possibly your firewall is causing some disruptions? It would be wise if the head office would give you enough authorization to check for that possibility.

Expert Comment

ID: 16699264

However, I must warn you. If you run Ethereal on machine 1 which is plugged to a router, and you attempt to monitor machine 2 which is also on the router, it won't work. The reason is that the router stops a lot of the traffic.

You have 2 options...

Run ethereal on every machine (easy unless you have a lot of them)


Take out the router, put in a standard HUB (not a switch) and link it to the router. This makes all the traffic go over the hub first. Then you could monitor all the computers at one time, since a hub doesn't block anything. A switch will though, so you have to make sure it is an old-style hub, which is becoming difficult to find.

I would do option one. Look at the switch or router lights and see which one has the most blinking going on, and run Ethereal on that computer to check it.

Hope this helps!

Expert Comment

ID: 16699415
You should configure your 5GT to send network activity logs to a syslog server on your network. Also, on the router you may view network stats. It is abnormal as network administrator to not have access to your security equipment. Ask the head office to create an account on the firewall. Even a restricted account with access privilege to logs will be most helpful.

LVL 14

Expert Comment

ID: 16699767
Many managed switches have the capability to mirror traffic to a port for the purpose of monitoring or packet sniffing. Once you enable that feature and mirror traffic to it, the Ethereal product (or any other product) will work nicely and will not require multiple copies to be installed onto each PC.

Otherwise, maybe not as cumbersome but just as tedious, check out performance monitoring; it comes with every build of Windows. It won't give you things down to the packet level to see the types of traffic, but you can use it to determine the amount of traffic per PC. Once you have narrowed down your suspect PCs, you can go to the next step and use a sniffer or monitoring app to see the packet transactions either from a mirrored (sniffer) port or directly on the PC.
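
The per-PC traffic triage described in the comment above, as an added example that is not part of the original thread: a small parser that totals bytes per source IPv4 address from a classic pcap file, such as one saved by a sniffer on a mirrored port. The function names and the sample addresses are assumptions; the sample capture is constructed in memory so the block runs offline.

```python
import socket
import struct
from collections import Counter

def top_talkers(pcap_bytes, n=5):
    """Return [(src_ip, total_bytes)] for IPv4-over-Ethernet frames."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals = Counter()
    off = 24                           # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(
            end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + minimal IPv4 header (20); EtherType 0x0800.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # ARP, IPv6, VLAN-tagged or truncated
        src = socket.inet_ntoa(frame[26:30])
        totals[src] += orig_len        # on-the-wire size, even if snapped
    return totals.most_common(n)

def _frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 frame with a zero-filled payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + b"\x00" * payload_len

def build_sample():
    """Constructed capture: one noisy host and two quiet ones."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [("192.168.1.23", 1400)] * 3 + [("192.168.1.10", 100)] \
          + [("192.168.1.11", 200)] * 2
    for src, size in flows:
        f = _frame(src, "203.0.113.9", size)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, total in top_talkers(build_sample()):
        print(f"{ip:15} {total:>8} bytes")
```

To use it on a real capture, read the file in binary mode and pass the bytes to `top_talkers`; pcapng files must first be saved in the classic pcap format.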

LVL 79

Accepted Solution

lrmoore earned 120 total points
ID: 16699823

Author Comment

ID: 16707089
Thanks for all the comments, but I find Ethereal is confusing me a little. I will try NTOP. The thing is that the firewall is creating a VPN tunnel to our UK office and the same has been programmed by our hosting center. This is the reason why they don't give us permission over the firewall. I'm really helpless here as it is the Hosting Centre policy.

Now I think I can ask them to provide me at least access to the log files.

Let me try NTOP; meanwhile, I will post back my feedback.


Author Comment

ID: 16782405
NTOP is really good and so is SNIFFER PORTABLE. Sniffer gives me a much better picture of the total traffic.

Friends, any working experience with Sniffer? Suggestions please.
