Solved

How to break down traffic in PRTG?

Posted on 2007-04-03
7
434 Views
Last Modified: 2009-12-16
I am using PRTG to monitor traffic coming off of a hub, just before the firewall.  While monitoring the traffic using the Packet Sniffer mode, viewing the graph, I obverve that at various times there is a huge spike in traffic for an extended period of time.  Then traffic goes back to normal.  

The traffic all falls in the "Other" category, and I can't tell where it's coming from.  Is there a way in PRTG to break this down so I know who is generating all the traffic, ideally by IP addresses?
0
Comment
Question by:lloydr1l
  • 3
  • 2
  • 2
7 Comments
 
LVL 7

Accepted Solution

by:
pkutter earned 500 total points
Comment Utility
I use MRTG, but have my solution may help as well. If your switches support SNMP just turn on SNMP and have PRTG monitor them as well, then you will find the port that is producing all of the traffic. A packet analyzer such as Ethereal may work well if it is a hub and not a switch, or if your switch has port mirroring. It just depends what hardware you have how you want to go about it.

http://www.ethereal.com/
0
 

Author Comment

by:lloydr1l
Comment Utility
The switches are unmanaged, so port mirroring, etc is off.  I do have a hub setup to capture traffic, and I have been using Wireshark (Ethereal) as well to capture.  But the problem I was having with that program was its graphing capability.  I would like to be able to monitor the traffic graphically and watch for spikes.  Then within those spikes narrow down what is causing it and where from.  I"ve  been researching this a little more and saw where someone suggested using NTOP.
0
 
LVL 3

Expert Comment

by:jasoncoleman
Comment Utility
With wireshark(ethereal) you can sort the conversations by bytes transmitted / received.  Go to statistics-> conversations and then click on the column you want to sort. That should help you narrow down where it is coming from. You can then narrow down the capture to traffic from that (those) device(s) and get more info.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:lloydr1l
Comment Utility
jasoncoleman
I've done that, but the problem with conversations, endpoints, etc is they don't show when the bytes transmitted or received takes place.
0
 
LVL 3

Expert Comment

by:jasoncoleman
Comment Utility
Usually I just run the capture right when the spike is happening and then I can sort out who is responsible at that time - it may not work for you though if the timing is unpredictable. Otherwise its tough without managed switches that you can get reporting from. I've never used ntop, it looks like it may do just what you'd like. Hopefully someone else out there can provide more info on it.
0
 

Author Comment

by:lloydr1l
Comment Utility
OK, just had to say, I've been playing with NTOP now for the last 20-30 minutes, and I really like the look of this program.  So if anyone ever comes across this post wondering the same thing, this looks like it might do the trick.  I'm still checking it out though.

I would still like to know if PRTG has some feature like this.  It seems that one could simply select an area of the graph with the mouse and dig in deeper to obtain more information.  Maybe not.  I know you can select an area in PRTG and it will automatically zoom in, but no more information is given.
0
 
LVL 7

Expert Comment

by:pkutter
Comment Utility
I'm sure you're probably already aware of this, but the managed switch at least, at the core of your network, would make this problem much easier to troubleshoot. I was able to justify to management the reason for purchasing a managed switch was to cut down the amount of time that I spent troubleshooting network issues, and also to prove to software vendors that we didn't have a "Network Problem" when it was really a bug in their software. Just some additional thoughts.

Good Luck
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
Resolve DNS query failed errors for Exchange
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now