Sniffing Network Traffic

I am running a W2K3 AD domain with WinXP SP2 across the board. I want to set up a box specifically for monitoring the network traffic for peaks and valleys etc. I know if the workstation I want to use is on a switch, the switch is going to give me just "my" traffic. I have a virtual stack of two HP ProCurve 2650 PoE switches that provide me with the capabilities for port monitoring. Can I use this switch feature to coincide with a box set up for monitoring? If I set up the workstation on a specific port on the switch and enable monitoring, what sniffer would be best suited for the capabilities I am looking for? And will I be able to change between protocols?
armitdept asked:

Erik Bjers, Principal Systems Administrator, commented:
Ethereal http://www.ethereal.com/ - packet capture
Packetizer http://www.paglo.com/opensource - packet capture
Cacti http://www.cacti.net/ - your best bet

These should be able to get you what you need

eb
0
newborn1281 commented:
One of the best sniffers on the market is Wireshark. You could monitor/sniff remote computers, but for that you need ISA Server, which has the full version of the packet scanner from Microsoft.
0
armitdept (author) commented:
How am I going to set this up on the hardware side? Can I do what I mentioned and hook a workstation up to a specified port and let 'er rip?
0

Erik Bjers, Principal Systems Administrator, commented:
If all you need is traffic statistics then you want to use Cacti, as this will give you nice graphs.

What type of switches/routers do you want to monitor? You would need to set up an SNMP community and then have Cacti read the SNMP data to produce its graphs.

eb
0
Erik Bjers, Principal Systems Administrator, commented:
BTW, all three I have recommended are free and will work on Windows or Linux (except Packetizer, which is Windows only).

eb
0
armitdept (author) commented:
I would like to monitor an HP ProCurve 7102dl SR and a virtual stack of two HP ProCurve 2650 switches. I have the SNMP communities already set up.
0
Erik Bjers, Principal Systems Administrator, commented:
Good, then Cacti should work perfectly for you...
If you also want to monitor the health of your servers you can check out GroundWork open source (Google will find it for you), but this is much more complicated.

Please tell me specifically what you want to monitor and I will give you details on how to configure it.

eb
0
armitdept (author) commented:
First and foremost my biggest concern will be port 80 and web site capture. Second, I would like to capture email using port 25 and port 110 if possible. And in the future, IM traffic on MSN Live Messenger.
0
Erik Bjers, Principal Systems Administrator, commented:
Well, Cacti will only give you overall traffic statistics; it will not break out how much is going to each port. The packet capture software will capture all packets sent across the network but will not give you that much in statistics.

eb
0
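The gap Erik describes above (a capture tool records every packet but does not summarise by service, while Cacti summarises by interface but not by port) is easy to close with a small post-processing step over a saved capture. The following is an added example, not code from the thread or from Wireshark or Cacti: it parses a classic libpcap file (Ethernet/IPv4/TCP) and tallies bytes seen on the ports the asker cares about (25, 80 and 110). The capture bytes are constructed inline so the script runs offline; on a real mirror port you would feed it a file saved by Wireshark/Ethereal instead. The "service port" heuristic (the watched port on either side of the conversation) is an assumption of this example.

```python
"""Per-service-port byte totals from a libpcap capture (added example, not the thread's code)."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_port, dst_port, payload_len):
    """Constructed Ethernet/IPv4/TCP frame with a zero-filled payload (checksums left at 0)."""
    payload = b"\x00" * payload_len
    # src, dst, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))   # constructed addresses
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1200000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield (original_length, captured_bytes) for each record in a pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def tcp_ports(frame):
    """Return (src_port, dst_port) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length honours options
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    return struct.unpack_from("!HH", ip, ihl)


def bytes_per_service_port(pcap_bytes, watch_ports=(25, 80, 110)):
    """Sum on-the-wire bytes (orig_len, not the truncated snaplen) per watched port.
    A packet is attributed to the first watched port found on either side (assumed heuristic)."""
    totals = Counter()
    for orig_len, frame in iter_records(pcap_bytes):
        ports = tcp_ports(frame)
        if ports is None:
            continue
        service = next((p for p in ports if p in watch_ports), None)
        if service is not None:
            totals[service] += orig_len
    return dict(totals)


# Constructed sample: HTTP request/response, one SMTP and one POP3 packet, one HTTPS packet
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(51000, 80, 200),
    build_tcp_frame(80, 51000, 1400),
    build_tcp_frame(52000, 25, 600),
    build_tcp_frame(53000, 110, 300),
    build_tcp_frame(54000, 443, 900),   # not watched, so ignored
])

if __name__ == "__main__":
    for port, total in sorted(bytes_per_service_port(SAMPLE_PCAP).items()):
        print(f"port {port}: {total} bytes")
```

Each frame here is 54 header bytes plus its payload, so the sample reports 1708 bytes for port 80, 654 for port 25 and 354 for port 110. Wireshark's own Statistics menu (Conversations, Protocol Hierarchy) gives the same kind of breakdown interactively; a script like this is useful when you want the numbers fed into something else on a schedule.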
armitdept (author) commented:
So can you give me basic setup criteria for overall network analysis?
0
Erik Bjers, Principal Systems Administrator, commented:
Cacti can give you statistics on your network utilization and some other information on your Windows hosts (CPU, memory, page file usage).

Download Cacti from http://cacti.net and install it according to the instructions; they should be fairly easy to follow.
Once you have Cacti installed you access it through a web page.

You can then add devices using the built-in templates, or you can search for specific templates on Google (search "cacti template 'device'"). Then after about 5 - 15 minutes you should start seeing graphs.

It is all very straightforward and there is plenty of configuration help on http://cactiusers.org.

eb
0
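The utilization graphs Erik refers to come from polling the switch's interface octet counters over SNMP at a fixed interval and turning the deltas into a rate, which is also why the first graphs only appear after a couple of polls. The following is an added example (not Cacti's or RRDtool's code) of that arithmetic, with the one edge case that bites on a 100 Mbit/s port: ifInOctets/ifOutOctets are 32-bit counters and wrap at 2^32. The counter readings are constructed.

```python
"""Interface throughput from SNMP octet counters (added example, not Cacti's own code)."""

COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets (RFC 1213) are Counter32
COUNTER64_MAX = 2 ** 64   # ifHCInOctets / ifHCOutOctets (RFC 2863) are Counter64


def counter_delta(prev, curr, width=COUNTER32_MAX):
    """Octets counted between two readings, allowing for at most one counter wrap."""
    if curr >= prev:
        return curr - prev
    return (width - prev) + curr


def bits_per_second(prev_sample, curr_sample, width=COUNTER32_MAX):
    """Each sample is (unix_time, octet_counter). Returns the average bit/s over the interval."""
    t0, c0 = prev_sample
    t1, c1 = curr_sample
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(c0, c1, width) * 8 / (t1 - t0)


def utilisation_percent(bps, if_speed_bps):
    """Link utilisation relative to ifSpeed (100_000_000 for a 100 Mbit/s port)."""
    return 100.0 * bps / if_speed_bps


def seconds_to_wrap(if_speed_bps, width=COUNTER32_MAX):
    """Shortest time a saturated link needs to wrap the counter once."""
    return width * 8 / if_speed_bps


def series_bps(samples, width=COUNTER32_MAX):
    """Rates for each consecutive pair of samples in a polled series."""
    return [bits_per_second(samples[i - 1], samples[i], width) for i in range(1, len(samples))]


# Constructed: three 300-second polls of ifInOctets on a 100 Mbit/s port,
# with the counter wrapping past 2^32 between the first and second poll
SAMPLES = [
    (1200000000, 4294000000),
    (1200000300, 44000000),
    (1200000600, 194000000),
]

if __name__ == "__main__":
    for rate in series_bps(SAMPLES):
        print(f"{rate / 1e6:.2f} Mbit/s, {utilisation_percent(rate, 100_000_000):.1f}% of 100 Mbit/s")
    print(f"32-bit counter can wrap every {seconds_to_wrap(100_000_000):.0f} s at 100 Mbit/s")
```

The wrap matters for the poll interval: at 100 Mbit/s a 32-bit counter can wrap every ~344 seconds, so a 5-minute poll sees at most one wrap and the correction above is enough, but on a gigabit uplink it can wrap every ~34 seconds and deltas become meaningless. On such ports the device must be polled with SNMPv2c so the 64-bit ifHCInOctets/ifHCOutOctets counters are available; Cacti's interface templates offer that choice per device.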
armitdept (author) commented:
I have downloaded it. Can I possibly leave this thread open for the rest of today and tomorrow, and I will touch base back on Thursday? This will give me time to configure and familiarize.

Thanks,
0
Erik Bjers, Principal Systems Administrator, commented:
Leave it open as long as you want.

eb
0
armitdept (author) commented:
Got it up and running. Now, how to capture the data?
0
Erik Bjers, Principal Systems Administrator, commented:
So I'm assuming you can get to the web site, correct?

This link should give you good configuration tips: http://www.cacti.net/downloads/docs/html/graph_howto.html

eb
0
armitdept (author) commented:
I followed the config to the "T" and Cacti sees the switches but is not pulling or "polling" any data. Any advice?
0
Erik Bjers, Principal Systems Administrator, commented:
Did you configure graphs for the devices? There should be an Add Graph button when you select a device.

How long did you wait? It takes about 5 - 15 minutes before data is available.

Are you running Cacti on a Linux or Windows host?

Make sure you hit all the steps in this doc if you installed on Windows: http://www.cacti.net/downloads/docs/html/install_windows.html

This can be a little difficult to get all working, but once you do it is worth it...

Also please post some screen shots showing the device list in cacti.

eb
0
armitdept (author) commented:
This is a Windows host and we've been waiting for about an hour.
cacti-probs.doc
0
Erik Bjers, Principal Systems Administrator, commented:
OK, I think you need to schedule the poller. Give me some time to set up a test environment and I will give you more details.

eb
0
armitdept (author) commented:
I have created the scheduled task for the poller already. I think it might come down to directory permissions of the rrd directory for creating the files. I will let you know. Your lab would be very helpful.

thanks
0
Erik Bjers, Principal Systems Administrator, commented:
Having some problems with my home computer... VMware crashed it and I'm having to rebuild from a backup, so it may take me a day or two to get it tested.

In the meantime there should be an SNMP walk utility that will report SNMP traffic from a device; it should be under Tools or Utilities on the side menu.

Also check your hosts and make sure they are allowed to send SNMP traps to the IP of the computer you have Cacti on.

eb
0
armitdept (author) commented:
No need, my friend. We got it fixed. It was indeed the Task Scheduler. It was created, but not properly. It is now. Let the monitoring begin!!

Enjoy the points, you earned them.

Thanks,
0
armitdept (author) commented:
Nice work, thanks again!!
0
Erik Bjers, Principal Systems Administrator, commented:
Hope you like it, and spread the word.

BTW, there are many excellent plugins for Cacti, including a syslog collector (collect all your syslogs in one place); they can all be found at cactiusers.org.

eb
0