Sniffing Network Traffic

I am running a w2k3 AD Domain with WinXP SP2 across the board. I want to set up a box specifically for monitoring the network traffic for peaks and valleys etc. I know if the workstation I want to use is on a switch, the switch is going to give me just "my" traffic. I have a virtual stack of two HP ProCurve 2650 PoE switches that provide me with the capabilities for port monitoring. Can I use this switch feature to coincide with a box set up for monitoring? I set up the workstation on a specific port on the switch and enable monitoring; what sniffer would be best suited for the capabilities I am looking for? And will I be able to change between protocols?
armitdept asked:
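The port-monitoring arrangement the question describes, shown as an added configuration example (it is not part of the original thread). On the 2600-series ProCurve CLI the feature is called a mirror port: one port is declared the destination and the ports whose traffic should be copied are marked as monitored. The port numbers below are assumptions; port 49 is taken to be the port the capture workstation is plugged into.

```text
ProCurve(config)# mirror-port 49
ProCurve(config)# interface 1-48 monitor
ProCurve(config)# show monitor
```

Two points worth checking before relying on the capture: the mirror is configured on each physical switch, so a two-switch stack needs the destination chosen on the switch that carries the ports of interest, and a single destination port cannot carry more than its own line rate, so mirroring many busy ports onto one 100 Mbit/s port will silently drop copied frames. The capture workstation's NIC should run the sniffer in promiscuous mode and, ideally, carry no IP configuration of its own so that it adds nothing to the traffic it records.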
Erik Bjers (Principal Systems Administrator) commented:
OK, I think you need to schedule the poller. Give me some time to set up a test environment and I will give you more details.

eb
0
 
Erik Bjers (Principal Systems Administrator) commented:
Ethereal http://www.ethereal.com/ - Packet capture
Packetizer http://www.paglo.com/opensource - Packet capture
Cacti http://www.cacti.net/ - Your best bet

These should be able to get you what you need

eb
0
 
newborn1281 commented:
One of the best sniffers on the market is Wireshark. You could monitor/sniff remote computers, but for that you need ISA Server, which has a full version of the packet scanner from Microsoft.
0
 
armitdept (Author) commented:
How am I going to set this up on the hardware side? Can I do what I mentioned and hook a workstation up to a specified port and let 'er rip?
0
 
Erik Bjers (Principal Systems Administrator) commented:
If all you need is traffic statistics then you want to use Cacti, as this will give you nice graphs.

What type of switches/routers do you want to monitor? You would need to set up an SNMP community and then have Cacti read the SNMP data to produce its graphs.

eb

 
0
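What Cacti actually does with the SNMP data it reads is simple counter arithmetic, and seeing it spelled out explains both the "5 to 15 minutes before graphs appear" delay and a common source of nonsense spikes. The block below is an added example, not code from the thread or from Cacti itself: IF-MIB's ifInOctets/ifOutOctets are Counter32 values that only ever increase and wrap at 2^32, so utilisation is the difference between two polls divided by the poll interval, with the wrap handled. The two readings used are constructed, not taken from the asker's switches.

```python
"""Turn raw SNMP interface counters into a bandwidth figure.

Added example (not from the original thread or from Cacti). Models the
arithmetic a poller performs on IF-MIB::ifInOctets / ifOutOctets, which are
Counter32 values: monotonically increasing, wrapping to 0 after 2^32 - 1.
The sample readings are constructed for illustration.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # a Counter32 wraps back to 0 after 4,294,967,295


@dataclass(frozen=True)
class Sample:
    ts: float        # seconds since epoch when the poll completed
    in_octets: int   # IF-MIB::ifInOctets (Counter32)
    out_octets: int  # IF-MIB::ifOutOctets (Counter32)


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MAX) -> int:
    """Bytes counted between two readings, allowing for a single wrap.

    (new - old) mod 2^32 gives the right answer whether or not the counter
    wrapped once between polls; a second wrap within one interval cannot be
    detected from the two values alone (see max_safe_interval)."""
    if not (0 <= old < modulus and 0 <= new < modulus):
        raise ValueError("counter value outside Counter32 range")
    return (new - old) % modulus


def bits_per_second(prev: Sample, cur: Sample) -> tuple[float, float]:
    """(inbound bps, outbound bps) averaged over the polling interval."""
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / interval
    return in_bps, out_bps


def utilisation_percent(bps: float, if_speed_bps: int) -> float:
    """Share of the interface's nominal speed (IF-MIB::ifSpeed) in use."""
    return 100.0 * bps / if_speed_bps


def max_safe_interval(if_speed_bps: int) -> float:
    """Longest poll interval, in seconds, before a Counter32 can wrap twice.

    At 100 Mbit/s this is about 343 s, so a 5-minute poll is fine; at
    1 Gbit/s it is about 34 s, which is why gigabit ports should be graphed
    from the 64-bit ifHCInOctets / ifHCOutOctets counters instead."""
    return COUNTER32_MAX * 8 / if_speed_bps


if __name__ == "__main__":
    # Constructed readings 300 s apart; the inbound counter wraps between them.
    first = Sample(ts=1_000_000.0, in_octets=4_293_967_296, out_octets=1_000_000)
    second = Sample(ts=1_000_300.0, in_octets=500_000, out_octets=38_500_000)
    in_bps, out_bps = bits_per_second(first, second)
    print(f"in : {in_bps:,.0f} bps ({utilisation_percent(in_bps, 100_000_000):.3f}% of 100M)")
    print(f"out: {out_bps:,.0f} bps ({utilisation_percent(out_bps, 100_000_000):.1f}% of 100M)")
    print(f"safe Counter32 poll interval at 100M: {max_safe_interval(100_000_000):.0f} s")
```

The first graph point needs two polls, which is where the initial wait comes from; a poller that runs late or skips a run produces a longer interval rather than a spike, but a poller that reads a 32-bit counter on a port faster than the interval allows will produce averages that are plain wrong.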
 
Erik Bjers (Principal Systems Administrator) commented:
BTW, all three I have recommended are free and will work on Windows or Linux (except Packetizer, which is Windows only).

eb
0
 
armitdept (Author) commented:
I would like to monitor an HP ProCurve 7102dl SR and a virtual stack of two HP ProCurve 2650 switches. I have the SNMP communities already set up.
0
 
Erik Bjers (Principal Systems Administrator) commented:
Good, then Cacti should work perfectly for you...
If you also want to monitor the health of your servers you can check out GroundWork Open Source (Google will find it for you), but this is much more complicated.

Please tell me specifically what you want to monitor and I will give you details on how to configure it.

eb
0
 
armitdept (Author) commented:
First and foremost, my biggest concern will be port 80 and web site capture. Second, I would like to capture email using port 25 and port 110 if possible. And in the future, IM traffic on MSN Live Messenger.
0
 
Erik Bjers (Principal Systems Administrator) commented:
Well, Cacti will only give you overall traffic statistics; it will not break out how much is going to each port. The packet capture software will capture all packets sent across the network but will not give you that much in statistics.

eb
0
 
armitdept (Author) commented:
So can you give me basic setup criteria for overall network analysis?
0
 
Erik Bjers (Principal Systems Administrator) commented:
Cacti can give you statistics on your network utilization and some other information on your Windows hosts (CPU, memory, page file usage).

Download Cacti from http://cacti.net and install it according to the instructions; they should be fairly easy to follow.
Once you have Cacti installed you access it through a web page.

You can then add devices using the built-in templates, or you can search for specific templates on Google (search "cacti template 'device'"). Then, after about 5 - 15 minutes, you should start seeing graphs.

It is all very straightforward and there is plenty of configuration help on http://cactiusers.org.

eb
0
 
armitdept (Author) commented:
I have downloaded it. Can I possibly leave this thread open for the rest of today and tomorrow, and I will touch base back on Thursday? This will give me time to configure and familiarize.

Thanks,
0
 
Erik Bjers (Principal Systems Administrator) commented:
Leave it open as long as you want.

eb
0
 
armitdept (Author) commented:
Got it up and running. Now, how do I capture the data?
0
 
Erik Bjers (Principal Systems Administrator) commented:
So I'm assuming you can get to the web site, correct?

This link should give you good configuration tips: http://www.cacti.net/downloads/docs/html/graph_howto.html

eb
0
 
armitdept (Author) commented:
I followed the config to the "T" and Cacti sees the switches but is not pulling or "polling" any data. Any advice?
0
 
Erik Bjers (Principal Systems Administrator) commented:
Did you configure graphs for the devices? There should be an Add Graph button when you select a device.

How long did you wait? It takes about 5 - 15 minutes before data is available.

Are you running Cacti on a Linux or Windows host?

Make sure you hit all the steps in this doc if you installed on Windows: http://www.cacti.net/downloads/docs/html/install_windows.html

This can be a little difficult to get all working, but once you do it is worth it...

Also please post some screen shots showing the device list in cacti.

eb
0
 
armitdept (Author) commented:
This is a Windows host and we've been waiting for about an hour.
cacti-probs.doc
0
 
armitdept (Author) commented:
I have created the scheduled task for the poller already. I think it might come down to directory permissions on the rrd directory for creating the files. I will let you know. Your lab would be very helpful.

thanks
0
 
Erik Bjers (Principal Systems Administrator) commented:
Having some problems with my home computer... VMware crashed it and I'm having to rebuild from a backup, so it may take me a day or two to get it tested.

In the meantime, there should be an SNMP walk utility that will report SNMP traffic from a device; it should be under Tools or Utilities on the side menu.

Also check your hosts and make sure they are allowed to send SNMP traps to the IP of the computer you have cacti on.

eb
0
 
armitdept (Author) commented:
No need, my friend. We got it fixed. It was indeed the task scheduler. It was created, but not properly. It is now. Let the monitoring begin!!

Enjoy the points, you earned them.

Thanks,
0
 
armitdept (Author) commented:
Nice work, thanks again!!
0
 
Erik Bjers (Principal Systems Administrator) commented:
Hope you like it, and spread the word.

BTW, there are many excellent plugins for Cacti, including a syslog collector (collect all your syslogs in one place); they can all be found at cactiusers.org.

eb
0