
Sniffing Network Traffic

Last Modified: 2012-08-14
I am running a W2K3 AD domain with WinXP SP2 across the board. I want to set up a box specifically for monitoring the network traffic for peaks and valleys etc. I know if the workstation I want to use is on a switch, the switch is going to give me just "my" traffic. I have a virtual stack of two HP ProCurve 2650 PoE switches that provide me with the capabilities for port monitoring. Can I use this switch feature to coincide with a box set up for monitoring? If I set up the workstation on a specific port on the switch and enable monitoring, what sniffer would be best suited for the capabilities I am looking for? And will I be able to change between protocols?

Erik Bjers, Principal Systems Administrator

Commented:
Ethereal http://www.ethereal.com/ - Packet capture
Packetizer http://www.paglo.com/opensource - Packet capture
Cacti http://www.cacti.net/ - Your best bet

These should be able to get you what you need.

eb
One of the best sniffers on the market is Wireshark. You could monitor/sniff remote computers, but for that you need ISA Server, which has the full version of the packet scanner from Microsoft.

Author

Commented:
How am I going to set this up on the hardware side? Can I do what I mentioned and hook a workstation up to a specified port and let 'er rip?
Erik Bjers, Principal Systems Administrator

Commented:
If all you need is traffic statistics then you want to use Cacti, as this will give you nice graphs.

What type of switches/routers do you want to monitor? You would need to set up an SNMP community and then have Cacti read the SNMP data to produce its graphs.

eb

 
Erik Bjers, Principal Systems Administrator

Commented:
BTW, all three I have recommended are free and will work on Windows or Linux (except Packetizer, which is Windows only).

eb

Author

Commented:
I would like to monitor an HP ProCurve 7102dl SR and a virtual stack of two HP ProCurve 2650 switches. I have the SNMP communities already set up.
Erik Bjers, Principal Systems Administrator

Commented:
Good, then Cacti should work perfect for you...
If you also want to monitor the health of your servers you can check out Groundworks open source (Google will find it for you), but this is much more complicated.

Please tell me specifically what you want to monitor and I will give you details on how to configure it.

eb

Author

Commented:
First and foremost, my biggest concern will be port 80 and web site capture. Second, I would like to capture email using port 25 and port 110 if possible. And in the future, IM traffic on MSN Live Messenger.
Erik Bjers, Principal Systems Administrator

Commented:
Well, Cacti will only give you overall traffic statistics; it will not break out how much is going to each port. The packet capture software will capture all packets sent across the network but will not give you that much in statistics.

eb
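As an added example (not from this thread or from the Cacti project), here is the per-port breakdown the packet-capture side can produce and Cacti cannot: total bytes per TCP destination port, for the ports the asker named, read from a pcap file such as a sniffer on the mirrored switch port would write. The pcap is constructed inline with a handful of made-up IPv4/TCP frames so the script runs offline.

```python
import struct
from collections import Counter

# Constructed sample data: a minimal pcap (link type 1 = Ethernet) built in
# memory. In real use, pass the bytes of a capture file written by the sniffer.
def _tcp_frame(dst_port, payload_len):
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))   # made-up hosts
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def build_sample_pcap():
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_tcp_frame(80, 400), _tcp_frame(80, 900), _tcp_frame(25, 300),
              _tcp_frame(110, 150), _tcp_frame(443, 200)]
    out = [header]
    for i, f in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)

def port_byte_stats(pcap):
    """Return {tcp_dst_port: total captured bytes} for IPv4/TCP frames in a pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap files may be either byte order
    off, stats = 24, Counter()
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                         # IP header length
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:      # not TCP / truncated
            continue
        dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        stats[dst_port] += incl_len
    return dict(stats)

def watched_ports(pcap, ports=(80, 25, 110)):
    """Bytes seen toward the ports the asker cares about (0 if none)."""
    stats = port_byte_stats(pcap)
    return {p: stats.get(p, 0) for p in ports}

if __name__ == "__main__":
    print(watched_ports(build_sample_pcap()))
```

Counts are per captured frame (headers included), which is what a utilization graph would show; to reproduce with a real file, replace `build_sample_pcap()` with the file's bytes.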

Author

Commented:
So can you give me basic setup criteria, for overall network analysis?
Erik Bjers, Principal Systems Administrator

Commented:
Cacti can give you statistics on your network utilization and some other information on your Windows hosts (CPU, memory, page file usage).

Download Cacti from http://cacti.net and install it according to the instructions; they should be fairly easy to follow.
Once you have Cacti installed you access it through a web page.

You can then add devices using the built-in templates, or you can search for specific templates on Google (search "cacti template 'device'"). After about 5 - 15 minutes you should start seeing graphs.

It is all very straightforward and there is plenty of configuration help on http://cactiusers.org.

eb

Author

Commented:
I have downloaded it. Can I possibly leave this thread open for the rest of today and tomorrow? I will touch base back on Thursday. This will give me time to configure and familiarize.

Thanks,
Erik Bjers, Principal Systems Administrator

Commented:
Leave it open as long as you want.

eb

Author

Commented:
Got it up and running. Now, how do I capture the data?
Erik Bjers, Principal Systems Administrator

Commented:
So I'm assuming you can get to the web site, correct?

This link should give you good configuration tips: http://www.cacti.net/downloads/docs/html/graph_howto.html

eb

Author

Commented:
I followed the config to the "T" and Cacti sees the switches, but it is not pulling or "polling" any data. Any advice?
Erik Bjers, Principal Systems Administrator

Commented:
Did you configure graphs for the devices? There should be an Add Graph button when you select a device.

How long did you wait? It takes about 5 - 15 minutes before data is available.

Are you running Cacti on a Linux or Windows host?

Make sure you hit all the steps in this doc if you installed on Windows: http://www.cacti.net/downloads/docs/html/install_windows.html

This can be a little difficult to get all working, but once you do it is worth it...

Also, please post some screenshots showing the device list in Cacti.

eb

Author

Commented:
This is a Windows host and we've been waiting for about an hour.
cacti-probs.doc
Principal Systems Administrator
Commented:
OK, I think you need to schedule the poller. Give me some time to set up a test environment and I will give you more details.

eb

Author

Commented:
I have created the scheduled task for the poller already. I think it might come down to directory permissions of the rrd directory for creating the files. I will let you know. Your lab would be very helpful.

thanks
Erik Bjers, Principal Systems Administrator

Commented:
Having some problems with my home computer... VMware crashed it and I'm having to rebuild from a backup, so it may take me a day or 2 to get it tested.

In the meantime, there should be an SNMP walk utility that will report SNMP traffic from a device; it should be under Tools or Utilities on the side menu.

Also check your hosts and make sure they are allowed to send SNMP traps to the IP of the computer you have Cacti on.

eb

Author

Commented:
No need, my friend. We got it fixed. It was indeed the Task Scheduler. It was created, but not properly. It is now. Let the monitoring begin!!

Enjoy the points, you earned them.

Thanks,

Author

Commented:
Nice work, thanks again!!
Erik Bjers, Principal Systems Administrator

Commented:
Hope you like it and spread the word.

BTW, there are many excellent plugins for Cacti, including a syslog collector (collect all your syslogs in one place); they can all be found at cactiusers.org.

eb
