
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 479

Packet Sniffer or Similar Functionality

The DSL line in the office has been slammed lately. I'm going through the process of increasing bandwidth, but I'd also like to identify the individuals in the office who are abusing the bandwidth. Can I get away with software on one of the servers? Or, should I look into a Cisco router that monitors activity by IP? If I go with a Cisco router, should I go with a DSL router or splice in an Ethernet router between the DSL router and the switch?
5 Solutions
Kamaraj Subramanian, Application Support Analyst, Commented:
Free packet sniffer: Wireshark
Could be a little too complex for the job you need.

Some of the great tools I've used in the past are: Cain and Websense.
I would recommend the Cisco router. Possibly the 871 model. Leave the DSL modem in place but set it to bridge mode. Then you can configure a NetFlow monitor like Scrutinizer (www.plixer.com) and tell exactly where your bandwidth is going.
jdana, Author, Commented:
Two follow-up questions:
1) Can I configure a packet sniffer to collect ALL DSL traffic? (And exclude local traffic?)
2) wingatesl - Unfortunately, Qwest (my ISP) doesn't allow transparent bridging on DSL routers connected to their lines. (I've been told it simply doesn't work.) Is there a Cisco DSL router that does effectively the same thing?
You can get DSL models of the 800 series, like the 877.
You can configure the filters on a packet sniffer to exclude local network traffic. It will be difficult to determine bandwidth from the data that is presented though. What type of DSL router are you currently using?
jdana, Author, Commented:
It ain't much, an ActionTec GT701.
No SNMP support on that one.
Are you sure you can't transparent bridge with your Qwest? It might vary from region to region, but I'm in the Pacific NW, and have set up a number of Qwest DSL lines with transparent bridging to routers.

You might try calling tech support again, and make sure you get past the Tier 1 support that just reads you scripted answers.
jdana, Author, Commented:
It couldn't hurt to call them.
Hugh Fraser, Consultant, Commented:
If you're able to sniff the traffic to/from the router, "ntop" will track activity by IP address, protocol, etc. and provide historical trending as well. This can be used to identify bandwidth hogs.
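The per-IP accounting discussed above (sniff at the router, drop local traffic, rank hosts by bytes) can be sketched as follows. This is an added example, not part of any post in the thread; the 192.168.0.0/24 office subnet, the function names and the in-memory sample capture are all assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed office subnet

def build_pcap(packets):
    """Build a classic little-endian pcap (Ethernet link type) in memory.
    packets: (src_ip, dst_ip, payload_len) tuples, constructed sample data."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (src, dst, size) in enumerate(packets):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * size
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def wan_bytes_per_host(pcap, lan=LAN):
    """Sum IPv4 bytes per LAN host, counting only packets that cross the WAN."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    totals, pos = Counter(), 24          # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                     # truncated frame or not IPv4
        ip_len = struct.unpack_from("!H", frame, 16)[0]  # IP total length
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if (src in lan) == (dst in lan):
            continue                     # LAN-to-LAN traffic never uses the DSL line
        totals[str(src if src in lan else dst)] += ip_len
    return totals.most_common()          # heaviest host first

# Constructed sample capture: two hosts, one purely local transfer.
SAMPLE = build_pcap([
    ("192.168.0.23", "203.0.113.10", 1400),
    ("203.0.113.10", "192.168.0.23", 1400),
    ("192.168.0.23", "192.168.0.5", 1400),   # local only, must be ignored
    ("192.168.0.5", "198.51.100.7", 200),
    ("192.168.0.23", "203.0.113.10", 600),
])

if __name__ == "__main__":
    print(wan_bytes_per_host(SAMPLE))
```

The same exclusion can be applied at capture time with a BPF filter such as `not (src net 192.168.0.0/24 and dst net 192.168.0.0/24)`, so the capture file only holds traffic that crossed the DSL link.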
I have to second the Cisco 87x suggestion. The DSL line being slammed does not necessarily mean an abuse of bandwidth is occurring.

Although it is frequent that (for example) a trojan/virus on the LAN may be pegging the DSL link, using all available bandwidth to send spam, or that infected machines are in the course of launching DDoS attacks against victim servers on the internet.

Another possible choice might be, say, a Cisco 1812, depending on how much bandwidth you eventually need.
In either case, be sure to get a unit that allows you to have an advanced security image, i.e. say c 871-sec-k9.

With the QoS capabilities on these units, you can do better than merely identifying the bandwidth (with NetFlow or IP accounting features).

You can actually police traffic, and limit certain types of outbound traffic.

For example, you can identify important traffic, and allow the important
traffic unlimited use of the connection.

While giving all other traffic a lower priority, and limiting it to a certain
amount of bandwidth.

With "Soft QoS", the limit varies depending on important traffic, and
the lower priority traffic can still use much bandwidth, as long as
the important traffic is flowing.

With "Hard QoS", you can impose a hard rate limit on unimportant traffic.

For example, you could construct policies that will classify file sharing traffic,
and limit it to 100 kilobits, even when the link is otherwise completely idle.

So not only does some manageable routing equipment better enable you
to detect the bandwidth sources:

it also provides some tools that allow you to define network routing policies
in order to reduce the negative effect of excessive non-business-critical

The #1 benefit of the 1812 is the ability to add a second ISP whenever you need it.
jdana, Author, Commented:
pzozulka - Thanks for the Wireshark info. I'm experimenting with it.
russell124 - You were right. You can transparent bridge with Qwest.
wingatesl - Thanks for the Cisco 871 and 877 advice.
Mysidia - Thanks for the QoS info.
