Solved

Packet Sniffer or Similar Functionality

Posted on 2008-10-17
13
463 Views
Last Modified: 2013-12-14
The DSL line in the office has been slammed lately. I'm going through the process of increasing bandwidth, but I'd also like to identify the individuals in the office who are abusing the bandwidth. Can I get away with software on one of the servers? Or, should I look into a Cisco router that monitors activity by IP? If I go with a Cisco router, should I go with a DSL router or splice in an Ethernet router between the DSL router and the switch?
0
Comment
Question by:jdana
13 Comments
 
LVL 23

Expert Comment

by:Kamaraj Subramanian
ID: 22745487
0
 
LVL 8

Accepted Solution

by:
pzozulka earned 100 total points
ID: 22745488
Free packet sniffer: Wireshark
Could be a little too complex for the job you need.

Some of the great tools I've used in the past are CAIN and Websense.
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 100 total points
ID: 22745715
I would recommend the Cisco router. Possibly the 871 model. Leave the DSL modem in place but set it to bridge mode. Then you can configure a NetFlow monitor like Scrutinizer (www.plixer.com) and tell exactly where your bandwidth is going.
Shawn
0
 

Author Comment

by:jdana
ID: 22745813
Two follow-up questions:
1) Can I configure a packet sniffer to collect ALL DSL traffic?  (And exclude local traffic?)
2) wingatesl - Unfortunately, Qwest (my ISP) doesn't allow transparent bridging on DSL routers connected to their lines.  (I've been told it simply doesn't work.)  Is there a Cisco DSL router that does effectively the same thing?
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 22745925
You can get DSL models of the 800 series, like the 877.
You can configure the filters on a packet sniffer to exclude local network traffic. It will be difficult to determine bandwidth from the data that is presented though. What type of DSL router are you currently using?
0
 

Author Comment

by:jdana
ID: 22745959
It ain't much, an ActionTec GT701.
0

 
LVL 15

Expert Comment

by:wingatesl
ID: 22745969
No SNMP support on that one.
0
 
LVL 8

Assisted Solution

by:russell124
russell124 earned 100 total points
ID: 22745990
Are you sure you can't transparent bridge with your Qwest? It might vary from region to region, but I'm in the Pacific NW, and have set up a number of Qwest DSL lines with transparent bridging to routers.

You might try calling tech support again, and make sure you get past the Tier 1 support that just reads you scripted answers.
0
 

Author Comment

by:jdana
ID: 22746041
It couldn't hurt to call them.
0
 
LVL 12

Assisted Solution

by:hfraser
hfraser earned 100 total points
ID: 22746494
If you're able to sniff the traffic to/from the router, "ntop" will track activity by IP address, protocol, etc. and provide historical trending as well. This can be used to identify bandwidth hogs.
0
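Added example, not part of the thread: a per-host tally of the kind the answers above describe, counting only traffic that crosses the DSL link and skipping LAN-to-LAN, multicast and broadcast traffic. The LAN subnet 192.168.0.0/24, the function names and the sample records are assumptions constructed for illustration; real input would come from a capture or flow export.

```python
import ipaddress
from collections import defaultdict

# Assumption: the office LAN is 192.168.0.0/24 (the thread does not give it).
LAN = ipaddress.ip_network("192.168.0.0/24")
# The same exclusion as a tcpdump/Wireshark capture filter would be:
#   not (src net 192.168.0.0/24 and dst net 192.168.0.0/24)

# Constructed sample: (source IP, destination IP, bytes) per packet or flow.
SAMPLE = [
    ("192.168.0.10", "203.0.113.5", 1500),
    ("203.0.113.5", "192.168.0.10", 64000),
    ("192.168.0.10", "192.168.0.2", 900000),   # copy to a local file server
    ("192.168.0.23", "198.51.100.7", 480000),
    ("192.168.0.23", "198.51.100.9", 520000),
    ("198.51.100.7", "192.168.0.23", 20000),
    ("192.168.0.31", "224.0.0.251", 300),      # multicast stays on the LAN
    ("203.0.113.80", "192.168.0.31", 150000),
    ("192.168.0.31", "203.0.113.80", 4000),
]

def is_local(addr, lan=LAN):
    """True for LAN hosts and for multicast/broadcast, which never leave the LAN."""
    ip = ipaddress.ip_address(addr)
    return ip in lan or ip.is_multicast or addr == "255.255.255.255"

def wan_usage(records, lan=LAN):
    """Per LAN host, bytes sent to ("up") and received from ("down") the internet."""
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, size in records:
        src_local, dst_local = is_local(src, lan), is_local(dst, lan)
        if src_local == dst_local:
            continue  # LAN-to-LAN (or not ours at all): did not use the DSL link
        if src_local:
            usage[src]["up"] += size
        else:
            usage[dst]["down"] += size
    return dict(usage)

def top_talkers(records, n=3, lan=LAN):
    """Hosts ranked by total bytes across the DSL link, heaviest first."""
    ranked = sorted(wan_usage(records, lan).items(),
                    key=lambda kv: kv[1]["up"] + kv[1]["down"], reverse=True)
    return [(host, c["up"], c["down"]) for host, c in ranked[:n]]

if __name__ == "__main__":
    for host, up, down in top_talkers(SAMPLE):
        print(f"{host:15} up={up:>9} down={down:>9}")
```

Splitting the count into upload and download matters on DSL, where the upstream side is usually the smaller one and a single host sending heavily can saturate it.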
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 100 total points
ID: 22747043
I have to second the Cisco 87x suggestion. The DSL line being slammed does not necessarily mean an abuse of bandwidth is occurring.

Although it is frequent that (for example) a trojan/virus on the LAN may be pegging the DSL link, using all available bandwidth to send spam, or infected machines in the course of launching DDoS attacks against victim servers on the internet.

Another possible choice might be, say, a Cisco 1812, depending on how much bandwidth you eventually need. In either case, be sure to get a unit that allows you to have an advanced security image, i.e. say c 871-sec-k9.

With the QoS capabilities on these units, you can do better than merely identifying the bandwidth (with NetFlow or IP accounting features). You can actually police traffic, and limit certain types of outbound traffic.

For example, you can identify important traffic, and allow the important traffic unlimited use of the connection, while giving all other traffic a lower priority and limiting it to a certain amount of bandwidth.

With "Soft QoS", the limit varies depending on important traffic, and the lower priority traffic can still use much bandwidth, as long as the important traffic is flowing.

With "Hard QoS", you can impose a hard rate limit on unimportant traffic. For example, you could construct policies that will classify file sharing traffic, and limit it to 100 kilobits, even when the link is otherwise completely idle.

So not only does some manageable routing equipment better enable you to detect the bandwidth sources, it also provides some tools that allow you to define network routing policies in order to reduce the negative effect of excessive non-business-critical usage.

0
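Added example, not part of the thread and not router code: a small simulation of the "Hard QoS" case described above, in which a token-bucket policer holds one traffic class to a fixed rate on an otherwise idle link while an unpoliced class passes freely. It assumes "100 kilobits" means 100 kbit/s; the 3000-byte burst, the class names and the packet schedule are constructed for illustration.

```python
class Policer:
    """Single-rate token-bucket policer: conforming packets pass, the rest drop."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bytes * 8
        self.tokens = self.burst_bits   # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        # Refill for the time elapsed since the last packet, capped at the burst.
        earned = (now_ms - self.last_ms) * self.rate_bps // 1000
        self.tokens = min(self.burst_bits, self.tokens + earned)
        self.last_ms = now_ms
        need = size_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False   # exceed action: drop, tokens untouched


def run(packets, policers):
    """packets: time-ordered (time_ms, traffic_class, size_bytes).
    Returns {traffic_class: [bytes_sent, bytes_dropped]}."""
    totals = {}
    for now_ms, cls, size in packets:
        counts = totals.setdefault(cls, [0, 0])
        policer = policers.get(cls)   # a class without a policer is unrestricted
        passed = policer is None or policer.offer(now_ms, size)
        counts[0 if passed else 1] += size
    return totals


def demo():
    # Constructed 10-second load: file sharing offers 1.2 Mbit/s,
    # business traffic sends a 1500-byte packet every 50 ms.
    bulk = [(t, "file-sharing", 1500) for t in range(0, 10_000, 10)]
    biz = [(t, "business", 1500) for t in range(5, 10_000, 50)]
    return run(sorted(bulk + biz), {"file-sharing": Policer(100_000, 3000)})


if __name__ == "__main__":
    for cls, (sent, dropped) in demo().items():
        print(f"{cls:13} sent={sent * 8 // 10:>8} bit/s  dropped={dropped} bytes")
```

The policed class ends up slightly above 100 kbit/s over the 10 seconds because the initial burst allowance is spent on top of the steady refill.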
 
LVL 15

Expert Comment

by:wingatesl
ID: 22747063
The #1 benefit of the 1812 is the ability to add a second ISP whenever you need it.
0
 

Author Closing Comment

by:jdana
ID: 31507320
pzozulka - Thanks for the Wireshark info. I'm experimenting with it.
russell124 - You were right.  You can transparent bridge with Qwest.
wingatesl - Thanks for the Cisco 871 and 877 advice.  
Mysidia - Thanks for the QoS info.
0
