Packet Sniffer or Similar Functionality

Posted on 2008-10-17
Last Modified: 2013-12-14
The DSL line in the office has been slammed lately. I'm going through the process of increasing bandwidth, but I'd also like to identify the individuals in the office who are abusing the bandwidth. Can I get away with software on one of the servers? Or, should I look into a Cisco router that monitors activity by IP? If I go with a Cisco router, should I go with a DSL router or splice in an Ethernet router between the DSL router and the switch?
Question by:jdana
LVL 23

Expert Comment

by:Kamaraj Subramanian
ID: 22745487

Accepted Solution

pzozulka earned 100 total points
ID: 22745488
Free packet sniffer: Wireshark
Could be a little too complex for the job you need.

Some of the great tools I've used in the past are: Cain and Websense
LVL 15

Assisted Solution

wingatesl earned 100 total points
ID: 22745715
I would recommend the Cisco router. Possibly the 871 model. Leave the DSL modem in place but set it to bridge mode. Then you can configure a NetFlow monitor like Scrutinizer and tell exactly where your bandwidth is going.


Author Comment

ID: 22745813
Two following questions
1) Can I configure a packet sniffer to collect ALL DSL traffic?  (And exclude local traffic?)
2) wingatesl - Unfortunately, Qwest (my ISP) doesn't allow transparent bridging on DSL routers connected to their lines.  (I've been told it simply doesn't work.)  Is there a Cisco DSL router that does effectively the same thing?
LVL 15

Expert Comment

ID: 22745925
You can get DSL models of the 800 series, like the 877.
You can configure the filters on a packet sniffer to exclude local network traffic. It will be difficult to determine bandwidth from the data that is presented though. What type of DSL router are you currently using?

Author Comment

ID: 22745959
It ain't much, an ActionTec GT701.
LVL 15

Expert Comment

ID: 22745969
No SNMP support on that one.

Assisted Solution

russell124 earned 100 total points
ID: 22745990
Are you sure you can't transparent bridge with your Qwest? It might vary from region to region, but I'm in the Pacific NW, and have set up a number of Qwest DSL lines with transparent bridging to routers.

You might try calling tech support again, and make sure you get past the Tier 1 support that just reads you scripted answers.

Author Comment

ID: 22746041
It couldn't hurt to call them.
LVL 12

Assisted Solution

hfraser earned 100 total points
ID: 22746494
If you're able to sniff the traffic to/from the router, "ntop" will track activity by IP address, protocol, etc. and provide historical trending as well. This can be used to identify bandwidth hogs.
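
The per-IP accounting discussed in this thread, as an added example that is not part of the original posts and is not code from ntop or Scrutinizer: it totals only the traffic that crosses the DSL link and drops LAN-to-LAN flows. The `192.168.0.0/24` office subnet, the record layout and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed office subnet

# Constructed sample records: (src_ip, dst_ip, src_port, dst_port, bytes)
SAMPLE_FLOWS = [
    ("192.168.0.10", "203.0.113.5", 51000, 443, 120_000),
    ("203.0.113.5", "192.168.0.10", 443, 51000, 2_400_000),
    ("192.168.0.22", "198.51.100.7", 6881, 51413, 9_500_000),
    ("198.51.100.7", "192.168.0.22", 51413, 6881, 1_100_000),
    ("192.168.0.10", "192.168.0.2", 49500, 445, 50_000_000),  # LAN file copy
    ("192.168.0.31", "198.51.100.25", 40222, 25, 3_000_000),
]

def wan_usage(flows, lan=LAN):
    """Return {lan_host: {"up": bytes, "down": bytes, "ports": {remote_port: bytes}}}."""
    usage = defaultdict(lambda: {"up": 0, "down": 0, "ports": defaultdict(int)})
    for src, dst, sport, dport, nbytes in flows:
        src_local = ipaddress.ip_address(src) in lan
        dst_local = ipaddress.ip_address(dst) in lan
        if src_local == dst_local:
            continue  # both ends local (or both remote): not this LAN's WAN usage
        if src_local:
            host, direction, remote_port = src, "up", dport
        else:
            host, direction, remote_port = dst, "down", sport
        usage[host][direction] += nbytes
        usage[host]["ports"][remote_port] += nbytes
    return usage

def top_talkers(flows, n=3):
    """Rank LAN hosts by total bytes across the WAN link, busiest first."""
    rows = []
    for host, u in wan_usage(flows).items():
        busiest_port = max(u["ports"], key=u["ports"].get)
        rows.append((host, u["up"], u["down"], busiest_port))
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)[:n]

if __name__ == "__main__":
    for host, up, down, port in top_talkers(SAMPLE_FLOWS):
        print(f"{host:15} up={up:>10} down={down:>10} busiest remote port={port}")
```

The 50 MB file copy between two LAN hosts never appears in the totals, and a host whose busiest remote port is 25 with upload only stands out for a closer look.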
LVL 23

Assisted Solution

Mysidia earned 100 total points
ID: 22747043
I have to second the Cisco 87x suggestion. The DSL line being slammed does not necessarily mean an abuse of bandwidth is occurring.

Although it is frequent that (for example), a trojan/virus on the LAN may be pegging the DSL link, using all available bandwidth to send spam, or infected machines in the course of launching DDoS attacks against victim servers on the internet.

Another possible choice might be say a Cisco 1812. Depending on how much bandwidth you eventually need.
In either case, be sure to get a unit that allows you to have an advanced security image, i.e. say c 871-sec-k9.

With the QoS capabilities on these units, you can do better than merely identifying the bandwidth (with netflow or ip accounting features)

You can actually police traffic, and limit certain types of outbound traffic.

For example, you can identify important traffic, and allow the important traffic unlimited use of the connection.

While giving all other traffic a lower priority, and limiting it to a certain amount of bandwidth.

With "Soft QoS"; the limit varies depending on important traffic, and the lower priority traffic can still use much bandwidth, as long as the important traffic is flowing.

With "Hard QoS"; you can impose a hard rate limit on unimportant traffic.

For example, you could construct policies that will classify file sharing traffic, and limit it to 100 kilobits, even when the link is otherwise completely idle.

So not only does some manageable routing equipment better enable you to detect the bandwidth sources:

it also provides some tools that allow you to define network routing policies in order to reduce the negative effect of excessive non-business-critical

LVL 15

Expert Comment

ID: 22747063
The #1 benefit of the 1812 is the ability to add a second ISP whenever you need it.

Author Closing Comment

ID: 31507320
pzozulka - Thanks for the Wireshark info. I'm experimenting with it.
russell124 - You were right.  You can transparent bridge with Qwest.
wingatesl - Thanks for the Cisco 871 and 877 advice.  
Mysidia - Thanks for the QoS info.


Question has a verified solution.
