How to best monitor IP traffic in Cisco 1811 router

kmorrison65
Our network is built on a Cisco 1811 router and two Catalyst 2960 switches. We have a need to monitor all web traffic that hits the WAN based on IP or MAC address of our users. I'm familiar with Cisco's IP accounting and have been reading up on various solutions: SNMP Traffic Grapher, NetFlow reporters, using a mirrored port on one of the switches (tough because we use 2 48 hole switches) and using something like Network Probe or Colasoft Capsa to sift through the traffic. We're a small company of about 60 users. I need this to be a low cost solution, easily implemented and easily interpreted. Basically, they want to be able to see who's spending how much time on what websites. Suggestions, please.

Commented:
Do you know what the rough throughput is of the WAN (internet) facing interfaces for each switch in your office? If the throughput is not significant, you can use a port to mirror the VLAN that the internet traffic is on and have it exported to a vacant switch port. There is then a free tool called Ethereal (or Wireshark) that will allow you to sort the information based on conversations between hosts and web servers. Although a free tool, it has a significant feature set. We use it to troubleshoot a variety of issues at our office all the time.

If the throughput is too high, you may need to look at getting a professional grade traffic analyzer appliance to record the data. Another consideration - you may overwhelm your switches' resources by using the mirror port functionality if the throughput is high. Let us know the throughput and we can let you know if it will be safe to mirror the port traffic.

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

I advise Ntop, which is free: ntop.org

Author

Commented:
Thanks for the input, sorry for the delay in response.

I don't know the rough throughput but would imagine it to be fairly significant with around 30 users per switch. Our company uses a lot of internet (wholesale/retail operation with web based back office) plus the typical in house file transfers, print jobs, etc.

I've used Wireshark a good bit, wasn't sure if it is the right tool for this job. It seems a bit backwards to mirror port ALL the network data just so we can view a tiny percentage of it, maybe I'm looking at it wrong.

Checking out Ntop now.
What about utilizing NetFlow and then something like the SolarWinds NetFlow analyzer to pull and sort the data?
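
As an added example (not part of the original thread and not any vendor's code), this is the kind of per-host aggregation a NetFlow analyzer performs on exported flow records: it parses NetFlow v5 datagrams and totals web-port bytes per LAN host. It assumes the router exports v5 to a collector; the function names, the 192.168.1.0/24 LAN prefix and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header (24 bytes)
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record (48 bytes)
TCP, WEB_PORTS = 6, {80, 443}

def parse_v5(datagram):
    """Yield (src, dst, proto, sport, dport, octets) per flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield (ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1]),
               f[13], f[9], f[10], f[6])

def web_bytes_per_host(datagrams, lan):
    """Sum web-flow bytes (both directions) per host inside the LAN prefix."""
    lan = ipaddress.ip_network(lan)
    totals = Counter()
    for datagram in datagrams:
        for src, dst, proto, sport, dport, octets in parse_v5(datagram):
            if proto == TCP and dport in WEB_PORTS and src in lan:
                totals[str(src)] += octets          # upload: host -> web server
            elif proto == TCP and sport in WEB_PORTS and dst in lan:
                totals[str(dst)] += octets          # download: web server -> host
    return dict(totals)

def build_sample():
    """Constructed export datagram (documentation addresses, made-up counters)."""
    flows = [("192.168.1.10", "203.0.113.5", TCP, 51000, 443, 1200),
             ("203.0.113.5", "192.168.1.10", TCP, 443, 51000, 48000),
             ("192.168.1.22", "198.51.100.7", TCP, 51001, 80, 900),
             ("192.168.1.22", "192.168.1.5", 17, 5000, 53, 80)]
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    bytes(4), 1, 2, 10, octets, 0, 1000, sp, dp, 0, 0, proto,
                    0, 0, 0, 0, 0, 0)
        for s, d, proto, sp, dp, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    print(web_bytes_per_host([build_sample()], "192.168.1.0/24"))
```

NetFlow v5 records carry addresses, ports and byte counts but no hostnames or URLs, so this yields per-host web volume by destination IP rather than named websites.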
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Try PRTG if you use mirroring:

http://www.paessler.com/prtg/
