• Status: Solved

Monitor Internet Traffic (LAN Users)

Hi there,

I need some method to monitor internet traffic. My biggest problem is that sometimes our bandwidth is completely stressed and I have no way to find out which users/machines are causing the heavy load.

I can look at the firewall logs, but it is not clear exactly which machines are causing the heavy load.

I am using SonicWall (NSA 3500) as my network firewall. I would really like to get a real-time interface that shows me this information, or if you can help with a procedure for me to track this activity in some other manner.

Third party tools would also be of interest to me, if not too expensive.

Thanks in advance.

FN

 
tuxnani Commented:
You can use Wireshark, and it's very easy and comfortable to use.
http://www.wireshark.org/
See there; there are a pretty good number of tutorials available over the net. It can be used on most OS environments.
 
1oo4 Commented:
The best way to do this is to use an SNMP graphing tool.

http://www.softpedia.com/get/Network-Tools/Bandwidth-Tools/PRTG-Paessler-Router-Traffic-Grapher.shtml

Allow SNMP connection to your firewall first.
 
fasuln (Author) Commented:
Hi 1oo4,

I already use the PRTG tool and I think it's great, but it shows me network-wide level traffic and I can see that there is heavy load, but I cannot see which machines/users or IPs are causing the heavy load. Maybe I have not set it up correctly, so if you can suggest how best to get this info out...

Hi sabk,

Can you please tell me what kind of info 'SYSLOG' gives me? So far, I am not too impressed with the reporting on SonicWall. A screenshot would be great, and I assume that this info has to be passed on to another server, from what I can see in the settings. Can you explain how this is set up?

Hi tuxnani,
I had a quick look at this tool and it looks like a packet capture tool, and although I like using this type of tool for my admin tasks, it does not produce any kind of good reporting for my manager. Is there no software that can show me that (userA) is currently on a (website) or (downloading something), etc.?

GUI is important and reporting is even more important. I am looking to monitor employee internet activity.

Thanks,
 
1oo4 Commented:
If your clients are connected directly to your firewall, then you should poll for the traffic on a specific interface on the firewall. If they are connected to a switch, then use PRTG to SNMP poll the switch for the traffic on the corresponding interface. You will have to modify the OID (or MIB) in PRTG accordingly.
 
fasuln (Author) Commented:
Hi 1oo4,

The setup here is as follows:

1. All users are connected to network switches.
2. The firewall is connected into the switch as a gateway.
3. I have PRTG installed on an XP machine.

I have attached a screenshot of what I see now when I launch PRTG. As you can see, it gives me a network snapshot, which is great, but I need to get a breakdown of IP addresses also.

I am not sure how to set up what you have suggested. It would be great if you can detail exactly what I need to do.

Thanks in advance.
FN
[Attachment: PRTG Screenshot]
 
lrmoore Commented:
NTOP can tell you what you need to know.
http://www.ntop.org

Run NTOP on a PC with 2 NICs in it. One NIC is connected to a mirror port on the switch that mirrors all traffic in/out of the firewall. Use the other NIC to access the web interface/GUI from your workstation.

Else, try ManageEngine's FirewallAnalyzer - http://www.manageengine.com/products/firewall/
It is a simple setup and config. Install it on a server and point the firewall's syslogs to it, and that's about all you have to do.
 
1oo4 Commented:
Log in to the switches and allow SNMP polling from the IP that belongs to PRTG.
Then add the switches as devices to PRTG.
Then add the necessary interfaces on the switches as SNMP traffic probes.
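An added example, not from 1oo4's post or from PRTG: how two polls of per-port octet counters (IF-MIB `ifInOctets`/`ifOutOctets`) become a ranking of the busiest switch ports, including the 32-bit counter wrap. The port names, counter values and 60-second interval are constructed for illustration.

```python
COUNTER32_MODULUS = 2 ** 32  # ifInOctets/ifOutOctets are Counter32 and wrap to 0

# Constructed samples: port name -> (ifInOctets, ifOutOctets), polled 60 s apart.
POLL_1 = {"Gi0/1": (1000000, 2000000),
          "Gi0/7": (4294000000, 500000),
          "Gi0/12": (100, 100)}
POLL_2 = {"Gi0/1": (1600000, 2300000),
          "Gi0/7": (155032704, 950000),   # input counter wrapped between polls
          "Gi0/12": (100, 100)}


def octet_delta(old, new, modulus=COUNTER32_MODULUS):
    """Bytes counted between two polls, tolerating a single counter wrap."""
    return (new - old) % modulus


def port_rates(first, second, interval_s):
    """Return [(port, in_bps, out_bps)] sorted busiest first.

    Seen from the switch, 'in' on an access port is what the attached
    machine sends and 'out' is what it receives (its downloads).
    """
    rates = []
    for port, (in0, out0) in first.items():
        if port not in second:
            continue  # port missing from the second poll, no rate available
        in1, out1 = second[port]
        in_bps = octet_delta(in0, in1) * 8 / interval_s
        out_bps = octet_delta(out0, out1) * 8 / interval_s
        rates.append((port, in_bps, out_bps))
    return sorted(rates, key=lambda r: r[1] + r[2], reverse=True)


if __name__ == "__main__":
    for port, in_bps, out_bps in port_rates(POLL_1, POLL_2, 60):
        print(f"{port:8s} in={in_bps / 1e6:8.3f} Mbit/s out={out_bps / 1e6:8.3f} Mbit/s")
```

A naive `new - old` would report a large negative rate for the wrapped port; on fast links the 64-bit `ifHCInOctets`/`ifHCOutOctets` counters avoid the wrap where the device supports them.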
 
Hofpad Commented:
Dear fasuln,

If you activate "View Point Reporting" (you should have at least a 30-day trial) on your NSA3500, you will be able to set up a virtual appliance (download from MySonicWALL.com) where you can graph the usage of different protocols and the (web) usage of different internal IPs (or users).

You will need to redirect the SonicWALL's syslog traffic to that virtual appliance. After that, you have "near-real-time" graphs, depending on your summarizer interval on the ViewPoint virtual appliance.
 
Mintar Commented:
I am using a program named "WFilter Enterprise". It can show you the real-time connections and bandwidth of every IP address.

Since you have a manageable switch, it is easy to set up. You only need to connect the WFilter computer to a mirroring port of your switch.

http://www.imfirewall.us
 
fasuln (Author) Commented:
Hi everyone,

Just to confirm to you all: I do not have a managed switch.

Can you tell me what my options are without a managed switch?

Thanks,
FN
 
Hofpad Commented:
ViewPoint Reporting from SonicWALL. You can find documentation here:
http://www.sonicwall.com/us/support/3340.html
And you should have a 30-day trial.
 
fasuln (Author) Commented:
Hi Guys,

Thanks for all your advice. I am not a big fan of Viewpoint. I do not use a managed switch, so are there any other good solutions or software?

I like the PRTG software, but it's not clear how to set up IP-level reporting.

Any other advice or step-by-step on PRTG would be great.

FN
 
Mintar Commented:
There're three methods to monitor your network without a manageable switch.
1. Using a broadcasted Hub
2. Windows Gateway, Proxy Server or Bridge
3. ARP Spoofing

http://blog.imfirewall.us/Why+A+Port+Mirroring+Switch+Is+Required+To+Monitor+My+Network+How+To+Monitor+Internet+Usage+Without+A+Manageable+Switch.aspx
 
fasuln (Author) Commented:
Hi Mintar,

Your second option might be the best solution. What is a good proxy server software?

Thanks,
 
sabk Commented:
The SonicWall syslog captures and reports all log activity and includes source & destination addresses, number of bytes transferred and IP service. Syslog support does require that you have a syslog server running on your network and that the syslog daemon is running on UDP port 514. You can use a log analyzer such as SonicWALL's Viewpoint software or WebTrends Firewall Suite to analyse and graph the logged data. The SonicWall appliances can support up to 3 syslog servers at a time.
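An added example (not part of sabk's post or of any SonicWall tooling): a minimal top-talker report over SonicWall-style key=value syslog lines, summing bytes per internal source IP and naming each host's heaviest service. The field names `src`, `proto`, `sent` and `rcvd` and the sample lines are assumptions constructed for illustration; check them against what your firewall actually sends.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed key=value syslog layout; not real firewall output).
SAMPLE_LOG = """\
<134>id=firewall time="2011-01-10 09:00:01" pri=6 msg="Connection Closed" src=192.168.1.23:51544:X0 dst=198.51.100.7:80:X1 proto=tcp/http sent=1840 rcvd=48211034
<134>id=firewall time="2011-01-10 09:00:04" pri=6 msg="Connection Closed" src=192.168.1.40:50212:X0 dst=198.51.100.9:443:X1 proto=tcp/https sent=9120 rcvd=310442
<134>id=firewall time="2011-01-10 09:00:09" pri=6 msg="Connection Closed" src=192.168.1.23:51570:X0 dst=198.51.100.7:80:X1 proto=tcp/http sent=2210 rcvd=51790022
<134>id=firewall time="2011-01-10 09:00:11" pri=6 msg="Administrator login allowed" src=192.168.1.5:0:X0 dst=192.168.1.1:443:X0
<134>id=firewall time="2011-01-10 09:00:12" pri=6 msg="Connection Closed" src=192.168.1.40:53001:X0 dst=192.168.1.1:53:X0 proto=udp/dns sent=74 rcvd=180
<134>id=firewall time="2011-01-10 09:00:15" pri=6 msg="Connection Closed" src=192.168.1.77:4000:X0 dst=198.51.100.3:80:X1 proto=tcp/http sent=12x
"""

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def top_talkers(lines, n=3):
    """Return [(host, total_bytes, busiest_service)], largest total first."""
    totals, services = Counter(), defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if "sent" not in fields and "rcvd" not in fields:
            continue  # not a traffic record (e.g. an admin login event)
        try:
            host = fields["src"].split(":")[0]  # src is ip:port:interface
            nbytes = int(fields.get("sent", 0)) + int(fields.get("rcvd", 0))
        except (KeyError, ValueError):
            continue  # truncated or malformed UDP datagram, skip it
        totals[host] += nbytes
        services[host][fields.get("proto", "unknown")] += nbytes
    return [(h, b, services[h].most_common(1)[0][0])
            for h, b in totals.most_common(n)]


if __name__ == "__main__":
    for host, nbytes, service in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{host:15s} {nbytes / 1e6:10.2f} MB  mostly {service}")
```

Syslog over UDP 514 is unauthenticated and lossy, so treat the totals as an estimate and restrict which hosts may send to the collector.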
 
fasuln (Author) Commented:
Hi sabk,

Thanks for the info. I do not have a syslog server set up, but I will set one up and give your method a try and report back tomorrow.

Thanks
 
fasuln (Author) Commented:
I will use the Viewpoint software for now, but it does not give me all the info I need.

It is however a partial solution for the short term.

Thanks everyone for your help and comments.
 
modus_operandi Commented:
fasuln,

I have reopened your question and started the process of closing it with a split amongst two or more Experts, as that outcome seems more equitable than your original disposition.

modus_operandi
EE Admin
Question has a verified solution.