Solved

Monitor Internet Traffic (LAN Users)

Posted on 2010-11-15
Last Modified: 2012-06-22
Hi there,

I need some method to monitor internet traffic. My biggest problem is that sometimes our bandwidth is completely stressed and I have no way to find out which users/machines are causing the heavy load.

I can look at the firewall logs, but it is not clear exactly which machines are causing the heavy load.

I am using SonicWall (NSA 3500) as my network firewall. I would really like to get a real-time interface that shows me this information, or if you can help with a procedure for me to track this activity in some other manner.

Third party tools would also be of interest to me, if not too expensive.

Thanks in advance.

FN

Question by:fasuln
21 Comments
 
LVL 1

Expert Comment

by:tuxnani
ID: 34135229
You can use Wireshark, and it's very easy and comfortable to use.
http://www.wireshark.org/
See there; there are a pretty good number of tutorials available over the net. It can be used on most OS environments.
0
 
LVL 5

Expert Comment

by:sabk
ID: 34135287
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34135304
The best way to do this is to use an SNMP graphing tool.

http://www.softpedia.com/get/Network-Tools/Bandwidth-Tools/PRTG-Paessler-Router-Traffic-Grapher.shtml

Allow SNMP connection to your firewall first.
0
 

Author Comment

by:fasuln
ID: 34135595
Hi 1oo4:,

I already use the PRTG tool and I think it's great, but it shows me network-wide level traffic and I can see that there is heavy load, but I cannot see which machines/user or IP is causing the heavy load. Maybe I have not set it up correctly, so if you can suggest how best to get this info out..

Hi sabk,

Can you please tell me what kind of info 'SYSLOG' gives me? So far, I am not too impressed with the reporting on SonicWall. A screenshot would be great, and I assume that this info has to be passed on to another server, from what I can see in the setting. Can you explain how this is set up?

Hi tuxnani:
I had a quick look at this tool and it looks like a packet capture tool, and although I like using this type of tool for my admin tasks, it does not produce any kind of good reporting for my manager. Is there no software that can show me that (userA) is currently on a (website) or (downloading something), etc.?

A GUI is important and reporting is even more important. I am looking to monitor employee internet activity.

Thanks,
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34135617
If your clients are connected directly to your firewall then you should poll for the  traffic on a specific interface on the firewall. If they are connected to a switch then use PRTG to SNMP poll the switch for the traffic on the corresponding interface. You will have to modify the OID (or MIB) in PRTG accordingly.
0
 

Author Comment

by:fasuln
ID: 34135719
Hi 1oo4,

the setup here is as follows:

1. All users are connected to network switches
2. The firewall is connected into the switch as a gateway.
3. I have PRTG installed on a XP machine.

I have attached a screenshot of what I see now when I launch PRTG. As you can see, it gives me a network snapshot, which is great, but I need to get a breakdown by IP address also.

I am not sure how to set up what you have suggested. It would be great if you can detail exactly what I need to do.

Thanks in advance.
FN
 PRTG Screenshot
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34135780
NTOP can tell you what you need to know
http://www.ntop.org

Run NTOP on a PC with 2 NIC's in it. One NIC connected to a mirror port on the switch that mirrors all traffic in/out of the firewall. Use the other NIC to access the web interface/GUI from your workstation.

Else, try Manageengine's FirewallAnalyzer - http://www.manageengine.com/products/firewall/
It is simple setup and config. Install it on a server and point the firewall's syslogs to it and that's about all you have to do.
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34136146
Log in to the switches and allow SNMP polling from the IP that belongs to PRTG.
Then add the switches as devices to PRTG
Then add the necessary interfaces on the switches as SNMP traffic probes.
0
 
LVL 3

Assisted Solution

by:Hofpad
Hofpad earned 25 total points
ID: 34136404
Dear fasuln

If you activate "View Point Reporting" (you should have at least a 30-day trial) on your NSA3500, you will be able to set up a virtual appliance (download from MySonicWALL.com) where you can graph the usage of different protocols and the (web) usage of different internal IPs (or users).

You will need to redirect the SonicWALL's syslog traffic to that virtual appliance. After that, you have "near-real-time" graphs, depending on your summarizer interval on the ViewPoint virtual appliance.
0
 
LVL 3

Expert Comment

by:Mintar
ID: 34143651
I am using a program named "WFilter Enterprise"; it can show you the real-time connections and bandwidth of every IP address.

Since you have a manageable switch, it is easy to set up. You only need to connect the WFilter computer to a mirroring port of your switch.

http://www.imfirewall.us
0
 

Author Comment

by:fasuln
ID: 34143691
Hi everyone,

Just to confirm to you all: I do not have a managed switch.

Can you tell me what my options are without a managed switch?

Thanks,
FN
0
 
LVL 3

Expert Comment

by:Hofpad
ID: 34143755
ViewPoint Reporting from SonicWALL. You find Documentation here:
http://www.sonicwall.com/us/support/3340.html
And you should have a 30 day trial.
0
 

Author Comment

by:fasuln
ID: 34179229
Hi Guys,

Thanks for all your advice. I am not a big fan of Viewpoint. I do not use a managed switch, so are there any other good solutions or software?

I like the PRTG software, but it's not clear how to set up IP-level reporting.

Any other advice or step-by-step on PRTG would be great.

FN
0
 
LVL 3

Expert Comment

by:Mintar
ID: 34185001
There're three methods to monitor your network without a manageable switch.
1. Using a broadcasted Hub
2. Windows Gateway, Proxy Server or Bridge
3. ARP Spoofing

http://blog.imfirewall.us/Why+A+Port+Mirroring+Switch+Is+Required+To+Monitor+My+Network+How+To+Monitor+Internet+Usage+Without+A+Manageable+Switch.aspx
0
 

Author Comment

by:fasuln
ID: 34186141
Hi Mintar,

Your second option might be the best solution. What is a good proxy server software?

Thanks,
0
 
LVL 5

Accepted Solution

by:
sabk earned 25 total points
ID: 34204711
The SonicWall syslog captures and reports all log activity and includes source and destination addresses, number of bytes transferred and IP service. Syslog support does require that you have a syslog server running on your network and that the syslog daemon is running on UDP port 514. You can use a log analyzer such as SonicWALL's Viewpoint software or WebTrends Firewall Suite to analyse and graph the logged data. The SonicWall appliances can support up to 3 syslog servers at a time.
0
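
The per-host breakdown that the syslog approach in the accepted answer makes possible, shown as an added example that is not part of the original thread: it sums bytes per internal source IP from firewall syslog lines already collected by a syslog server. The key=value layout and the field names `src`, `proto`, `sent` and `rcvd` are assumptions based on SonicOS-style syslog, the sample lines are constructed, and only IPv4 `ip:port:interface` source values are handled.

```python
import re
from collections import Counter

# key=value pairs; values are either "quoted strings" or bare tokens
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines in an assumed SonicOS-style layout (not real logs).
SAMPLE_LOG = """\
<134>id=firewall time="2010-11-15 10:01:02" m=537 msg="Connection Closed" src=192.168.1.23:51512:X0 dst=198.51.100.7:80:X1 proto=tcp/http sent=4210 rcvd=88123456
<134>id=firewall time="2010-11-15 10:01:05" m=537 msg="Connection Closed" src=192.168.1.40:49233:X0 dst=198.51.100.9:443:X1 proto=tcp/https sent=52000 rcvd=310000
<134>id=firewall time="2010-11-15 10:01:09" m=537 msg="Connection Closed" src=192.168.1.57:50001:X0 dst=203.0.113.53:53:X1 proto=udp/dns sent=900 rcvd=15000
<134>id=firewall time="2010-11-15 10:01:11" m=537 msg="Connection Closed" src=192.168.1.23:51530:X0 dst=198.51.100.9:443:X1 proto=tcp/https sent=1000 rcvd=2000000
<134>id=firewall time="2010-11-15 10:01:12" m=5 msg="Log Cleared"
<134>id=firewall time="2010-11-15 10:01:13" m=537 msg="Connection Closed" src=192.168.1.40:49300:X0 dst=198.51.100.9:443:X1 proto=tcp/https sent=abc rcvd=10
"""


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def top_talkers(lines, limit=10, by_service=False):
    """Sum sent+rcvd bytes per source IP (or per IP and service), largest first."""
    totals = Counter()
    for line in lines:
        fields = parse_line(line)
        if "src" not in fields:
            continue  # not a connection record (e.g. an admin event)
        try:
            nbytes = int(fields.get("sent", 0)) + int(fields.get("rcvd", 0))
        except ValueError:
            continue  # skip records whose byte counters are corrupt
        ip = fields["src"].split(":")[0]  # src is ip:port:interface
        key = (ip, fields.get("proto", "?")) if by_service else ip
        totals[key] += nbytes
    return totals.most_common(limit)


if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {nbytes / 1e6:10.1f} MB")
```

Feed it the file your syslog server writes for the firewall, and pass `by_service=True` to see which service on each host accounts for the load.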
 

Author Comment

by:fasuln
ID: 34212822
Hi sabk,

Thanks for the info. I do not have a syslog server set up, but I will set one up and give your method a try and report back tomorrow.

Thanks
0
 

Author Closing Comment

by:fasuln
ID: 34523321
I will use the Viewpoint software for now, but it does not give me all the info I need.

It is however a partial solution for the short term.

Thanks everyone for your help and comments
0
 
LVL 1

Expert Comment

by:modus_operandi
ID: 34662178
fasuln,
 
I have reopened your question and started the process of closing it with a split amongst two or more Experts, as that outcome seems more equitable than your original disposition.
 
modus_operandi
EE Admin
0
