Solved

Monitor Internet Traffic (LAN Users)

Posted on 2010-11-15
Last Modified: 2012-06-22
Hi there,

I need some method to monitor internet traffic. My biggest problem is that sometimes our bandwidth is completely stressed and I have no way to find out which users/machines are causing the heavy load.

I can look at the firewall logs, but it is not clear exactly which machines are causing the heavy load.

I am using SonicWall (NSA 3500) as my network firewall. I would really like to get a real-time interface that shows me this information, or if you can help with a procedure for me to track this activity in some other manner.

Third party tools would also be of interest to me, if not too expensive.

Thanks in advance.

FN

Question by:fasuln
21 Comments
 
LVL 1

Expert Comment

by:tuxnani
ID: 34135229
You can use Wireshark; it's very easy and comfortable to use.
http://www.wireshark.org/
See there; there are a pretty good number of tutorials available over the net. It can be used on most OS environments.
0
 
LVL 5

Expert Comment

by:sabk
ID: 34135287
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34135304
The best way to do this is to use an SNMP graphing tool.

http://www.softpedia.com/get/Network-Tools/Bandwidth-Tools/PRTG-Paessler-Router-Traffic-Grapher.shtml

Allow SNMP connection to your firewall first.
0

 

Author Comment

by:fasuln
ID: 34135595
Hi 1oo4:,

I already use the PRTG tool and I think it's great, but it shows me network-wide level traffic and I can see that there is heavy load, but I cannot see which machine/user or IP is causing the heavy load. Maybe I have not set it up correctly, so if you can suggest how best to get this info out..

Hi sabk,

Can you please tell me what kind of info 'SYSLOG' gives me? So far, I am not too impressed with the reporting on SonicWall. A screenshot would be great, and I assume that this info has to be passed on to another server, from what I can see in the setting. Can you explain how this is set up?

Hi tuxnani:
I had a quick look at this tool and it looks like a packet capture tool, and although I like using this type of tool for my admin tasks, it does not produce any kind of good reporting for my manager. Is there no software that can show me that (userA) is currently on a (website) or (downloading something) etc.?

GUI is important and reporting is even more important. I am looking to monitor employee internet activity.

Thanks,
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34135617
If your clients are connected directly to your firewall then you should poll for the traffic on a specific interface on the firewall. If they are connected to a switch then use PRTG to SNMP poll the switch for the traffic on the corresponding interface. You will have to modify the OID (or MIB) in PRTG accordingly.
0
 

Author Comment

by:fasuln
ID: 34135719
Hi 1oo4,

the setup here is as follows:

1. All users are connected to network switches
2. The firewall is connected into the switch as a gateway.
3. I have PRTG installed on a XP machine.

I have attached a screenshot of what I see now when I launch PRTG. As you can see, it gives me a network snapshot, which is great, but I need to get a breakdown by IP address also.

I am not sure how to set up what you have suggested. It would be great if you can detail exactly what I need to do.

Thanks in advance.
FN
 PRTG Screenshot
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34135780
NTOP can tell you what you need to know
http://www.ntop.org

Run NTOP on a PC with 2 NICs in it. One NIC connected to a mirror port on the switch that mirrors all traffic in/out of the firewall. Use the other NIC to access the web interface/GUI from your workstation.

Else, try ManageEngine's FirewallAnalyzer - http://www.manageengine.com/products/firewall/
It is simple to set up and configure. Install it on a server and point the firewall's syslogs to it and that's about all you have to do.
0
 
LVL 4

Expert Comment

by:1oo4
ID: 34136146
Log in to the switches and allow SNMP polling from the IP that belongs to PRTG.
Then add the switches as devices to PRTG.
Then add the necessary interfaces on the switches as SNMP traffic probes.
0
 
LVL 3

Assisted Solution

by:Hofpad
Hofpad earned 25 total points
ID: 34136404
Dear fasuln

If you activate "View Point Reporting" (you should have at least a 30-day trial) on your NSA3500, you will be able to set up a virtual appliance (download from MySonicWALL.com) where you can graph the usage of different protocols and the (web) usage of different internal IPs (or users).

You will need to redirect the SonicWALL's syslog traffic to that virtual appliance. After that, you have "near-real-time" graphs, depending on your summarizer interval on the ViewPoint virtual appliance.
0
 
LVL 3

Expert Comment

by:Mintar
ID: 34143651
I am using a program named "WFilter Enterprise"; it can show you the real-time connections and bandwidth of every IP address.

Since you have a manageable switch, it is easy to set up. You only need to connect the WFilter computer to a mirroring port of your switch.

http://www.imfirewall.us
0
 

Author Comment

by:fasuln
ID: 34143691
Hi everyone,

Just to confirm to you all: I do not have a managed switch.

Can you tell me what my options are without a managed switch?

Thanks,
FN
0
 
LVL 3

Expert Comment

by:Hofpad
ID: 34143755
ViewPoint Reporting from SonicWALL. You find Documentation here:
http://www.sonicwall.com/us/support/3340.html
And you should have a 30 day trial.
0
 

Author Comment

by:fasuln
ID: 34179229
Hi Guys,

Thanks for all your advice. I am not a big fan of Viewpoint. I do not use a managed switch, so are there any other good solutions or software?

I like the PRTG software, but it's not clear how to set up IP-level reporting.

Any other advice or step-by-step on PRTG would be great.

FN
0
 
LVL 3

Expert Comment

by:Mintar
ID: 34185001
There're three methods to monitor your network without a manageable switch.
1. Using a broadcasted Hub
2. Windows Gateway, Proxy Server or Bridge
3. ARP Spoofing

http://blog.imfirewall.us/Why+A+Port+Mirroring+Switch+Is+Required+To+Monitor+My+Network+How+To+Monitor+Internet+Usage+Without+A+Manageable+Switch.aspx
0
 

Author Comment

by:fasuln
ID: 34186141
Hi Mintar,

Your second option might be the best solution. What is a good proxy server software?

Thanks,
0
 
LVL 5

Accepted Solution

by:
sabk earned 25 total points
ID: 34204711
The SonicWall syslog captures and reports all log activity and includes source and destination addresses, number of bytes transferred and IP service. Syslog support does require that you have a syslog server running on your network and that the syslog daemon is running on UDP port 514. You can use a log analyzer such as SonicWALL's Viewpoint software or WebTrends Firewall Suite to analyse and graph the logged data. The SonicWall appliances can support up to 3 syslog servers at a time.
0
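The per-host breakdown the accepted answer describes can be computed directly from the collected syslog lines. The following is an added example, not code from any poster in this thread: it assumes the firewall writes key=value fields named `src`, `sent` and `rcvd`, with `src` laid out as `ip:port:interface`, and the sample lines are constructed; check the field names against your own logs.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either a "quoted string" or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (assumed field layout, not captured from a device).
_HEAD = 'id=firewall time="2010-11-15 10:00:0{n}" fw=192.0.2.1 pri=6 '
SAMPLE_LINES = [
    _HEAD.format(n=1) + 'msg="Connection Closed" src=192.168.1.23:51012:X0 '
    'dst=198.51.100.7:80:X1 proto=tcp/http sent=1200 rcvd=48000000',
    _HEAD.format(n=2) + 'msg="Connection Closed" src=192.168.1.23:51013:X0 '
    'dst=198.51.100.9:443:X1 proto=tcp/https sent=800 rcvd=2000000',
    _HEAD.format(n=3) + 'msg="Connection Closed" src=192.168.1.40:40100:X0 '
    'dst=203.0.113.5:80:X1 proto=tcp/http sent=5000 rcvd=90000',
    # No byte counters: ignored for bandwidth accounting.
    _HEAD.format(n=4) + 'msg="Web site hit" src=192.168.1.40:40101:X0 '
    'dst=203.0.113.5:80:X1 proto=tcp/http',
    # Malformed counter: skipped rather than aborting the whole run.
    _HEAD.format(n=5) + 'msg="Connection Closed" src=192.168.1.99:1:X0 '
    'dst=203.0.113.5:80:X1 sent=abc rcvd=10',
]

def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def top_talkers(lines, limit=10):
    """Rank internal source IPs by total bytes (sent + rcvd)."""
    totals = defaultdict(lambda: [0, 0])  # ip -> [bytes, connections]
    for line in lines:
        f = parse_line(line)
        if "src" not in f or not ("sent" in f or "rcvd" in f):
            continue
        try:
            nbytes = int(f.get("sent", 0)) + int(f.get("rcvd", 0))
        except ValueError:
            continue
        ip = f["src"].split(":", 1)[0]  # IPv4 'ip:port:iface' assumed
        totals[ip][0] += nbytes
        totals[ip][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(ip, b, c) for ip, (b, c) in ranked[:limit]]

if __name__ == "__main__":
    for ip, nbytes, conns in top_talkers(SAMPLE_LINES):
        print(f"{ip:15} {nbytes:>12} bytes  {conns} connections")
```

Feed it the lines from the file your syslog server writes; byte counts only appear when a connection is logged with them, so long-lived transfers show up once that log entry is written.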
 

Author Comment

by:fasuln
ID: 34212822
Hi sabk,

Thanks for the info. I do not have a syslog server set up, but I will set one up and give your method a try and report back tomorrow.

Thanks
0
 

Author Closing Comment

by:fasuln
ID: 34523321
I will use the Viewpoint software for now, but it does not give me all the info I need.

It is however a partial solution for the short term.

Thanks everyone for your help and comments
0
 
LVL 1

Expert Comment

by:modus_operandi
ID: 34662178
fasuln,
 
I have reopened your question and started the process of closing it with a split amongst two or more Experts, as that outcome seems more equitable than your original disposition.
 
modus_operandi
EE Admin
0
