Network/Router Traffic Analysis Tool

Quite often we are asked to find the source of speed problems on customers' networks.  Most are small businesses that do not have any kind of advanced router that gives any kind of detail on what is happening on the network at any given time, nor the ability to monitor anything.

What I am wondering is what people are using that works well to monitor just this sort of network problem?  We would like something that is inexpensive and preferably open-source.

I am not opposed to building a dedicated box for something like this.  In fact my preference would be to use a Debian based Linux box for something like this.  We frequently set up this type of server and are quite familiar with the usage.
Asked: bdhtechnology
3 Solutions
 
TimotiSt Commented:
You'll need at least some kind of managed network device to be able to monitor usage.
SNMP bandwidth monitoring is a good start, with MRTG monitoring switchport/router traffic. For a small customer, you can easily track back the user from a switchport.
Better options would be sFlow monitoring, or a dedicated monitor port on a switch with wireshark/snort.

If you absolutely don't have any managed device, you could run wireshark/tcpdump/snort on a laptop/PC, plugged to a normal switchport. It'll mostly only pick up broadcast/multicast traffic, but bad apples have a tendency of using excessive broadcast/multicast anyway, so it might help.

Tamas
bdhtechnology (Author) Commented:
Most of the time there are not any managed devices at all.  That is why I thought of building a Linux box to insert between the router and the rest of the network to monitor just this sort of thing.
TimotiSt Commented:
If you can insert a Linux box in-between, that would be nice.
You can use a bridged config with 2 NICs, so you don't have to reconfig anything at the client site.
Run tcpdump on the bridge interface (be prepared with a lot of hard drive space :) ), and analyze the dumps later with wireshark.
Don't forget that you'll be capturing sensitive/secure data this way; you might want to tell your client beforehand, to avoid any lawsuits.
giltjr Commented:
You may want to look at something like:

http://www.littlepc.com/minipc/multiport/

Small enough to be placed just about anywhere.  You can set up 2 NICs in bridge mode and 1 for management.
bdhtechnology (Author) Commented:
I am more looking for something that I can run at a specific time, or whose output can be logged and/or graphed with mrtg or a similar program.

I just found jnettop: jnettop.kubs.info which seems like it will do just that in real time.  Seems to be exactly what I need for 'live' monitoring.

Any suggestions on what useful things can be done to log the traffic over time to see which internal hosts are using the most bandwidth over time?

@giltjr:
Those look like very interesting boxes indeed.  Have you used one at all, or for any length of time?  I am curious what replacement hardware would run and what the availability would be down the road.
giltjr Commented:
I have not used one of these.  I have built a PC that does the same thing; however, I don't have to lug it from site to site.  I might have to move it from room to room in my building, but not site to site.

If I am just looking at performance problems I don't capture the full frame, only the first 128 bytes.  If I need to capture the full frame, typically it is because I'm looking at an application level issue, so I can filter the capture by IP address.

So I normally don't have to worry about large files.  Especially since it is difficult to look at large files (200MB or larger) in Wireshark.
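An added example, not code from this thread, for the logging question above (which internal hosts use the most bandwidth over time) and for the 128-byte snaplen point: a pure-Python reader for a pcap file as written by tcpdump on the bridge interface, totalling bytes per internal host in 5-minute buckets that could be fed to MRTG or rrdtool. It accounts bytes from each record's original wire length rather than the captured length, so a `tcpdump -s 128` capture still reports full frame sizes. The 192.168.1.0/24 LAN range and the sample capture are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address, ip_network

INTERNAL = ip_network("192.168.1.0/24")  # assumed LAN range (constructed for this example)
BUCKET = 300                             # seconds per sample, matching MRTG's 5-minute interval

def per_host_bytes(pcap: bytes, internal=INTERNAL, bucket=BUCKET):
    """Return {bucket_start: {internal_host: bytes}} from a raw pcap file.
    Uses each record's original (wire) length, not the captured length, so a
    capture made with `tcpdump -s 128` still counts full frame sizes."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond pcap file")
    totals = defaultdict(lambda: defaultdict(int))
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, _usec, caplen, orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Need Ethernet header (14) + IPv4 header through the destination address (20)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6, or truncated before the addresses: skip it
        slot = ts_sec - ts_sec % bucket
        for host in (IPv4Address(frame[26:30]), IPv4Address(frame[30:34])):
            if host in internal:
                totals[slot][str(host)] += orig_len
    return {slot: dict(hosts) for slot, hosts in totals.items()}

def top_talkers(totals, n=3):
    """Sum every bucket and return the n busiest internal hosts as (host, bytes)."""
    grand = defaultdict(int)
    for hosts in totals.values():
        for host, nbytes in hosts.items():
            grand[host] += nbytes
    return sorted(grand.items(), key=lambda kv: kv[1], reverse=True)[:n]

def _record(ts, src, dst, wire_len, snaplen=128):
    """Constructed pcap record: minimal Ethernet+IPv4 frame, truncated like tcpdump -s 128."""
    ip_hdr = (b"\x45\x00" + struct.pack(">H", wire_len - 14) + b"\x00\x00\x00\x00\x40\x06\x00\x00"
              + IPv4Address(src).packed + IPv4Address(dst).packed)
    frame = (b"\x00" * 12 + b"\x08\x00" + ip_hdr).ljust(wire_len, b"\x00")[:snaplen]
    return struct.pack("<IIII", ts, 0, len(frame), wire_len) + frame

# Constructed sample capture (not real traffic): three frames in one 5-minute slot, one in the next
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(1000, "192.168.1.10", "8.8.8.8", 1500),
    _record(1001, "8.8.8.8", "192.168.1.10", 1500),
    _record(1002, "192.168.1.20", "8.8.8.8", 100),
    _record(1400, "192.168.1.10", "8.8.8.8", 60),
])
```

Calling `top_talkers(per_host_bytes(open("capture.pcap", "rb").read()))` on a real dump ranks the internal hosts by bytes; only the first 34 bytes of each frame are read, so the 128-byte snaplen is enough.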
elit2007 Commented:
I use a computer with 2 NICs, and a switch (8 port with management).
I connect the switch between the customer's switch and firewall, and mirror the port connected to the firewall to another port where my PC is listening.
I connect the second NIC of the PC either to the customer net or some other net where I can access it.
HP and Cisco Small Business have inexpensive switches that can be used.

That way if my PC crashes or something they don't lose connection.

I usually use ntop to analyse traffic.
http://www.ntop.org/products/ntop/


I have also used darkstat in the past.
http://unix4lyfe.org/darkstat/
giltjr Commented:
I just happen to have a 1 Gig bypass dual port NIC that I use to put the computer in-line.

If the OS locks up or the PC crashes, the NIC acts like a transparent bridge.  Just fewer things I need to plug into an outlet.

Although if I did not have that, I would use a small managed switch.
bdhtechnology (Author) Commented:
Thanks for all the suggestions, I will check them all out and see what works well for us!