Network/Router Traffic Analysis Tool

Posted on 2013-01-26
Last Modified: 2013-12-29
Quite often we are asked to find the source of speed problems on customer's networks.  Most are small businesses that do not have any kind of advanced router that gives any kind of detail on what is happening on the network at any given time, nor the ability to monitor anything.

What I am wondering is what people are using that works well to monitor just this sort of network problem?  We would like something that is inexpensive and preferably open-source.

I am not opposed to building a dedicated box for something like this.  In fact my preference would be to use a Debian based Linux box for something like this.  We frequently setup this type of server and are quite familiar with the usage.
Question by:bdhtechnology
  • 3
  • 3
  • 2
  • +1
LVL 17

Accepted Solution

TimotiSt earned 167 total points
ID: 38822201
You'll need at least some kind of managed network device to be able to monitor usage.
SNMP bandwidth monitoring is a good start, with MRTG monitoring swithport/router traffic. For a small customer, you can easily track back the user from a switchport.
Better options would be sFlow monitoring, or a dedicated monitor port on a switch with wireshark/snort.

If you absolutely don't have any managed device, you could run wireshark/tcpdump/snort on a laptop/PC, plugged to a normal switchport. It'll mostly only pick up broadcast/multicast traffic, but bad apples have a tendency of using excessive broadcast/multicast anyway, so it might help.


Author Comment

ID: 38822208
Most of the time there are not any managed devices at all.  That is why I thought of building a Linux box to insert between the router and rest of the network to monitor just this sort of thing.
LVL 17

Expert Comment

ID: 38822215
If you can insert a Linux box in-between, that would be nice.
You can use a bridged config with 2 NICs, so you don't have to reconfig anything at the client site.
Run tcpdump on the bridge interface (be prepared with a lot of harddrive space :) ), and analyze the dumps later with wireshark.
Don't forget, you'll be capturing sensitive/secure data this way, you might want to tell your client beforehand, to avoid any lawsuits.
LVL 57

Expert Comment

ID: 38824663
You may want to look at something like:

Small enough to be place just about anywhere.  You can setup 2 NIC's in bridge mode and 1 for management.
Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.


Author Comment

ID: 38856418
I am more looking for something that I can run at a specific time or whose output can be logged and or graphed with mrtg or similar program.

I just found jnettop: which seems like it will do just that in real time.  Seems to be exactly what I need for 'live' monitoring.

Any suggestions on what useful things can be done to log the traffic over time to see which internal hosts are using the most bandwidth over time?

Those look like very interesting boxes indeed.  Have you used one for at all or for any length of time?  I am curious what replacement hardware would run and the availability would be down the road.
LVL 57

Assisted Solution

giltjr earned 166 total points
ID: 38856706
I have not used one of these.  I have built a PC that does the same thing, however I don't have to lug it from site to site.  I might have to move it from room to room in my building, but not site to site.

If I am just looking at performance problems I don't capture the full frame, only the first 128 bytes.  If I need to capture the full frame, typically it is because I'm looking at a application level issue so I can filter the capture by IP address.

So I normally don't have to worry about large files.  Especially since it is difficult to look at large files (200MB or larger) in Wireshark.

Assisted Solution

elit2007 earned 167 total points
ID: 38869791
I use a computer with 2 nic, and a switch (8 port with management)
I connect the switch between the costumers switch and firewall, and mirror the port connected to the firewall to another port where my pc is listening.
I connect the second nic of the pc either to the costumer net or some other net where I can access it.
hp and cisco small business has inexpensive switchs that can be used.

That way if my pc crashes or something they don't loose connection.

I usually use ntop to analyse  traffic.

I have also used darkstat in the past.
LVL 57

Expert Comment

ID: 38870140
I just happen to have a 1 Gig bypass dual port NIC that I use to put the computer in-line.

If the OS locks up or the PC crashes, the NIC acts like a transparent bridge.  Just fewer things I need to plug into an outlet,

Although if I did not have that, I would use a small managed switch.

Author Comment

ID: 38913353
Thanks for all the suggestion, I will check them all out and see what works well for us!

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
VPN 101 - how and which protocol? 9 66
Cisco Switch Password ---Urgent 3 39
Network Config 9 58
EIGRP Multicast vs Unicast 7 44
Transparency shows that a company is the kind of business that it wants people to think it is.
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now