Solved

Network/Router Traffic Analysis Tool

Posted on 2013-01-26
312 Views
Last Modified: 2013-12-29
Quite often we are asked to find the source of speed problems on customers' networks.  Most are small businesses that do not have any kind of advanced router that gives any kind of detail on what is happening on the network at any given time, nor the ability to monitor anything.

What I am wondering is what people are using that works well to monitor just this sort of network problem?  We would like something that is inexpensive and preferably open-source.

I am not opposed to building a dedicated box for something like this.  In fact my preference would be to use a Debian based Linux box for something like this.  We frequently set up this type of server and are quite familiar with the usage.
Question by:bdhtechnology
9 Comments
 
LVL 17

Accepted Solution

by:
TimotiSt earned 668 total points
ID: 38822201
You'll need at least some kind of managed network device to be able to monitor usage.
SNMP bandwidth monitoring is a good start, with MRTG monitoring switchport/router traffic. For a small customer, you can easily track back the user from a switchport.
Better options would be sFlow monitoring, or a dedicated monitor port on a switch with wireshark/snort.

If you absolutely don't have any managed device, you could run wireshark/tcpdump/snort on a laptop/PC plugged into a normal switchport. It'll mostly only pick up broadcast/multicast traffic, but bad apples have a tendency of using excessive broadcast/multicast anyway, so it might help.

Tamas
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 38822208
Most of the time there are not any managed devices at all.  That is why I thought of building a Linux box to insert between the router and the rest of the network to monitor just this sort of thing.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38822215
If you can insert a Linux box in-between, that would be nice.
You can use a bridged config with 2 NICs, so you don't have to reconfig anything at the client site.
Run tcpdump on the bridge interface (be prepared with a lot of hard drive space :) ), and analyze the dumps later with wireshark.
Don't forget, you'll be capturing sensitive/secure data this way; you might want to tell your client beforehand, to avoid any lawsuits.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38824663
You may want to look at something like:

http://www.littlepc.com/minipc/multiport/

Small enough to be placed just about anywhere.  You can set up 2 NICs in bridge mode and 1 for management.
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 38856418
I am more looking for something that I can run at a specific time, or whose output can be logged and/or graphed with mrtg or a similar program.

I just found jnettop: jnettop.kubs.info which seems like it will do just that in real time.  Seems to be exactly what I need for 'live' monitoring.

Any suggestions on what useful things can be done to log the traffic over time to see which internal hosts are using the most bandwidth over time?

@giltjr:
Those look like very interesting boxes indeed.  Have you used one at all, or for any length of time?  I am curious what replacement hardware would run and what the availability would be down the road.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 664 total points
ID: 38856706
I have not used one of these.  I have built a PC that does the same thing; however, I don't have to lug it from site to site.  I might have to move it from room to room in my building, but not site to site.

If I am just looking at performance problems I don't capture the full frame, only the first 128 bytes.  If I need to capture the full frame, typically it is because I'm looking at an application level issue, so I can filter the capture by IP address.

So I normally don't have to worry about large files.  Especially since it is difficult to look at large files (200MB or larger) in Wireshark.
0
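The setup TimotiSt describes (two NICs bridged so nothing at the client site needs reconfiguring, tcpdump on the bridge, analysis later in Wireshark) combined with giltjr's 128-byte snaplen, as an added example rather than code from anyone in this thread. It assumes a Debian box with iproute2 and tcpdump where eth1 and eth2 are the bridged capture ports, eth0 stays for management, and captures go to /var/cap; those names and paths are hypothetical. The commands need root, so DRY_RUN=1 prints them instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): transparent two-NIC bridge plus a
# header-only, rotating tcpdump capture on it.
# Assumptions (hypothetical): capture NICs eth1/eth2, bridge br0, output /var/cap.
# DRY_RUN=1 prints each command instead of executing it (they require root).

DRY_RUN="${DRY_RUN:-0}"
BR="${BR:-br0}"
CAP_DIR="${CAP_DIR:-/var/cap}"

# Execute a command, or echo it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge two NICs without assigning the bridge an IP address: the box forwards
# frames between router and LAN but is not itself addressable on that network.
bridge_up() {
    nic_a="$1"; nic_b="$2"
    run ip link add name "$BR" type bridge
    run ip link set dev "$nic_a" master "$BR"
    run ip link set dev "$nic_b" master "$BR"
    # promiscuous mode so the capture sees every bridged frame, not just ours
    run ip link set dev "$nic_a" promisc on up
    run ip link set dev "$nic_b" promisc on up
    run ip link set dev "$BR" up
}

# Capture on the bridge. -s 128 keeps Ethernet/IP/TCP headers and drops most
# payload, so files stay small and far less of the client's data is retained.
# -G rotates the output file every N seconds (strftime pattern in -w), keeping
# each file small enough to open comfortably in Wireshark.
# Optional second argument is a BPF filter, e.g. 'host 192.0.2.10'.
capture() {
    secs="${1:-300}"
    filter="${2:-}"
    run mkdir -p "$CAP_DIR"
    # $filter is intentionally unquoted so a multi-word BPF expression splits into arguments
    run tcpdump -i "$BR" -nn -s 128 -G "$secs" -w "$CAP_DIR/cap-%Y%m%d-%H%M%S.pcap" $filter
}

# Typical use on the capture box:
#   bridge_up eth1 eth2
#   capture 600 'host 192.0.2.10'
```

Run it once with DRY_RUN=1 to check the exact commands before plugging the box in-line; the bridge carries the client's traffic, so confirm both NICs come up before relying on it.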
 
LVL 1

Assisted Solution

by:elit2007
elit2007 earned 668 total points
ID: 38869791
I use a computer with 2 NICs, and a switch (8 port with management).
I connect the switch between the customer's switch and firewall, and mirror the port connected to the firewall to another port where my PC is listening.
I connect the second NIC of the PC either to the customer net or some other net where I can access it.
HP and Cisco Small Business have inexpensive switches that can be used.

That way if my PC crashes or something they don't lose connection.

I usually use ntop to analyse traffic.
http://www.ntop.org/products/ntop/


I have also used darkstat in the past.
http://unix4lyfe.org/darkstat/
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38870140
I just happen to have a 1 Gig bypass dual port NIC that I use to put the computer in-line.

If the OS locks up or the PC crashes, the NIC acts like a transparent bridge.  Just fewer things I need to plug into an outlet.

Although if I did not have that, I would use a small managed switch.
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 38913353
Thanks for all the suggestions, I will check them all out and see what works well for us!
0
