

Network/Router Traffic Analysis Tool

Posted on 2013-01-26
Medium Priority
Last Modified: 2013-12-29
Quite often we are asked to find the source of speed problems on customers' networks. Most are small businesses that do not have any kind of advanced router that gives any detail on what is happening on the network at any given time, nor the ability to monitor anything.

What I am wondering is what people are using that works well to monitor just this sort of network problem? We would like something that is inexpensive and preferably open-source.

I am not opposed to building a dedicated box for something like this. In fact my preference would be to use a Debian-based Linux box for something like this. We frequently set up this type of server and are quite familiar with the usage.
Question by: bdhtechnology
LVL 17

Accepted Solution

TimotiSt earned 668 total points
ID: 38822201
You'll need at least some kind of managed network device to be able to monitor usage.
SNMP bandwidth monitoring is a good start, with MRTG monitoring switchport/router traffic. For a small customer, you can easily track back the user from a switchport.
Better options would be sFlow monitoring, or a dedicated monitor port on a switch with Wireshark/Snort.

If you absolutely don't have any managed device, you could run Wireshark/tcpdump/Snort on a laptop/PC plugged into a normal switchport. It'll mostly only pick up broadcast/multicast traffic, but bad apples have a tendency to use excessive broadcast/multicast anyway, so it might help.


Author Comment

ID: 38822208
Most of the time there are not any managed devices at all. That is why I thought of building a Linux box to insert between the router and the rest of the network to monitor just this sort of thing.
LVL 17

Expert Comment

ID: 38822215
If you can insert a Linux box in-between, that would be nice.
You can use a bridged config with 2 NICs, so you don't have to reconfig anything at the client site.
Run tcpdump on the bridge interface (be prepared with a lot of hard drive space :) ), and analyze the dumps later with Wireshark.
Don't forget that you'll be capturing sensitive/secure data this way; you might want to tell your client beforehand, to avoid any lawsuits.


LVL 57

Expert Comment

ID: 38824663
You may want to look at something like:


Small enough to be placed just about anywhere. You can set up 2 NICs in bridge mode and 1 for management.

Author Comment

ID: 38856418
I am more looking for something that I can run at a specific time or whose output can be logged and/or graphed with MRTG or a similar program.

I just found jnettop: jnettop.kubs.info which seems like it will do just that in real time.  Seems to be exactly what I need for 'live' monitoring.

Any suggestions on what useful things can be done to log the traffic over time to see which internal hosts are using the most bandwidth over time?

Those look like very interesting boxes indeed. Have you used one at all, or for any length of time? I am curious what replacement hardware would run and what the availability would be down the road.
LVL 57

Assisted Solution

giltjr earned 664 total points
ID: 38856706
I have not used one of these.  I have built a PC that does the same thing, however I don't have to lug it from site to site.  I might have to move it from room to room in my building, but not site to site.

If I am just looking at performance problems I don't capture the full frame, only the first 128 bytes. If I need to capture the full frame, typically it is because I'm looking at an application-level issue, so I can filter the capture by IP address.

So I normally don't have to worry about large files.  Especially since it is difficult to look at large files (200MB or larger) in Wireshark.
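
A capture box of the kind the thread describes, as an added example that is not code from any of the posts: it bridges two NICs so nothing at the client site needs reconfiguring, captures with the 128-byte snaplen mentioned above into rotating files, and sums bytes per internal host from tcpdump's text output so the totals can be logged over time. The interface names eth1/eth2, the bridge name br0, the capture path and the 192.168.1. prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a Debian capture box that sits between the router and LAN switch.
# Interface names eth1/eth2, the bridge name br0, the capture path and the LAN prefix are assumptions.

# 1) Bridge the two capture NICs so nothing at the client site needs reconfiguring (run as root).
setup_bridge() {
    ip link add name br0 type bridge
    ip link set eth1 master br0
    ip link set eth2 master br0
    ip link set eth1 up
    ip link set eth2 up
    ip link set br0 up
}

# 2) Capture on the bridge with a 128-byte snaplen (headers only) into rotating 100 MB files,
#    keeping each dump small enough to open in Wireshark later.
start_capture() {
    tcpdump -i br0 -nn -s 128 -C 100 -W 50 -w /var/captures/br0.pcap
}

# 3) Sum payload bytes per internal host from tcpdump's one-line-per-packet text output, so the
#    totals can be logged over time. Reads stdin; $1 is the internal address prefix. IPv4 only.
top_talkers() {
    awk -v prefix="$1" '
        # Strip a trailing colon and, when a port is present, the port from an address.
        function host(a,   p) {
            sub(/:$/, "", a)
            if (split(a, p, ".") == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return a
        }
        {
            for (i = 1; i <= NF; i++) if ($i == "IP" && $(i + 2) == ">") break
            if (i > NF || $NF !~ /^[0-9]+$/) next      # not an IPv4 packet line we understand
            src = host($(i + 1)); dst = host($(i + 3)); n = $NF
            if (index(src, prefix) == 1) bytes[src] += n
            if (index(dst, prefix) == 1) bytes[dst] += n
        }
        END { for (h in bytes) printf "%s %d\n", h, bytes[h] }
    ' | sort -k2,2nr
}
# Constructed sample of `tcpdump -nn -q -t -r br0.pcap` output (not real customer traffic).
SAMPLE='IP 192.168.1.10.51234 > 93.184.216.34.443: tcp 1460
IP 93.184.216.34.443 > 192.168.1.10.51234: tcp 0
IP 192.168.1.20.53422 > 8.8.8.8.53: UDP, length 48
IP 8.8.8.8.53 > 192.168.1.20.53422: UDP, length 120
IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
IP 192.168.1.10.51234 > 93.184.216.34.443: tcp 1460'
# Ranked internal hosts, busiest first (192.168.1.10 2984, then 192.168.1.20 168).
demo() { printf '%s\n' "$SAMPLE" | top_talkers 192.168.1.; }
```

Pipe `tcpdump -nn -q -t -r br0.pcap | top_talkers 192.168.1.` from cron to append a per-host ranking to a log, or feed the numbers to MRTG.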

Assisted Solution

elit2007 earned 668 total points
ID: 38869791
I use a computer with 2 NICs, and a switch (8-port, with management).
I connect the switch between the customer's switch and firewall, and mirror the port connected to the firewall to another port where my PC is listening.
I connect the second NIC of the PC either to the customer net or some other net where I can access it.
HP and Cisco Small Business have inexpensive switches that can be used.

That way, if my PC crashes or something, they don't lose connection.

I usually use ntop to analyse traffic.

I have also used darkstat in the past.
LVL 57

Expert Comment

ID: 38870140
I just happen to have a 1 Gig bypass dual port NIC that I use to put the computer in-line.

If the OS locks up or the PC crashes, the NIC acts like a transparent bridge. Just fewer things I need to plug into an outlet.

Although if I did not have that, I would use a small managed switch.

Author Comment

ID: 38913353
Thanks for all the suggestions, I will check them all out and see what works well for us!
