Monitor gateway network traffic on Server 2008 R2

Posted on 2014-09-10
Last Modified: 2014-09-29
Hello Experts,

I would like some recommendations for Network Gateway Monitoring Software that can record how much data has passed through a particular NIC for each IP / MAC address. If it records content, that could be helpful, but not essential.

I am willing to spend some money, but not a lot.

Whole story:

I am having some suspect activity on my Internet Hotspot Network.

My WiFi Gateway is recording excessive downloads to certain users connected to it, but unfortunately my Hotspot Gateway Software does not have the reporting abilities I need to find out what is going on.

Just this morning, 2 users were connected to the AP, had received IP addresses from the DHCP server, but had not logged into the hotspot server, and were transferring data through the AP. We're not talking KB here, we are talking high MB, almost GB.

The server is Windows Server 2008 R2 running the Firstspot Hotspot Software. 1 NIC for WAN (internet) access and 1 NIC for LAN (hotspot). WiFi AP is a Ubiquiti UniFi AC.

What I need to know: Is the data that is passing through the AP actually internet data (through the gateway), or something else?

For the meantime, I have just blocked the users' MAC addresses on the AP.


Question by:Jpoppi

Accepted Solution

btan earned 250 total points
ID: 40317310
It will be good if there is already some network device having the unified threat mgmt or next-gen firewall module running on it, or upgrade, so that the app-aware capability can be logged and visualised for a quick turnaround; else likely is to get a proxy or tap the traffic to hear out what is in it (can be Wireshark style but may not be scalable and totally apps-aware though). Like - you could install a bridge between the router and the internal network. All traffic would flow through the bridge, allowing you to temporarily capture packets with something like Wireshark.

Some candidates I am thinking of:

- NetFlow Traffic Analyzer
- Smartview monitor (Check Point, if you happened to have it, and it has "Suspicious Activity Rules")
- PRTG
- WhatsUp flow monitor (has alert for "Exposure of unauthorized applications, including file and music sharing")
- (higher end) Cascade Sensor and Shark (passively inspects packets from SPAN ports or taps)

This article is overwhelming but can give you a quick snapshot summary list of toolkits (some are old and probably non-existent anymore, no need to read that in depth as I see ...but it is very network centric, to OSI layer 4/5 at most then).

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40317511
PRTG and some of the SolarWinds stuff does SNMP monitoring, which works well for switches and routers. Basically it queries the device, gets total packets, does that again every few seconds and determines bandwidth. The devices have to support SNMP (pretty much every router and switch you can log in to).

The other side is flow monitoring (NetFlow, sFlow, IPFIX). SolarWinds has a few products that do that; my personal favorite is Scrutinizer, but the device has to send the flows to your collector. Most brand-name switches and routers can do this (SonicWall, Cisco, Brocade, Dell, HP, etc...)
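The SNMP polling method described above, worked through as an added example (not code from the thread, PRTG or SolarWinds): bandwidth is derived from two successive reads of an interface's octet counters, and the 32-bit ifInOctets/ifOutOctets counters wrap at 2**32 (about every 34 s on a saturated 1 Gbps link), so the delta must correct for that. The samples are constructed; a real poller would read them from the device's IF-MIB.

```python
from dataclasses import dataclass

# Standard ifInOctets/ifOutOctets are 32-bit counters that wrap at 2**32;
# the ifHCInOctets/ifHCOutOctets variants are 64-bit and wrap at 2**64.
COUNTER32_MAX = 2**32
COUNTER64_MAX = 2**64

@dataclass(frozen=True)
class Sample:
    """One poll of an interface: read time (seconds) and both octet counters."""
    t: float
    in_octets: int
    out_octets: int

def counter_delta(old: int, new: int, width: int = COUNTER32_MAX) -> int:
    """Octets transferred between two readings, correcting for a single wrap."""
    if new >= old:
        return new - old
    return new + width - old   # counter rolled over since the last poll

def bits_per_second(prev: Sample, cur: Sample, width: int = COUNTER32_MAX) -> tuple[float, float]:
    """Average (inbound bps, outbound bps) over the interval between two polls."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be in increasing time order")
    d_in = counter_delta(prev.in_octets, cur.in_octets, width)
    d_out = counter_delta(prev.out_octets, cur.out_octets, width)
    return d_in * 8 / interval, d_out * 8 / interval

def rates(samples: list[Sample], width: int = COUNTER32_MAX) -> list[tuple[float, float]]:
    """Rates for each consecutive pair of samples, as a poller loop computes them."""
    return [bits_per_second(a, b, width) for a, b in zip(samples, samples[1:])]

def max_poll_interval(link_bps: float, width: int = COUNTER32_MAX) -> float:
    """Seconds at full link rate before a counter wraps; polling less often
    than this can hide a wrap and makes the computed delta ambiguous."""
    return width * 8 / link_bps

# Constructed samples (not real device data): three polls 5 s apart, where the
# inbound counter passes 2**32 between the second and third poll.
SAMPLES = [
    Sample(0.0, 4_294_900_000, 1_000_000),
    Sample(5.0, 4_294_960_000, 1_500_000),
    Sample(10.0, 20_000, 2_000_000),
]
```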

Author Comment

ID: 40330175
Thanks experts for your suggestions. I am slowly working through all the options.

I haven't compared them all yet, but do all these options work on SNMP? Is SNMP the best way to go?

The only SNMP devices I have are the 4 modems I use for internet access - Cisco SRP527W. (4 modems >>> load balancer >>> hotspot server >>> web managed switch.)

Expert Comment

ID: 40330382
SNMP is the common (or 'traditional') means but is subject to the MIB, which sometimes may not reveal the entirety for granular drilling into the stats; I kind of see it as a means for health checks. For more in-depth detailed analysis, NetFlow, sFlow, syslog etc. can be very handy, and in their combinations...some use cases below.

- SNMP can be used for real-time collection of CPU and memory utilization and facilitates capacity planning (including collecting errors per interface, CBQoS information, and information available on IP SLA such as jitter, MOS and latency).

- NetFlow tells you who and with what is consuming the bandwidth (probably much less data to deal with) and characterizes traffic applications and patterns, e.g. it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.

Depends on what is needed and wanted, as a quick thought.
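The "who is consuming the bandwidth" accounting that flow data gives you, applied to the question's own situation, as an added example (not code from the thread or from any product named in it): per-client byte totals split into traffic whose peer is outside the hotspot LAN (so it must have crossed the gateway) and traffic that stayed local, plus a check for clients that moved data through the gateway without a portal login. The LAN subnet, the flow records and the authenticated-session set are constructed; a NetFlow/sFlow/IPFIX collector or a capture on the LAN NIC, and the hotspot software's session table, would be the real sources.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed hotspot LAN behind the server's LAN NIC (not stated in the thread).
LAN = ip_network("192.168.10.0/24")

# Constructed flow records, as a collector would summarise them:
# (client MAC, client IP, peer IP, total octets). Peers in 203.0.113.0/24 and
# 198.51.100.0/24 are documentation addresses standing in for internet hosts.
FLOWS = [
    ("aa:bb:cc:00:00:01", "192.168.10.21", "203.0.113.5", 850_000_000),
    ("aa:bb:cc:00:00:01", "192.168.10.21", "192.168.10.7", 12_000),
    ("aa:bb:cc:00:00:02", "192.168.10.33", "192.168.10.21", 600_000_000),
    ("aa:bb:cc:00:00:03", "192.168.10.50", "198.51.100.9", 40_000_000),
]

# Clients that have logged in to the hotspot portal (constructed).
AUTHENTICATED = {"192.168.10.50"}

def account(flows, lan=LAN):
    """Per (MAC, IP) octet totals, split by whether the peer is outside the LAN
    (traffic that crossed the gateway) or inside it (local only)."""
    totals = defaultdict(lambda: {"gateway": 0, "local": 0})
    for mac, client_ip, peer_ip, octets in flows:
        bucket = "local" if ip_address(peer_ip) in lan else "gateway"
        totals[(mac, client_ip)][bucket] += octets
    return dict(totals)

def top_talkers(totals, n=3):
    """Clients ordered by total octets, highest first."""
    return sorted(totals.items(), key=lambda kv: sum(kv[1].values()), reverse=True)[:n]

def unauthenticated_gateway_traffic(totals, authenticated):
    """Clients that moved data through the gateway without a portal login,
    which is the pattern the question reports seeing."""
    return [(mac, ip, t["gateway"]) for (mac, ip), t in totals.items()
            if t["gateway"] > 0 and ip not in authenticated]
```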

Author Closing Comment

ID: 40350084
So I had a look at the software suggested, and after doing my own research, the best option appears to be PRTG. It has different "sensors" that don't rely on SNMP. I can install sensors on my server and collect the information I need. It has a free version that provides 10 sensors. The next version is US$440 for 500 sensors. It has the ability to monitor just about everything.
