Monitor gateway network traffic on Server 2008 R2

Posted on 2014-09-10
Medium Priority
Last Modified: 2014-09-29
Hello Experts,

I would like some recommendations for Network Gateway Monitoring Software that can record how much data has passed through a particular NIC for each IP / MAC address. If it records content, that could be helpful, but not essential.

I am willing to spend some money, but not a lot.

Whole story:

I am having some suspect activity on my Internet Hotspot Network.

My WiFi Gateway is recording excessive downloads to certain users connected to it, but unfortunately my Hotspot Gateway Software does not have the reporting abilities I need to find out what is going on.

Just this morning, 2 users were connected to the AP, had received an IP address from the DHCP server, but had not logged into the hotspot server, and were transferring data through the AP. We're not talking KB here, we are talking high MB, almost GB.

The server is Windows Server 2008 R2 running the Firstspot Hotspot Software. 1 NIC for WAN (internet) access and 1 NIC for LAN (hotspot). WiFi AP is a Ubiquiti UniFi AC.

What I need to know: Is the data that is passing through the AP actually internet data (through the gateway), or something else?

For the meantime, I have just blocked the users' MAC addresses on the AP.


Question by: Jpoppi
LVL 64

Accepted Solution

btan earned 500 total points
ID: 40317310
It will be good if there is already some network device having the unified threat mgmt or next gen firewall module running on it (or an upgrade), so that the app-aware capability can be logged and visualised for a quick turnaround; else the likely route is to get a proxy or tap the traffic to hear out what is in it (can be Wireshark style, but may not be scalable and not totally app aware though). Like - you could install a bridge between the router and the internal network. All traffic would flow through the bridge, allowing you to temporarily capture packets with something like Wireshark.

Some candidates I am thinking of:

- NetFlow Traffic Analyzer - http://www.solarwinds.com/netflow-traffic-analyzer.aspx
- Smartview monitor (checkpoint if you happened to have it, and it has "Suspicious Activity Rules") - https://sc1.checkpoint.com/documents/R76/CP_R76_SmartViewMonitor_AdminGuide/index.html
- PRTG - http://www.paessler.com/manuals/prtg/bandwidth_monitoring_comparison.htm
- WhatsUp flow monitor (has alert for "Exposure of unauthorized applications, including file and music sharing") - http://www.whatsupgold.com/products/whatsup-gold-plugins/flow-monitor/
- (higher end) Cascade Sensor and Shark (Passively inspects packets from SPAN ports or taps) - http://www.riverbed.com/blogs/technical-overview-of-riverbeds-cascade.html

This article is overwhelming but can give you a quick snapshot summary list of toolkits (some are old and probably non-existent anymore; no need to read it in depth as I see, but it is very network centric, to OSI layer 4/5 at most) - http://www.cs.wustl.edu/~jain/cse567-06/ftp/net_traffic_monitors3/index.html
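To show what the "bridge or tap, then capture" route in the answer above actually gives you, here is an added example (not code from the thread or from any of the products listed) that reads a libpcap capture and sums bytes per client MAC and per client IP, splitting each client's traffic into frames sent to the gateway, frames received from the gateway, and frames exchanged directly with another client on the LAN. It assumes the capture was taken on the gateway's hotspot (LAN) NIC or on a bridge between the AP and the gateway, and that you know the gateway's LAN-side MAC; the gateway MAC, client MACs, addresses and the capture itself are all constructed for the example. Client-to-client frames never reach the gateway, which is exactly the "internet data or something else?" split the question asks about.

```python
# Added example (not from the thread): per-MAC / per-IP byte accounting over a
# pcap capture, classifying traffic as gateway-bound or purely local.
# Assumed setup: capture taken on the gateway's LAN NIC or a bridge/tap between
# AP and gateway, so every client frame is visible. Frames addressed to the
# gateway's LAN MAC are internet-bound; frames between two client MACs never
# touch the gateway.
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
PCAP_MAGIC = 0xA1B2C3D4


def iter_pcap(data):
    """Yield raw frames from a classic libpcap blob (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for IPv4 frames, else None.
    One 802.1Q tag is stripped so tagged captures are not silently dropped."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_P_8021Q and len(payload) >= 4:
        ethertype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    if ethertype != ETH_P_IP or len(payload) < 20:
        return None
    src_ip = ".".join(str(b) for b in payload[12:16])
    dst_ip = ".".join(str(b) for b in payload[16:20])
    return src_mac, dst_mac, src_ip, dst_ip


def account(pcap_bytes, gateway_mac):
    """Bytes per client MAC split into to_gateway / from_gateway / local, plus
    bytes per client IP. Local (client-to-client) frames are charged to both
    endpoints, since either one may be the abuser."""
    per_mac = defaultdict(lambda: {"to_gateway": 0, "from_gateway": 0, "local": 0})
    per_ip = defaultdict(int)
    gw = gateway_mac.lower()
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue  # ARP, IPv6 etc. are not accounted here
        src_mac, dst_mac, src_ip, dst_ip = parsed
        n = len(frame)
        if dst_mac == gw:
            per_mac[src_mac]["to_gateway"] += n
            per_ip[src_ip] += n
        elif src_mac == gw:
            per_mac[dst_mac]["from_gateway"] += n
            per_ip[dst_ip] += n
        else:
            per_mac[src_mac]["local"] += n
            per_mac[dst_mac]["local"] += n
            per_ip[src_ip] += n
            per_ip[dst_ip] += n
    return dict(per_mac), dict(per_ip)


# --- constructed sample capture (not real traffic) --------------------------
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Minimal Ethernet/IPv4 frame; checksum and L4 content are left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip_hdr + bytes(payload_len)


def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1410300000 + i, 0, len(f), len(f)) + f
    return out


GATEWAY_MAC = "00:11:22:33:44:55"  # assumed LAN-side MAC of the hotspot server
CLIENT_A, CLIENT_B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
SAMPLE_PCAP = _pcap(
    [_frame(CLIENT_A, GATEWAY_MAC, "10.0.0.10", "203.0.113.5", 1000)]        # A -> internet
    + [_frame(GATEWAY_MAC, CLIENT_A, "203.0.113.5", "10.0.0.10", 1400)] * 3  # internet -> A
    + [_frame(CLIENT_A, CLIENT_B, "10.0.0.10", "10.0.0.11", 1400)] * 5       # A <-> B, never leaves the LAN
)

if __name__ == "__main__":
    per_mac, per_ip = account(SAMPLE_PCAP, GATEWAY_MAC)
    for mac, counts in sorted(per_mac.items(), key=lambda kv: -sum(kv[1].values())):
        print(mac, counts)
    print(per_ip)
```

On a real capture, replace SAMPLE_PCAP with the bytes of a file saved by Wireshark or tcpdump in classic pcap format (not pcapng); a client whose "local" column dwarfs its gateway columns is moving data to other hotspot clients, not to the internet, and blocking its MAC on the AP was the right reflex. Note that this only sees traffic that crosses the capture point: if the AP forwards client-to-client frames without sending them to the wired side, a capture on the gateway NIC will not show them at all, and you need a SPAN/tap at the AP uplink or the AP's own station statistics.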
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 500 total points
ID: 40317511
PRTG and some of the SolarWinds stuff does SNMP monitoring, which works well for switches and routers. Basically it queries the device, gets total packets, does that again every few seconds and determines bandwidth. The devices have to support SNMP (pretty much every router and switch you can log in to).

The other side is flow monitoring (NetFlow, sFlow, IPFIX). SolarWinds has a few products that do that; my personal favorite is Scrutinizer, but the device has to send the flows to your collector. Most brand name switches and routers can do this (SonicWall, Cisco, Brocade, Dell, HP, etc...)
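The "query the counter, query it again, work out the bandwidth" loop described above is simple, but it has one trap that every SNMP poller has to handle: the standard 32-bit interface octet counters (IF-MIB ifInOctets/ifOutOctets) wrap at 2^32 bytes, which at 1 Gbit/s is roughly every 34 seconds, so a naive subtraction between polls produces a huge negative number. The following is an added example, not code from the thread or from PRTG or SolarWinds; the poll samples are constructed rather than real SNMP responses, and in practice they would come from polling ifInOctets (32-bit) or ifHCInOctets (64-bit) on the switch or modem.

```python
# Added example (not from the thread): turning polled SNMP interface octet
# counters into a bandwidth figure, the way the SNMP monitors above work.
# Samples are constructed, not real SNMP responses. The wrinkle shown is
# counter wrap: a 32-bit octet counter wraps every 2**32 bytes, about 34 s at
# 1 Gbit/s, so naive subtraction goes negative.
from dataclasses import dataclass

COUNTER_MODULUS = {32: 2 ** 32, 64: 2 ** 64}


@dataclass(frozen=True)
class Sample:
    t: float       # epoch seconds when the poll returned
    octets: int    # raw counter value reported by the agent


def counter_delta(prev, cur, width=32):
    """Octets transferred between two readings, correcting for a single wrap."""
    modulus = COUNTER_MODULUS[width]
    if not (0 <= prev < modulus and 0 <= cur < modulus):
        raise ValueError("counter value outside the declared width")
    return (cur - prev) % modulus


def rate_bps(prev, cur, width=32):
    """Average bits per second between two polls of the same interface."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    return counter_delta(prev.octets, cur.octets, width) * 8 / dt


def max_poll_interval(link_bps, width=32):
    """Longest poll interval that cannot hide a second wrap at full link speed.
    Poll more often than this (or use the 64-bit HC counters) or a double
    wrap becomes indistinguishable from a small delta."""
    return COUNTER_MODULUS[width] * 8 / link_bps


def rates_from_polls(samples, width=32):
    """Per-interval rates for a chronological list of Samples."""
    return [rate_bps(a, b, width) for a, b in zip(samples, samples[1:])]


# Constructed poll history: a 32-bit counter approaching 2**32 and wrapping.
POLLS = [
    Sample(0.0, 4_294_000_000),
    Sample(10.0, 500_000),     # wrapped: naive delta would be -4,293,500,000
    Sample(20.0, 1_700_000),
]

if __name__ == "__main__":
    for a, b, r in zip(POLLS, POLLS[1:], rates_from_polls(POLLS)):
        print(f"{a.t:>5.0f}s -> {b.t:>5.0f}s : {r / 1e6:8.3f} Mbit/s")
    print("max safe 32-bit poll interval at 1 Gbit/s:",
          round(max_poll_interval(1e9), 1), "s")
```

A counter reset (device reboot) looks like a wrap to this code and yields one bogus interval; pollers usually cross-check sysUpTime and discard the interval when it went backwards. Also note the SNMP figure is per interface, not per client: on this hotspot it tells you the LAN NIC moved a lot of bytes, but not which MAC did it, which is why the per-IP/MAC question needs flow export or a capture.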

Author Comment

ID: 40330175
Thanks experts for your suggestions. I am slowly working through all the options.

I haven't compared them all yet, but do all these options work on SNMP? Is SNMP the best way to go?

The only SNMP devices I have are the 4 modems I use for internet access - Cisco SRP527W. (4 modems >>> load balancer >>> hotspot server >>> web managed switch.)
LVL 64

Expert Comment

ID: 40330382
SNMP is the common (or 'traditional') means but is subject to the MIB, which sometimes may not reveal the entirety for granular drilling into the stats; I kind of see it as a means for health checks. For more in-depth, detailed analysis, NetFlow, sFlow, syslog etc. can be very handy, and in combination... some use cases below.

- SNMP can be used for real-time; collects CPU and memory utilization, facilitates capacity planning (including collecting errors per interface and CBQoS information, including information available on IP SLA such as jitter, MOS and latency)

- NetFlow tells you who and with what is consuming the bandwidth (probably much less data to deal with), characterizes traffic applications and patterns, e.g. plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.

Depends on what is needed and wanted, as a quick thought.

Author Closing Comment

ID: 40350084
So I had a look at the software suggested, and after doing my own research, the best option appears to be PRTG. It has different "sensors" that don't rely on SNMP. I can install sensors on my server and collect the information I need. It has a free version that provides 10 sensors. The next version is US$440 for 500 sensors. It has the ability to monitor just about everything.
