Monitor gateway network traffic on Server 2008 R2

Posted on 2014-09-10
Last Modified: 2014-09-29
Hello Experts,

I would like some recommendations for Network Gateway Monitoring Software that can record how much data has passed through a particular NIC for each IP / MAC address. If it records content, that could be helpful, but not essential.

I am willing to spend some money, but not a lot.

Whole story:

I am having some suspect activity on my Internet Hotspot Network.

My WiFi Gateway is recording excessive downloads to certain users connected to it, but unfortunately my Hotspot Gateway Software does not have the reporting abilities I need to find out what is going on.

Just this morning, 2 users were connected to the AP, had received an IP address from the DHCP server, but had not logged into the hotspot server, and were transferring data through the AP. We're not talking KB here, we are talking high MB, almost GB.

The server is Windows Server 2008 R2 running the Firstspot Hotspot Software. 1 NIC for WAN (internet) access and 1 NIC for LAN (hotspot). WiFi AP is a Ubiquiti UniFi AC.

What I need to know: Is the data that is passing through the AP actually internet data (through the gateway), or something else?

For the meantime, I have just blocked the users' MAC addresses on the AP.

Question by: Jpoppi

Accepted Solution

btan earned 250 total points
ID: 40317310
It will be good if there is already some network device having the unified threat mgmt or next gen firewall module running on it, or upgrade, so that the app aware capability can be logged and visualised for a quick turnaround; else likely is to get a proxy or tap the traffic to hear out what is in it (can be Wireshark style but may not be scalable and totally apps aware though). Like - You could install a bridge between the router and the internal network. All traffic would flow through the bridge, allowing you to temporarily capture packets with something like Wireshark.

Some candidates I am thinking of:

- NetFlow Traffic Analyzer
- Smartview monitor (Check Point, if you happen to have it, and it has "Suspicious Activity Rules")
- PRTG
- WhatsUp flow monitor (has alert for "Exposure of unauthorized applications, including file and music sharing")
- (higher end) Cascade Sensor and Shark (passively inspects packets from SPAN ports or taps)

This article is overwhelming but can give you a quick snapshot summary list of toolkits (some are old and probably non-existent anymore, no need to read that in depth as I see... but it is very network centric, to OSI layer 4/5 at most).

Assisted Solution

by: Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40317511
PRTG and some of the SolarWinds stuff does SNMP monitoring, which works well for switches and routers. Basically it queries the device, gets total packets, does that again every few seconds and determines bandwidth. The devices have to support SNMP (pretty much every router and switch you can log in to).

The other side is flow monitoring (NetFlow, sFlow, IPFIX). SolarWinds has a few products that do that; my personal favorite is Scrutinizer, but the device has to send the flows to your collector. Most brand name switches and routers can do this (SonicWall, Cisco, Brocade, Dell, HP, etc...).

Author Comment

ID: 40330175
Thanks experts for your suggestions. I am slowly working through all the options.

I haven't compared them all yet, but do all these options work on SNMP? Is SNMP the best way to go?

The only SNMP devices I have are the 4 modems I use for internet access - Cisco SRP527W. (4 modems >>> load balancer >>> hotspot server >>> web managed switch.)

Expert Comment

ID: 40330382
SNMP is the common (or 'traditional') means but subject to the MIB, which sometimes may not reveal the entirety for granular drilling into the stats; I kind of see it as a means for health checks. For more in-depth detailed analysis, NetFlow, sFlow, syslog etc. can be very handy, and in their combinations... some use cases below.

- SNMP can be used in real time to collect CPU and memory utilization and facilitates capacity planning (including collecting errors per interface, CBQoS information, and information available on IP SLA such as jitter, MOS and latency)

- NetFlow tells you who and with what is consuming the bandwidth (probably much less data to deal with), characterizes traffic applications and patterns, e.g. plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.

Depends what is needed and wanted, as a quick thought.
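As an added illustration of the two approaches the answers above describe (not code from the thread or from any of the named products): the SNMP "poll the octet counter, poll again, take the difference" method, including the Counter32 rollover that a naive subtraction gets wrong, beside per-host accounting from flow records, which is what actually answers the question of which MAC/IP moved the data and whether it left via the WAN NIC. All sample polls and flow records are constructed; the `out_if` field and the record layout are assumptions, not a real NetFlow field set.

```python
"""Two ways to account for gateway traffic, as discussed in the thread:
SNMP interface counters (totals per NIC) and flow records (totals per
host). Added example, not from the thread; all sample data is constructed."""
from collections import defaultdict

COUNTER32_MAX = 2 ** 32  # ifInOctets/ifOutOctets are SNMP Counter32 values


def rate_from_counters(samples):
    """Turn successive (timestamp_s, octet_counter) polls into bit/s rates.

    This is the "poll, poll again, take the difference" method. A Counter32
    wraps at 2**32 (every ~34 s on a saturated 1 Gbit/s link), so a reading
    smaller than the previous one is a rollover, not negative traffic.
    """
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0
        if delta < 0:
            delta += COUNTER32_MAX
        rates.append(delta * 8 / (t1 - t0))
    return rates


def bytes_per_host(flows, key="src_mac"):
    """Sum bytes per host from NetFlow/IPFIX-style records (plain dicts here),
    split by egress interface, so traffic that left via the WAN NIC (real
    internet use) is separated from traffic that stayed on the LAN side."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f[key]][f["out_if"]] += f["bytes"]
    return {h: dict(per_if) for h, per_if in totals.items()}


def heavy_hosts(flows, threshold_bytes, key="src_mac"):
    """Hosts whose bytes across all egress interfaces reach the threshold."""
    return sorted(h for h, per_if in bytes_per_host(flows, key).items()
                  if sum(per_if.values()) >= threshold_bytes)


# Constructed sample data: two hotspot clients, one of them moving ~1 GB.
# The second poll is lower than the first: the counter wrapped in between.
SAMPLE_POLLS = [(0, 4_294_000_000), (10, 1_000_000), (20, 11_000_000)]
SAMPLE_FLOWS = [
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.50", "out_if": "WAN", "bytes": 800_000_000},
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.50", "out_if": "LAN", "bytes": 150_000_000},
    {"src_mac": "aa:bb:cc:00:00:02", "src_ip": "10.0.0.51", "out_if": "WAN", "bytes": 2_000_000},
]
```

The interface counters only say the link moved roughly 1.5 Mbit/s and 8 Mbit/s in the two intervals; the flow aggregation is what attributes 950 MB to one MAC address and shows 800 MB of it went out the WAN side.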

Author Closing Comment

ID: 40350084
So I had a look at the software suggested, and after doing my own research, the best option appears to be PRTG. It has different "sensors" that don't rely on SNMP. I can install sensors on my server and collect the information I need. It has a free version that provides 10 sensors. The next version is US$440 for 500 sensors. It has the ability to monitor just about everything.
