Monitor gateway network traffic on Server 2008 R2

Hello Experts,

I would like some recommendations for Network Gateway Monitoring Software that can record how much data has passed through a particular NIC for each IP / MAC address. If it records content, that could be helpful, but not essential.

I am willing to spend some money, but not a lot.

Whole story:

I am having some suspect activity on my Internet Hotspot Network.

My WiFi Gateway is recording excessive downloads to certain users connected to it, but unfortunately my Hotspot Gateway Software does not have the reporting abilities I need to find out what is going on.

Just this morning, 2 users were connected to the AP, had received IP addresses from the DHCP server, but had not logged into the hotspot server, and were transferring data through the AP. We're not talking KB here, we are talking high MB, almost GB.

The server is Windows Server 2008 R2 running the Firstspot Hotspot Software: 1 NIC for WAN (internet) access and 1 NIC for LAN (hotspot). The WiFi AP is a Ubiquiti UniFi AC.

What I need to know: Is the data that is passing through the AP actually internet data (through the gateway), or something else?

For the meantime, I have just blocked the users' MAC addresses on the AP.


btan (Exec Consultant) commented:
It will be good if there is already some network device with a unified threat management or next-gen firewall module running on it, or one that can be upgraded, so that the app-aware capability can be logged and visualised for a quick turnaround; otherwise the likely route is to get a proxy or tap the traffic to hear out what is in it (can be Wireshark style, but may not be scalable and totally app-aware). For example, you could install a bridge between the router and the internal network. All traffic would flow through the bridge, allowing you to temporarily capture packets with something like Wireshark.

Some candidates I am thinking of:

- NetFlow Traffic Analyzer
- SmartView Monitor (Check Point, if you happen to have it; it has "Suspicious Activity Rules")
- PRTG
- WhatsUp Flow Monitor (has an alert for "Exposure of unauthorized applications, including file and music sharing")
- (higher end) Cascade Sensor and Shark (passively inspects packets from SPAN ports or taps)

This article is overwhelming but can give you a quick snapshot summary list of toolkits (some are old and probably non-existent anymore; no need to read it in depth as I see it, but it is very network-centric, to OSI layer 4/5 at most).
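The bridge-and-capture route btan suggests answers the original question directly if the captured frames are sorted by whether they ever reach the gateway's LAN NIC. Below is an added example (not part of the answer above, and not code from Firstspot, UniFi or Wireshark) that parses raw Ethernet II/IPv4 frames and tallies bytes per client MAC/IP, split into traffic that has the gateway's MAC as the other endpoint (so it really is crossing to the Internet NIC) and traffic that stays on the hotspot LAN (client-to-client, broadcast, multicast), which the hotspot software never sees. The gateway MAC, client addresses and frames are all constructed for the example; on a real server the frames would come from a pcap taken on the LAN NIC and the MAC from `ipconfig /all`.

```python
import struct
from collections import defaultdict

# Assumption for this example: the MAC address of the hotspot server's LAN NIC.
# On the real server read it from "ipconfig /all" and substitute it here.
GATEWAY_MAC = "00:11:22:33:44:55"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Parse an Ethernet II frame carrying IPv4.

    Returns (src_mac, dst_mac, src_ip, dst_ip), or None for frames that are not
    IPv4 (ARP, IPv6, truncated captures). One 802.1Q VLAN tag is skipped.
    """
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == 0x8100:                      # 802.1Q tag: real ethertype 4 bytes later
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None
    if frame[offset] >> 4 != 4:                  # IP version nibble must be 4
        return None
    src_ip, dst_ip = struct.unpack("!4s4s", frame[offset + 12:offset + 20])
    return mac_to_str(src), mac_to_str(dst), ip_to_str(src_ip), ip_to_str(dst_ip)


def account(frames, gateway_mac=GATEWAY_MAC):
    """Attribute each frame's size to the client (MAC, IP) it belongs to.

    'gateway' bytes have the server's LAN MAC as the other endpoint, so they
    really do cross the hotspot gateway (Internet-bound, or to the server itself).
    'local' bytes never touch the gateway: client-to-client, broadcast or
    multicast traffic that the hotspot software cannot see or account for.
    """
    totals = defaultdict(lambda: {"gateway": 0, "local": 0})
    gw = gateway_mac.lower()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip = parsed
        size = len(frame)
        if dst_mac == gw:                                   # client -> gateway
            totals[(src_mac, src_ip)]["gateway"] += size
        elif src_mac == gw:                                 # gateway -> client
            totals[(dst_mac, dst_ip)]["gateway"] += size
        else:                                               # stays on the hotspot LAN
            totals[(src_mac, src_ip)]["local"] += size
            if not int(dst_mac[:2], 16) & 1:                # skip broadcast/multicast receivers
                totals[(dst_mac, dst_ip)]["local"] += size
    return dict(totals)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Build a minimal Ethernet II + IPv4 frame (zero payload, no checksum) for the sample."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip_hdr + bytes(payload_len)


def sample_capture():
    """Constructed frames standing in for a capture taken on the LAN NIC (not real data)."""
    a = ("aa:bb:cc:00:00:01", "192.168.10.21")
    b = ("aa:bb:cc:00:00:02", "192.168.10.22")
    c = ("aa:bb:cc:00:00:03", "192.168.10.23")
    frames = []
    # client A talks to an Internet host through the gateway and gets replies
    frames += [build_frame(a[0], GATEWAY_MAC, a[1], "93.184.216.34", 1400) for _ in range(10)]
    frames += [build_frame(GATEWAY_MAC, a[0], "93.184.216.34", a[1], 1400) for _ in range(5)]
    # client B pushes data straight to client C: heavy AP load, zero gateway traffic
    frames += [build_frame(b[0], c[0], b[1], c[1], 1400) for _ in range(20)]
    # an ARP request (ethertype 0x0806) that the parser must ignore
    frames.append(bytes.fromhex("ffffffffffff" + "aabbcc000002" + "0806") + bytes(28))
    return frames


if __name__ == "__main__":
    for (mac, ip), seen in sorted(account(sample_capture()).items()):
        print(f"{mac} {ip:<15} via gateway: {seen['gateway']:>7} B  local only: {seen['local']:>7} B")
```

A client that shows large "local only" totals and nothing "via gateway" is moving data between hotspot clients on the AP itself, which matches the symptom of unauthenticated users transferring hundreds of MB without ever appearing in the hotspot accounting; isolating wireless clients from each other on the AP is the usual control for that.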

Aaron Tomosky (SD-WAN Simplified) commented:
PRTG and some of the SolarWinds stuff do SNMP monitoring, which works well for switches and routers. Basically it queries the device, gets total packets, does that again every few seconds and determines bandwidth. The devices have to support SNMP (pretty much every router and switch you can log in to).

The other side is flow monitoring (NetFlow, sFlow, IPFIX). SolarWinds has a few products that do that; my personal favorite is Scrutinizer, but the device has to send the flows to your collector. Most brand-name switches and routers can do this (SonicWall, Cisco, Brocade, Dell, HP, etc.).
Justin (Author) commented:
Thanks experts for your suggestions. I am slowly working through all the options.

I haven't compared them all yet, but do all these options work on SNMP? Is SNMP the best way to go?

The only SNMP devices I have are the 4 modems I use for internet access, Cisco SRP527W. (4 modems >>> load balancer >>> hotspot server >>> web-managed switch.)
btan (Exec Consultant) commented:
SNMP is the common (or 'traditional') means, but it is subject to the MIB, which sometimes may not reveal everything for granular drilling into the stats; I kind of see it as a means for health checks. For more in-depth analysis, NetFlow, sFlow, syslog etc. can be very handy, and in combination. Some use cases below.

- SNMP can be used in real time to collect CPU and memory utilization and facilitates capacity planning (including collecting errors per interface and CBQoS information, including information available on IP SLA such as jitter, MOS and latency).

- NetFlow tells you who is consuming the bandwidth and with what (probably much less data to deal with), and characterizes traffic applications and patterns; e.g. it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms and other undesirable network events.

Depends on what is needed and wanted, as a quick thought.
Justin (Author) commented:
So I had a look at the software suggested, and after doing my own research, the best option appears to be PRTG. It has different "sensors" that don't rely on SNMP. I can install sensors on my server and collect the information I need. It has a free version that provides 10 sensors. The next version is US$440 for 500 sensors. It has the ability to monitor just about everything.