Solved

Monitor gateway network traffic on Server 2008 R2

Posted on 2014-09-10
Last Modified: 2014-09-29
Hello Experts,

I would like some recommendations for Network Gateway Monitoring Software that can record how much data has passed through a particular NIC for each IP / MAC address. If it records content, that could be helpful, but not essential.

I am willing to spend some money, but not a lot.

Whole story:

I am having some suspect activity on my Internet Hotspot Network.

My WiFi Gateway is recording excessive downloads to certain users connected to it, but unfortunately my Hotspot Gateway Software does not have the reporting abilities I need to find out what is going on.

Just this morning, 2 users were connected to the AP, had received IP addresses from the DHCP server, but had not logged into the hotspot server, and were transferring data through the AP. We're not talking KB here, we are talking high MB, almost GB.

The server is Windows Server 2008 R2 running the Firstspot Hotspot Software. 1 NIC for WAN (internet) access and 1 NIC for LAN (hotspot). WiFi AP is a Ubiquiti UniFi AC.

What I need to know: Is the data that is passing through the AP actually internet data (through the gateway), or something else?

For the meantime, I have just blocked the users' MAC addresses on the AP.

Thanks,

Justin
Question by:Jpoppi
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 40317310
Will be good if there is already some network device having the unified threat mgmt or next gen firewall module running on it, or upgrade, so that the app aware capability can be logged and visualised for a quick turnaround; else likely is to get a proxy or tap the traffic to hear out what is in it (can be Wireshark style but may not be scalable and totally apps aware though). Like - you could install a bridge between the router and the internal network. All traffic would flow through the bridge, allowing you to temporarily capture packets with something like Wireshark.

Some candidates I am thinking of:

- NetFlow Traffic Analyzer - http://www.solarwinds.com/netflow-traffic-analyzer.aspx
- Smartview monitor (checkpoint if you happened to have it, and it has "Suspicious Activity Rules") - https://sc1.checkpoint.com/documents/R76/CP_R76_SmartViewMonitor_AdminGuide/index.html
- PRTG - http://www.paessler.com/manuals/prtg/bandwidth_monitoring_comparison.htm
- WhatsUp flow monitor (has alert for "Exposure of unauthorized applications, including file and music sharing") - http://www.whatsupgold.com/products/whatsup-gold-plugins/flow-monitor/
- (higher end) Cascade Sensor and Shark (Passively inspects packets from SPAN ports or taps) - http://www.riverbed.com/blogs/technical-overview-of-riverbeds-cascade.html

This article is overwhelming but can give you a quick snapshot summary list of toolkits (some are old and probably non-existent anymore, no need to read that in depth as I see... but it is very network centric to OSI layer 4/5 at most then) - http://www.cs.wustl.edu/~jain/cse567-06/ftp/net_traffic_monitors3/index.html
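The bridge-and-capture approach above yields raw frames; the asker's actual need is per-client byte totals and whether those bytes cross the gateway. This added example (not from the thread, nor from Wireshark or FirstSpot) aggregates hand-written frame records as a capture on a mirror port or bridge between the AP and the hotspot server would show them, charging each frame to the LAN-side client MAC and classifying it as internet (one end outside the LAN subnet) or local (both ends inside it). The subnet, gateway MAC and frame records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values (hypothetical, not from the thread):
LAN = ip_network("192.168.1.0/24")      # hotspot LAN subnet behind the server
GATEWAY_MAC = "00:11:22:33:44:55"       # MAC of the server's LAN-side NIC

# Constructed sample frames as seen on a bridge/mirror port between the AP
# and the hotspot server: (src_mac, dst_mac, src_ip, dst_ip, length_bytes)
FRAMES = [
    ("aa:aa:aa:00:00:01", GATEWAY_MAC, "192.168.1.10", "93.184.216.34", 1500),
    (GATEWAY_MAC, "aa:aa:aa:00:00:01", "93.184.216.34", "192.168.1.10", 1500),
    ("aa:aa:aa:00:00:02", GATEWAY_MAC, "192.168.1.20", "93.184.216.34", 500),
    ("aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03", "192.168.1.20", "192.168.1.30", 1400),
]

def account(frames, lan=LAN, gateway_mac=GATEWAY_MAC):
    """Bytes per client MAC, split into traffic that crosses the gateway
    ("internet": one end outside the LAN subnet) and traffic that stays
    inside the hotspot LAN ("local": both ends inside the subnet)."""
    totals = defaultdict(lambda: {"internet": 0, "local": 0})

    def charge(mac, kind, length):
        if mac != gateway_mac:          # never count the server's own NIC
            totals[mac][kind] += length

    for src_mac, dst_mac, src_ip, dst_ip, length in frames:
        src_in = ip_address(src_ip) in lan
        dst_in = ip_address(dst_ip) in lan
        if src_in and dst_in:
            charge(src_mac, "local", length)     # client-to-client: both sides
            charge(dst_mac, "local", length)
        elif src_in:
            charge(src_mac, "internet", length)  # upload via the gateway
        elif dst_in:
            charge(dst_mac, "internet", length)  # download via the gateway
        # frames with neither end in the LAN are transit noise; ignored
    return dict(totals)

def heavy_clients(totals, threshold_bytes):
    """MACs whose combined byte count exceeds the threshold, heaviest first."""
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["internet"] + kv[1]["local"],
                    reverse=True)
    return [mac for mac, t in ranked if t["internet"] + t["local"] > threshold_bytes]

if __name__ == "__main__":
    totals = account(FRAMES)
    for mac, t in totals.items():
        print(f"{mac}  internet={t['internet']}  local={t['local']}")
    print("over 2000 B:", heavy_clients(totals, 2000))
```

Local-to-local frames only appear if the capture point sits between the AP and the server (or on a mirror of the AP's uplink); a capture on the server's LAN NIC alone would show just the gateway-bound share.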
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40317511
PRTG and some of the SolarWinds stuff does SNMP monitoring, which works well for switches and routers. Basically it queries the device, gets total packets, does that again every few seconds and determines bandwidth. The devices have to support SNMP (pretty much every router and switch you can log in to).

The other side is flow monitoring (NetFlow, sFlow, IPFIX). SolarWinds has a few products that do that; my personal favorite is Scrutinizer, but the device has to send the flows to your collector. Most brand name switches and routers can do this (SonicWall, Cisco, Brocade, Dell, HP, etc...).
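The "query the counter, query again, work out the bandwidth" loop Aaron describes is simple but has a trap: ifInOctets is a 32-bit counter that wraps, so a naive subtraction goes negative. This added example (not from the thread, nor from PRTG or SolarWinds) shows the delta-with-wrap-correction arithmetic on constructed 60-second polls and computes how often a counter must be polled before a busy link could wrap it twice unnoticed. Sample values are made up; real ones would come from an SNMP GET of ifInOctets (Counter32) or ifHCInOctets (Counter64).

```python
# Modulus of the SNMP counter types: ifInOctets is Counter32, ifHCInOctets Counter64
COUNTER_MODULUS = {32: 2**32, 64: 2**64}

def counter_delta(prev, curr, bits=32):
    """Octets counted between two polls, correcting for a single wrap
    (a Counter32 rolls over to 0 after 4,294,967,295)."""
    if curr >= prev:
        return curr - prev
    return curr + COUNTER_MODULUS[bits] - prev

def bits_per_second(prev_sample, curr_sample, bits=32):
    """Average rate between two (unix_time, octets) samples."""
    t0, c0 = prev_sample
    t1, c1 = curr_sample
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(c0, c1, bits) * 8 / (t1 - t0)

def rates(samples, bits=32):
    """Per-interval rates (bit/s) for a list of consecutive samples."""
    return [bits_per_second(a, b, bits) for a, b in zip(samples, samples[1:])]

def max_safe_poll_interval(link_bps, bits=32):
    """Longest poll interval (seconds) before a saturated link could wrap the
    counter more than once between polls, which the delta logic cannot see."""
    return COUNTER_MODULUS[bits] * 8 / link_bps

# Constructed 60-second polls of ifInOctets on the hotspot-side NIC; the
# counter wraps between the 2nd and 3rd samples.
SAMPLES = [(0, 4_294_900_000), (60, 4_294_950_000), (120, 50_000), (180, 110_000)]

if __name__ == "__main__":
    for (t0, _), rate in zip(SAMPLES, rates(SAMPLES)):
        print(f"t={t0:>4}s  {rate:,.1f} bit/s")
    # naive subtraction across the wrap would have given a negative number
    print("naive delta across wrap:", SAMPLES[2][1] - SAMPLES[1][1])
    for link in (100e6, 1e9):
        print(f"Counter32 on {link/1e6:.0f} Mbit/s: poll at least every "
              f"{max_safe_poll_interval(link):.1f} s, or use ifHCInOctets")
```

On a gigabit link a Counter32 can wrap in about 34 seconds, so a 60-second poll of ifInOctets under-reports; prefer the 64-bit ifHCInOctets where the device offers it.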
 
LVL 1

Author Comment

by:Jpoppi
ID: 40330175
Thanks experts for your suggestions. I am slowly working through all the options.

I haven't compared them all yet, but do all these options work on SNMP? Is SNMP the best way to go?

The only SNMP devices I have are the 4 modems I use for internet access - Cisco SRP527W. (4 modems >>> load balancer >>> hotspot server >>> web managed switch.)
 
LVL 61

Expert Comment

by:btan
ID: 40330382
SNMP is the common (or 'traditional') means but subject to the MIB, which sometimes may not reveal the entirety for granular drilling into the stats; I kind of see it as a means for health checks. For more in-depth analysis, NetFlow, sFlow, syslog etc. can be very handy, and in their combinations... some use cases below.

- SNMP can be used for real-time collection of CPU and memory utilization, and facilitates capacity planning (including collecting errors per interface, CBQoS information, and information available on IP SLA such as jitter, MOS and latency)

- NetFlow tells you who and with what is consuming the bandwidth (probably much less data to deal with), and characterizes traffic applications and patterns, e.g. plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.

Depends on what is needed and wanted, as a quick thought.
 
LVL 1

Author Closing Comment

by:Jpoppi
ID: 40350084
So I had a look at the software suggested, and after doing my own research, the best option appears to be PRTG. It has different "sensors" that don't rely on SNMP. I can install sensors on my server and collect the information I need. It has a free version that provides 10 sensors. The next version is US$440 for 500 sensors. It has the ability to monitor just about everything.
