Network traffic analyzer software recommendation

I work at a business that has several different smaller buildings on our campus. These buildings are connected back to the server room via Cisco switches and fiber trunk lines. From time to time I'll get users calling in about general network slowness (network, internet, etc).

I see we have plenty of bandwidth from our MRTG monitoring (netflow via the Cisco switches). When I check the properties of the trunk lines I see no collisions or deferred packets.

What I think I'm looking for is something like Wireshark in that it will capture network traffic, but I don't need it to store that information in an attempt to recreate it later. I need something that will capture the statistics of a large amount of packets so I can go back later (say after a week or so of capturing data) and see if there's any trends (dropped packets, congestion, etc).

I realize this could be one piece of software doing the collection and the analysis, or two pieces, one for collection and one for analysis. Any recommendations/clarifications are appreciated.
travisryan asked:

unrealized92 commented:
Splunk would be great for this, or Sumo Logic.
0
travisryan (Author) commented:
@unrealized92

Have you personally used either of these?
0
unrealized92 commented:
Yes, we use Splunk Enterprise in our datacenter :) I love it, and we have more visibility into our network than ever. I believe they have a free version too if you want to check it out.
0
travisryan (Author) commented:
It looks like Splunk would be way overkill for what I'm looking for. I don't need any syslog analysis. I'm really just looking for something that will log intranet traffic and run analysis on it later. Was there something you used before Splunk, something a bit more basic than it?
0
travisryan (Author) commented:
I was looking at the SolarWinds network traffic analysis, but that depends on NetFlow data, which my switches can't provide.
0
unrealized92 commented:
You might want to search for a network analytics appliance. Most of them are able to take pcap data.
0
Ravi Agrawal commented:
Just have a look at NetBalancer.

I am not sure if it fits your purpose but it is pretty lightweight in resources.
0
PaulOfford commented:
Hi,

I think you have two distinct approaches. The first is to analyse the problem based on statistics, and the second is to analyse slow transactions. The first option is the most common technique but can be pretty subjective; the second is more precise but a little more tricky.

If you want to go for a statistics-based approach, the best thing would be to use an SNMP management tool to poll your switches for load and error metrics with an interval of, say, once per minute. You would typically poll for metrics from all important links (ISLs, server ports, router connections, etc.). I typed "free snmp monitoring tools" into Google and got loads of hits. Perhaps someone else on EE can advise regarding a good one.

If you want to go the transaction analysis route, Wireshark is definitely your best bet. I'm not sure what you meant about not needing a tool to "recreate it later", as that's not really what Wireshark is meant for. To use Wireshark you would need to capture examples of slow performance and do some packet analysis. This approach won't directly identify physical layer problems such as collisions (through duplex mismatch) or FCS errors. Instead, with Wireshark the approach is to start at the top of the OSI stack and drill down into the problem.

You might find the video here useful. It covers the use of Wireshark to analyse network and application performance problems.

Best regards...Paul
0
travisryan (Author) commented:
Paul, currently I pull statistics for each one of the interfaces on the affected switches through SNMP to MRTG. I'm going over those now.

As far as transaction analysis goes, I've used Wireshark before, and what I'm looking for is a "headless" version of Wireshark, so to speak. Something I can put on a SPAN/mirrored port, let it pull traffic statistics for a week or so, then analyze those statistics for any patterns where their network segment would be bottlenecked/jammed up more than normal. In other words, if I can get an idea of what normal traffic patterns look like, then when the network is "slow" I can compare what I know to what it looks like currently.

Letting Wireshark run for even an hour on a spanned port usually has any machine I use frozen up. I'm really looking for something that could shove raw traffic statistics to a database to keep processing needs down.

I hope that makes sense.
0
PaulOfford commented:
Hi,

OK, I understand now. Wireshark's dumpcap can be used for long-term capture; we've used it to capture for literally months.

There's a guide to using dumpcap in this way on the TribeLab site at https://www.tribelabzero.com in the Network Trace Capture Guide.

Best regards...Paul
0
travisryan (Author) commented:
Paul, dumpcap is exactly what I'm looking for collection-wise. Thank you very much for that; I'm playing around with it now. However, that's only the first part of the battle; the second part to this is data analysis. You said you used it to collect data for months. How did you chop up that information so you can analyze it?

I imagine if you throw more than a 1 GB pcap file at Wireshark it'll choke, and 1 GB doesn't cover a lot of traffic on a busy link. Do you have another program besides Wireshark to process larger pcap files? Or do you need to chop it small so Wireshark can still process it?
0
PaulOfford commented:
You could use TRANSUM (also on TribeLab). Take a look at the first few pages of the TRANSUM User Guide and then have a look at the page on batch processing with Tshark.

The procedure will be:

* Capture the data
* Run Tshark with the TRANSUM plugin which will produce a CSV
* Pull the CSV into Excel and look for high TRANSUM RTE values (you'll understand this once you've looked at the TRANSUM manual)

Best regards...Paul
0
travisryan (Author) commented:
Paul, that looks very interesting; I'll have to dig into it. More on my previous question: did you find an optimal capture file size that Wireshark/tshark can handle? Right now I have dumpcap creating a new cap file every hour of capture time for a 24-hour period, just as a test. I'll be interested to see what the capture file size is.
0
PaulOfford commented:
For analysis on Windows 64-bit, use a file size of 200 MB. This is covered in the dumpcap notes on TribeLab.
0
travisryan (Author) commented:
Thank you so much for all of your help Paul. This sounds like exactly what I'm looking for.
0
Question has a verified solution.