Monitoring data / internet traffic

Customer has a LAN with a few PCs and some tabs/phones that connect to Internet via their LAN (partly wireless). Internet access is through a 4G mobile modem (other options not available). This has worked well for nearly a year.

Lately they have experienced a lot more data traffic. Since they pay per GB to the mobile operator they try to find what is causing the increased data usage. I have checked the wireless LAN, but can't see anything wrong. Also changed the encryption key.

Question is - is there a way to easily monitor the traffic from the LAN to the 4G network. A packet sniffer might do the job, but results are quite difficult to analyze. Is there an easier way? Thinking of monitoring each LAN IP and traffic to/from the 4G router.
Olaf BerliOwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pushpakumara MahagamageVPCommented:
if you have fair PC with 2 or more network interfaces, you can have a gateway between 4G and LAN. pfsense https://www.pfsense.org/  is good linux firewall/gateway software. then you can use plugin such as  BandwithD http://bandwidthd.sourceforge.net/    Darkstat https://unix4lyfe.org/darkstat/ on pfsense.

There is somany step by step installation configuration guides to follow.
0
Olaf BerliOwnerAuthor Commented:
Thanks for the response.
After looking at this it seems like a good solution, but will require learning a bit about Unix, setting up a PC etc. To cover this project it just seems too much for me to do. However, it made me start looking at this in a slightly different way....

Have looked at using a Mikrotik box (www.mikrotik.com). It has a Graphing function and a Queue function that may do the job. Since I'm already  using these boxes (routers) it seems like an easier path.
Thanks anyway
1
ajohnson30Network ManagerCommented:
I like setting up a netgear GS105 switch  with one of the ports in "mirror" mode.  They are fairly inexpensive but work like a charm for this.  Place it  in-line between your network and the internet device on the monitored port, then use a PC with two network interfaces (you can use a usb Ethernet dongle in a pinch) with one on the mirrored port.  

Run wireshark on the PC and watch the traffic.  There are also guides out there for using wireshark's "ring buffer" mode, to run a "rolling capture", to save data to files continuously so you can go to the PC at your leisure and see what's going on.  

There's a command line utility with wireshark also that you can use for this called dumpcap.  An example would be:
dumpcap -i <interface> -w <file.cap> -b filesize:32768 -b files:128

Hope this helps
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Olaf BerliOwnerAuthor Commented:
Thanks

Been thinking of WireShark. Used it a long time ago.
Seem to recall that it has a promiscous mode that makes it work even connected to a switch?
May look into it again. A bit challenging to understad the logs, but maybe the filter function could do it...?
0
ajohnson30Network ManagerCommented:
Wireshark does a little of that, but can't override too much.  It really depends on the switch, which is why I recommended that netgear GS105.  It's not really a managed swich, but it does come with software (which you can download from their website if you don't have it handy) that you can use to upgrade it's firmware, set vlans, and most importantly - set up port mirroring.  I generally set up one of these switches with port #1 as the capture port (put the internet there) and port #5 as the mirror port (put the monitor pc there) and put a label on those ports and on the switch saying "Monitoring switch" or something like that.  That way whenever I need to do a port capture I have it handy.

Wireshark has gotten very user friendly with it's protocol debugging.  It shows pretty much everything so you can tell what ip is going where and using what protocol.  There's menu options so you can quickly determine what machine has sent the most packets or bytes, so you can see who's hogging the pipe, then you can look at the conversations and see where they're going
0
masnrockCommented:
Having a mirror port, regardless of the model of switch, is ideal. That way you're sure that everything is getting though to your monitor, be it Wireshark or something else. Not sure what type of router you have, otherwise, I'd suggest seeing if there's a way to at least see what sites are getting visited based on built in capabilities.

In the scheme of it all, I'm willing to bet someone is doing a lot of streaming or downloading.
0
Olaf BerliOwnerAuthor Commented:
Thanks for your help!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Mobile

From novice to tech pro — start learning today.