Monitoring data / internet traffic

Customer has a LAN with a few PCs and some tabs/phones that connect to Internet via their LAN (partly wireless). Internet access is through a 4G mobile modem (other options not available). This has worked well for nearly a year.

Lately they have experienced a lot more data traffic. Since they pay per GB to the mobile operator they try to find what is causing the increased data usage. I have checked the wireless LAN, but can't see anything wrong. Also changed the encryption key.

Question is - is there a way to easily monitor the traffic from the LAN to the 4G network. A packet sniffer might do the job, but results are quite difficult to analyze. Is there an easier way? Thinking of monitoring each LAN IP and traffic to/from the 4G router.
Olaf Berli Asked:
 
ajohnson30 (Network Manager) Commented:
I like setting up a Netgear GS105 switch with one of the ports in "mirror" mode. They are fairly inexpensive but work like a charm for this. Place it in-line between your network and the internet device on the monitored port, then use a PC with two network interfaces (you can use a USB Ethernet dongle in a pinch) with one on the mirrored port.

Run Wireshark on the PC and watch the traffic. There are also guides out there for using Wireshark's "ring buffer" mode to run a "rolling capture", saving data to files continuously so you can go to the PC at your leisure and see what's going on.

There's also a command-line utility that comes with Wireshark that you can use for this, called dumpcap. An example would be:
dumpcap -i <interface> -w <file.cap> -b filesize:32768 -b files:128

Hope this helps
0
 
Pushpakumara Mahagamage (VP) Commented:
If you have a fair PC with 2 or more network interfaces, you can have a gateway between 4G and LAN. pfSense https://www.pfsense.org/ is good linux firewall/gateway software. Then you can use a plugin such as BandwidthD http://bandwidthd.sourceforge.net/ or Darkstat https://unix4lyfe.org/darkstat/ on pfSense.

There are so many step-by-step installation and configuration guides to follow.
0
 
Olaf Berli (Author) Commented:
Thanks for the response.
After looking at this it seems like a good solution, but will require learning a bit about Unix, setting up a PC etc. To cover this project it just seems too much for me to do. However, it made me start looking at this in a slightly different way....

Have looked at using a Mikrotik box (www.mikrotik.com). It has a Graphing function and a Queue function that may do the job. Since I'm already  using these boxes (routers) it seems like an easier path.
Thanks anyway
1
 
Olaf Berli (Author) Commented:
Thanks

Been thinking of Wireshark. Used it a long time ago.
Seem to recall that it has a promiscuous mode that makes it work even connected to a switch?
May look into it again. A bit challenging to understand the logs, but maybe the filter function could do it...?
0
 
ajohnson30 (Network Manager) Commented:
Wireshark does a little of that, but can't override too much. It really depends on the switch, which is why I recommended that Netgear GS105. It's not really a managed switch, but it does come with software (which you can download from their website if you don't have it handy) that you can use to upgrade its firmware, set VLANs, and most importantly, set up port mirroring. I generally set up one of these switches with port #1 as the capture port (put the internet there) and port #5 as the mirror port (put the monitor PC there) and put a label on those ports and on the switch saying "Monitoring switch" or something like that. That way whenever I need to do a port capture I have it handy.

Wireshark has gotten very user friendly with its protocol debugging. It shows pretty much everything so you can tell what IP is going where and using what protocol. There are menu options so you can quickly determine what machine has sent the most packets or bytes, so you can see who's hogging the pipe, then you can look at the conversations and see where they're going.
0
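
The "who's hogging the pipe" check described above can also be scripted over the saved capture files. This is an added example, not part of the original thread: it assumes the LAN is 192.168.1.0/24 and that the files are classic pcap over Ethernet (dumpcap writes pcapng unless given -P); the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumption: the customer's LAN subnet
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, by byte order

def metered_bytes(pcap: bytes, lan=LAN) -> Counter:
    """Sum IPv4 bytes per LAN host for packets that cross the LAN/Internet boundary."""
    order = MAGIC.get(pcap[:4])
    if order is None:
        raise ValueError("not classic pcap (pcapng? capture with dumpcap -P)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    totals, off = Counter(), 24                        # 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not plain IPv4 (ARP, IPv6, VLAN tag)
        ip_len = struct.unpack("!H", frame[16:18])[0]  # IPv4 total length field
        src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
        if (src in lan) != (dst in lan):               # LAN-to-LAN traffic is not billed
            totals[str(src if src in lan else dst)] += ip_len
    return totals

def sample_pcap() -> bytes:
    """Constructed capture: header-only frames, as if taken with a 34-byte snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 34, 1)
    for src, dst, n in [("192.168.1.10", "203.0.113.5", 60),
                        ("203.0.113.5", "192.168.1.10", 1500),
                        ("203.0.113.5", "192.168.1.10", 1500),
                        ("192.168.1.23", "198.51.100.7", 400),
                        ("192.168.1.10", "192.168.1.23", 900)]:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, n, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
        frame = b"\x02" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), 14 + n) + frame
    return out

if __name__ == "__main__":
    for host, count in metered_bytes(sample_pcap()).most_common():
        print(f"{host:15} {count} bytes")
```

For real captures, pass the contents of each ring-buffer file (read in binary mode) to `metered_bytes` and add the resulting counters together.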
 
masnrock Commented:
Having a mirror port, regardless of the model of switch, is ideal. That way you're sure that everything is getting through to your monitor, be it Wireshark or something else. Not sure what type of router you have; otherwise, I'd suggest seeing if there's a way to at least see what sites are getting visited based on built-in capabilities.

In the scheme of it all, I'm willing to bet someone is doing a lot of streaming or downloading.
0
 
Olaf Berli (Author) Commented:
Thanks for your help!
0
Question has a verified solution.
