Best way to track traffic

[cyberkatis]

If I have MRTG running and notice a huge rise in outgoing traffic during the night hours and I want to find out all about it (Source, Destination at least) what is the best way to handle this.

1) Sniffer-
Currently using Netmon and Ethereal, but the buffers get filled up too fast to run all night. Any ideas here?

2) Something else?

Thanks

Chris.

 

[wybnormal]

Sniffer will track the top 10 talkers and once you know that, you build a filter set to knock out the extra noise.

Solarwinds also does this in a nicer and easier to read report by using SNMP. Tag the servers and routers and you can build a map of what is being excessively used. I have found *hidden* backups kicking off this way and a few other surprises.


MikeS
Find me at

http://www.packetattack.com

"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu

 

[javchang]

Hi Chris,

Since you're only after the source and destination addresses (for now), limit the packet size in Ethereal. Start with small packets (<100 bytes). Once you have a better idea, filter on specific IP addresses and capture full packets to determine the nature of the traffic.

J.