packet sniffing / network monitoring

[floppyraid]

Greetings,

I have been watching traffic on our network with Wireshark, and its very detailed, but, I am wanting to do something rather simple and straightforward and I am not sure that wireshark is the best solution for what im trying to do.

I want to be able to easily see, at a whims notice, which host on our network is generating the most traffic (both up and down). we have limited bandwidth, and id like to be able to see if someone is having large sustained file transfers when the network gets slow.

using the IOGraph in wireshark, i can set up 5 filters to things like "ip.addr == 192.168.1.0/24" for example, so that i can see on a graph if it is the 192.168.1.x subnet that is saturating the network, but this doesnt give me a real idea of which node.

if I use the conversations or endpoints sections, they are very detailed and nice, but it takes some time--- if wireshark is up and running for over 10 minutes ill have well over 100,000 packets-- so if i then run conversations or endpoints, it takes some time to compile the statistics.

so for example, is there a plugin for wireshark that will export the statistics, live, to another node on the network which can sift through them easily in real time-- or, is there a different application that is free that you know of that will give a breakdown of individual hosts on a network, and which node is saturating the network?

 

[jet042]

We use SNMP to monitor the throughput on each of our managed devices. I've only used SolarWinds' Orion suite, but it's not free.

 

[IRudebwoy]

If you want free try nagios or cacti packages. Both use SNMP to query your devices (switches) and graph the results. I've use cacti for a while, it works but I'm curious to try out nagios.

 

[floppyraid]

yeah thanks for the info

i had set up zenoss and found it was a bit much for what i was looking to do, so i set up cacti and its nice and i definitely use it still, but i needed the stats to be closer to realtime than 2-5 minute polling so i set up ntop on the same linux box that cacti is on.

i find that between cacti's long term sql based information storage and ntops short term real time stats i get a very useful picture of where bandwidth is going

 

[lsjames]

You can try active wall traffic monitor. It's free and useful.

 

[PeterHurst]

For IRudebwoy - Nagios is more around monitoring and alarm gathering/notification (whatsupgold like) than Cacti in my limited experience.

We've set up Cacti and it's quite effective.

If you want to look at who top talkers are though you'll neet to look at something that can run in the heart of the network to capture as much data as possible. If you have a Cisco at the core see if it supports netflow, there are some packages which use that to good effect - Manage Engine netflow monitor

http://www.manageengine.com/products/netflow/

has a demo version which might be of use.

 

[floppyraid]

I ended up using both Cacti and ntop.

Since all of our web traffic passes through 1 server, I was able to just mirror that port on our core L3 switch/router and ntop passively sniffs the traffic as it goes through. It isn't 100% live, I'd say there is maybe a 10 second delay, but thats perfectly fine for what I was hoping to achieve.

Cacti is very beneficial for long term storage of raw statistics per device per port, it has been a real help.

Zenoss and Nagios are well made but for what we were trying to do they were a bit too much- they are comprehensive solutions but they didn't provide the statistics I was looking for in an easy to display way.

Netflow would have been the perfect solution but unfortunately our core isn't Cisco.

Thanks all