Deb,

If your boss is looking for DoS attacks, those will be painfully obvious on MRTG.

In order to determine that something is statistically significant, you need to define not just a mean (an 'average value'), but also a standard deviation. Say I've got a link that carries 100K of traffic on average. Is it normal to see 300K on that link? Sure, if the normal range is 0-400K. If the normal range is 50-150, then yeah, I'd be raising an eyebrow at 300K, but not if up to 400K is in my normal range.

What I'm saying is that you need to establish not just what is average, but what falls within normal ranges. To do that, go back through your archived information and look at your weekly and monthly averages, and draw a few data points from that.

I wish I could help you more on this. Every link on every network has slightly different norm ranges -- some may have a small range and a high average, others may have a small average and a huge range. The latter is common if your traffic is 'bursty'. The only way to pin down what is normal for any given link is to monitor over a period of time (which you've done) and plot out a series of data points to establish a known range. Once you've done that, then I believe there is a way to set thresholds. Can someone else advise?

HTH,
Andi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:48 PM
To: Bigelow, Andrea L.
Subject: RE: [mrtg] Re: Network Bandwidth

Thanks Andi:

I have been monitoring our branch sites for ages, and each branch site utilization is different... How do I detect that Pittsburgh is out of the norm from the day before?

Deb

"Bigelow, Andrea L." <[EMAIL PROTECTED]>
06/03/2004 03:45 PM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:
Subject: RE: [mrtg] Re: Network Bandwidth

> Can someone advise or help me on the following question from my boss,
> what would be the best way to monitor this?
> "Deb, have you made any progress in detecting bandwidth usage outside a norm?"

Sure, but you have to know what you're looking for.
You can't detect anything outside of a "norm" if you don't know what that norm is. Trace the bandwidth patterns over a period of time, preferably a month or two at least, and that will give you a good baseline, but find out from your boss how he defines 'norm'.

Andi L. Bigelow
Dyncorp EOS - Network Engineering Group
bigelowa{at}sec{dot}gov
(202) 942-4368

"Every man dies, but not every man really lives." -- Braveheart
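
The per-link baseline discussed in this thread (mean plus standard deviation, checked separately for each branch site) can be sketched as below. This is an added example, not code from the thread or from MRTG; the site names other than Pittsburgh, the sample values, and the choice of k = 3 standard deviations are constructed assumptions.

```python
import statistics

def baseline(samples, k=3.0):
    """Return (mean, stdev, low, high) for one link's archived samples.

    The normal range is mean +/- k standard deviations, floored at zero
    because a traffic rate cannot be negative.
    """
    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples)  # sample standard deviation
    return mean, sd, max(0.0, mean - k * sd), mean + k * sd

def sites_outside_norm(history, latest, k=3.0):
    """Compare each site's latest reading against that site's own range."""
    flagged = []
    for site, samples in history.items():
        _, _, low, high = baseline(samples, k)
        if not (low <= latest[site] <= high):
            flagged.append(site)
    return flagged

# Constructed archive values in KB/s. Both links average 100K, but one is
# steady and the other is bursty, as in the 100K / 300K illustration above.
STEADY = [95, 102, 98, 110, 90, 105, 100, 97, 103, 100]
BURSTY = [5, 20, 350, 10, 15, 300, 8, 12, 270, 10]

HISTORY = {"pittsburgh": STEADY, "branch-b": BURSTY}  # "branch-b" is hypothetical
LATEST = {"pittsburgh": 300, "branch-b": 300}         # same reading on both links

if __name__ == "__main__":
    for site, samples in HISTORY.items():
        mean, sd, low, high = baseline(samples)
        print(f"{site}: mean={mean:.0f} sd={sd:.1f} range={low:.0f}-{high:.0f}")
    # 300K is flagged only on the steady link; it is inside the bursty
    # link's normal range even though both links share the same average.
    print("outside norm:", sites_outside_norm(HISTORY, LATEST))
```

On a bursty link the lower bound collapses to zero, so this check only catches unusually high readings there; a link that goes quiet needs a separate test.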
