You can make your own 10/100 taps - instructions are at snort.org.  But for
commercial use, I'd recommend a commercial tap.  It's a little neater than
wiring your own.  And may work better - mostly because you probably don't
own the tools to check it for multipath and leakage.

Tapping the WAN links will give you a good picture of the local-remote flow.

As was indicated previously (Nathan, Chris and James), it's more difficult
to get a good picture of the LAN.  That's basically just a function of
switches doing their proper function and switching traffic.  Where to place
the LAN monitors takes a lot of knowledge of your network and what you want
to monitor.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Andrew Smith
Sent: Tuesday, April 25, 2006 1:40 PM
To: [email protected]
Subject: RE: [Ntop] Were to placing Ntop on the network

Thanks to everyone for all the advice given.

Basically we've recently turned SNMP on our routers and been monitoring this
with an eval version of SolarWinds Orion (which we think is great but very
expensive, if anyone can recommend another product - maybe one that does
SNMP monitoring and top talkers, I would be grateful!) Anyway SNMP is
telling us that at certain times of the day our routers at certain sites and
varying times are running really high. Now what we would like to do is be
able to see who is generating this traffic.

This is really where we are coming from by testing Ntop. We don't really look
after the routers so we can't simply get on there and make changes or view
stats so we need a third party product.

From what everyone is saying, I don't think requesting having NetFlow
turned on is a good idea for us.

One thing we thought could work (and I'd appreciate any thoughts on
this) is maybe purchase an "Ethernet tap" such as:

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1

and then plug our router, switch and Ntop server into this.

Do you think that doing this would give us an indication of who was using
our WAN traffic?

Thanks again for all the help so far

Andrew
www.purenetworking.net
 
 

-----Original Message-----
From: Gary Gatten [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 25, 2006 4:36 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: Re: [Ntop] Were to placing Ntop on the network

Trying to do what you want in a fully switched environment is not as easy as
you might think.  If you have common aggregation points, such as uplinks to
server farms, WAN routers, etc. you can start there and catch most
everything "important",  but you still won't see "all" traffic an end node
might be involved in - such as PtP with another end node on the LAN.

Netflow / xflow / IPFix / whatever might work OK if your equipment supports
it.  Not all classes of Cisco switches do.  Trying to SPAN/RSPAN EVERY port
would be problematic at best.  You can also try implementing RMON and using
the feature therein, such as Topn.  Yet another option would be configuring
RMON alerts and events on each port based on throughput and/or doing SNMP
collections on each port using Openview, MRTG, or any of the other ten
thousand SNMP utils out there.

I personally use a combination of most everything I mentioned.  Each
approach accomplishes a slightly different goal - it seems to work OK. 
Guess it all depends on exactly what you want to accomplish.  Define your
goals and implement the best solution(s).

Gary


>>> [EMAIL PROTECTED] 4/25/2006 5:09:46 AM >>>
Hello


We are running a fully switched Cisco network and want to be able to see who
are the top talkers both on our site and on remote sites.

Now I've just set Ntop up and had it running for a few hours. It looks to
be gathering info. We don't have NetFlow or anything like that configured on
our routers. So Ntop is really just running in its default config.

Would I be right in thinking that:

a) Ntop is only reporting traffic that is on the LAN segment, it can't
tell what is going on at a remote site

b) The traffic it sees is only stuff that comes through its network interface.
So it's not really giving me a true reflection of how busy the LAN is?


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop


