On Wed, Jul 1, 2009 at 07:46, Cameron Cooper<[email protected]> wrote: > Anyone use a good network monitor that we can use to watch all traffic and > analyze which user/computer is spiking our T1?
Butting in a little bit late...

NTOP, MRTG/PRTG/nagios, and Wireshark/MS Netmon are three very different approaches to network monitoring, each useful and necessary, but aimed at solving different problems.

NTOP: It's a hybrid layer 2/3 monitoring system that listens to all of the packets going by on its monitoring interface, and categorizes the traffic in very interesting and useful ways, including source and destination, some protocol analysis, and your top three talkers over the past 10 minutes, hour or 24 hours. You can use BPF filters to narrow the scope of what it looks at, but for it to be useful you need to pick a point in the network where it can see the traffic you want it to monitor. This usually means a mirror/span port on the switch into which your router is plugged, though it can also consume netflow/sflow data and display that, too.

MRTG/PRTG/nagios/cricket/big sister/jffnms/opennms/etc.: These are mostly SNMP query tools, using RRDTool or other software to aggregate data and write graphs and raise alerts - you need a switch (and perhaps other equipment) that allows you to do SNMP queries of the networking OIDs (in this particular case). Unfortunately, these tools probably won't be your best bet, even if you have SNMP-enabled equipment, because all you'll get are raw byte counts, telling you nothing about source or destination, and T1 traffic is likely to be swamped in the noise of a LAN environment.

Wireshark/MS Netmon: Raw packet capturing power, and incredibly useful, though this hammer is also perhaps not your best tool for this particular job, unless you know how to craft decent filters (hint: dest != 192.168.0.0/16 OR src != 192.168.0.0/16), and these (like NTOP) need a mirror/span switch into which your router is plugged, so that it can see all of the traffic.

For this particular problem, NTOP is probably your very best fit.

Kurt
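As an added example, not code from the post or from any of the tools it names: the idea behind the filter hint above, keeping only packets with exactly one endpoint inside 192.168.0.0/16 (so LAN-to-LAN chatter drops out of the count) and then ranking internal hosts by bytes that actually crossed the router, which is what SNMP interface counters alone cannot tell you. The packet records and addresses are constructed sample data, not a real capture.

```python
import ipaddress
from collections import defaultdict

# Internal address space, taken from the filter hint in the post.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")

# Constructed packet summary: (src, dst, bytes). Not real traffic.
SAMPLE = [
    ("192.168.1.10", "192.168.1.200", 1_500_000),  # LAN-to-LAN copy: noise for a T1 question
    ("192.168.1.200", "192.168.1.10", 900_000),
    ("192.168.1.42", "203.0.113.7", 400_000),      # upload to an Internet host
    ("203.0.113.7", "192.168.1.42", 2_000_000),    # download from it
    ("192.168.1.77", "198.51.100.9", 50_000),
    ("198.51.100.9", "192.168.1.77", 120_000),
]


def crosses_wan(src, dst):
    """True when exactly one endpoint is internal, i.e. the packet went through the router."""
    src_internal = ipaddress.ip_address(src) in INTERNAL
    dst_internal = ipaddress.ip_address(dst) in INTERNAL
    return src_internal != dst_internal


def top_talkers(records, n=3):
    """Per internal host, bytes in and out over WAN-crossing packets, largest total first."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, size in records:
        if not crosses_wan(src, dst):
            continue  # both ends internal (or both external): never touched the T1
        if ipaddress.ip_address(src) in INTERNAL:
            totals[src]["out"] += size
        else:
            totals[dst]["in"] += size
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for host, b in top_talkers(SAMPLE):
        print(f"{host:16} in={b['in']:>10} out={b['out']:>10}")
```

On a real span port the same two functions would be fed from a capture reader instead of SAMPLE; the LAN-only pair never appears in the ranking, which is the point of filtering on the boundary rather than on raw interface counters.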
