I want to analyze my network traffic

  • Thread starter Thread starter Chris
  • Start date Start date
C

Chris

Our data centre claims me that our overseas traffic bandwidth exceeds our
limit. I have logged all the traffic packet. Can you recommend me a best
tool to analyze the traffic packet. I want to know:

1) which IP the traffic comes from
2) how much bandwidth for the incoming and outgoing traffic
3) which port generate the traffic
4) the source IP address

Chris
 
What kind of firewall do you have? Or is it for a website? You are saying
that you logged the traffic - do you mean you captured the traffic with a
sniffer?
 
This is the second post like this that I heard in a while. I'd like to grab
"data center people" like this and slap them accross the head (sorry, a
moment of excitement). If they are smart enought to think this is true of
you, and have the tools that (accuarately?) tells them this,....then they
should be able to answer these questions for you:

1. How much bandwidth are we using?
2. Where is it going?
3. What is the traffic profile? (Protocols, From where, To where)
4. If you can not answer #1-#3, then how do you really know our bandwidth is
too high?
5. Why is our limit so low?,...and why haven't you raised it? (this isn't
the dark ages anymore).
6. Why hasn't there been "traffic shaping" devices been put in place to
throttle bandwidth so that it is not possible to exceed a particular set
limit so that you don't have to bother me with your complaints of my alleged
bandwidth excesses.

I don't know what kind of answers you get,...but it's sure be fun to ask.

There is no such tool that will do all that and put all the right
information in front of you nice and neat and clean. It takes a lot of work
and usually more than one tool and the accuarcy is always questionable
(hence #4 above). In fact that is why "traffic shaping" devices (that
actually work correctly) cost $$$$$$$$.
 
Sorry, forgot to mention....

Etherreal is probably the most popular network "sniffer" out there, although
it may go by a new name now. Just use any Search Engine,...you'll find it.
 
Until we hear the whole story I wouldn't blame the datacenter people. Maybe
they do have traffic shaping but they allow bursts (and chances are the
"bursts" are now "normal"). Probably the best way to measure the bandwidth
use would be MRTG (http://oss.oetiker.ch/mrtg/) and many datacenters use
that. But, beyond MRTG, traffic analysis is an expensive exercise and is not
part of a normal hosting offer (so in order to tell who is using the
bandwidth one would need some additional software/services - web traffic is
an exception as many hosting companies are including traffic reports in
their hosting packages).

--
Adrian Grigorof
www.eventid.net


Phillip Windell said:
This is the second post like this that I heard in a while. I'd like to
grab "data center people" like this and slap them accross the head (sorry,
a moment of excitement). If they are smart enought to think this is true
of you, and have the tools that (accuarately?) tells them this,....then
they should be able to answer these questions for you:

1. How much bandwidth are we using?
2. Where is it going?
3. What is the traffic profile? (Protocols, From where, To where)
4. If you can not answer #1-#3, then how do you really know our bandwidth
is too high?
5. Why is our limit so low?,...and why haven't you raised it? (this isn't
the dark ages anymore).
6. Why hasn't there been "traffic shaping" devices been put in place to
throttle bandwidth so that it is not possible to exceed a particular set
limit so that you don't have to bother me with your complaints of my
alleged bandwidth excesses.

I don't know what kind of answers you get,...but it's sure be fun to ask.

There is no such tool that will do all that and put all the right
information in front of you nice and neat and clean. It takes a lot of
work and usually more than one tool and the accuarcy is always
questionable (hence #4 above). In fact that is why "traffic shaping"
devices (that actually work correctly) cost $$$$$$$$.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


Chris said:
Our data centre claims me that our overseas traffic bandwidth exceeds our
limit. I have logged all the traffic packet. Can you recommend me a
best tool to analyze the traffic packet. I want to know:

1) which IP the traffic comes from
2) how much bandwidth for the incoming and outgoing traffic
3) which port generate the traffic
4) the source IP address

Chris
Click to expand...
Click to expand...
 
Chris said:
1) which IP the traffic comes from
2) how much bandwidth for the incoming and outgoing traffic
3) which port generate the traffic
4) the source IP address
Click to expand...

Guy. Network Monitor.

Run it on the WAN interface behind your t1 rrouter or WAN bridge
device. If you don't have a computer like that, stick a hub inbetween
your router hardware and WAN bridge plus a laptop. Make sure it is
running in promiscuous mode (find it online if need be) and capture
everything comming down the wire for an hour or ten minutes or a day,
or what have you.

1. This will tell you.
2. Compare the size of the resulting file with the seconds duration of
trace, lol.
3. This will tell you (run the experts feature to break down traffic
usage).
4. This will tell you.
 
The tool of choice here is definitely PRTG. It's a native Windows
application and you will have to buy it (about $50 for the 50 sensor
version). It will collect and graph interface stats via snmp like MRTG, but
what you want is to determine which IP adress is generating the traffic.
PRTG will graph real-time and historical bandwidth usage down to the IP
address. You'll need a sensor for each address. There is also a free, one
sensor version. You could do it with that, although it would take more time.
You'd have to break your network in half, find out which half is generating
the traffic - break that half in half, etc until you narrowed it down to the
single IP address.

As an alternative, check out bandwidthd. This is a free Linux utility that
will do what PRTG does as far as graphing bandwidth usage by ip address. If
you have a reverse DNS zone, it will graph by hostname. If you have a decent
computer lying around that you can install Fedora 5 or something on,
bandwidthd has no restrictions as to the number of sensors. Like most Linux
applications, you'll configure it with a configuration file, and it's output
is web-based.

http://www.paessler.com/prtg/download

http://bandwidthd.sourceforge.net/

....kurt
 
Adrian Grigorof said:
Until we hear the whole story I wouldn't blame the datacenter people.
Maybe
Click to expand...

But it was a lot of fun,..and I felt better after. :-)
 
Back
Top