
Network monitoring

My manager wants us to monitor the network for peaks in network usage during the week and the duration of that usage. Can anybody help me with this?

I have tried everything I know but keep coming up short.

  • Hi There,

    When you say you want to monitor the network, is it the LAN, WAN or both?

    If it's the WAN, then you need to look at something like SolarWinds NTA, which takes flow data from routers and some switches which support features like NetFlow. This flow data can then be used to show peaks in network usage.

    If you are looking to monitor the LAN and you don't have flow data available, then you need to look at setting up a SPAN or mirror port and use nProbe, which can convert the packet capture data to flow, which can then be used by NTA. Another option is to use a third-party product like LANGuardian, which also plugs into a SPAN/mirror port, and its output can be displayed within Orion.

    Darragh

  • FormerMember

    If you want to do something like this with LEM, you can use the network traffic events generated from your firewall, but it's generally going to be looking for anomalies in a somewhat limited way:

    • Frequency of events - an excessive count of occurrences/hits from a specific host, to a specific host, on specific ports, or with proxy servers, to specific sites or hosts
    • Single events in unexpected ways - a host that shouldn't connect to another host, ports that shouldn't be used, websites/categories that shouldn't be visited

    As for straight up bandwidth usage, LEM is not going to be great, but some firewalls and proxy servers do include this detail in their events and you might be able to search for it.

    If you want to limit to just web activity, you can tell a LOT by frequency of events - if you report on web traffic by source machine (or user name), you can fairly easily see the most common offenders, though you'd need to weed out stuff like internal sites if those also route through your proxy, or sites that you expect people to visit, like Salesforce, for example.

    LEM can also do some basic top talkers-style flow analysis with netflow/sflow data, but it's nowhere near what NTA can do.

  • With what intention/focus in mind? If you are concerned about the network performance itself, go for NPM; if your concern is who eats up your bandwidth, go for NTA. Either way, you will get comprehensive information about the network. If you need to identify who or what is causing the spikes, you should rule out all genuine traffic first and deal with what is left.

  • Hey nicole pauls, what specifically are the capabilities of LEM with regard to netflow/sflow? Is this documented somewhere?

  • FormerMember in reply to byrona

    The only flow capabilities in LEM right now are to collect flows and display top talker info (by bytes or packets per host or port). There hasn't been much drive to utilize flow data further, and some question of what would be more well suited to do in NTA/NPM and raise to LEM so the systems can work better together.

  • Awesome, thanks for the quick response Nicole!
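
Added example, not part of the thread and not code from any SolarWinds product: a sketch of what the replies describe doing with flow data, namely finding usage peaks, how long each lasts, and the top talker (by bytes per host) during it. The flow records are constructed sample data, and the 5-minute bucket size and the Mbit/s threshold are assumptions to tune for your own link.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BIN = 300  # seconds per bucket (assumed 5-minute granularity)

# Constructed sample flow records: (start time, source host, bytes). Not real traffic.
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # a Monday morning
def _f(minute, src, mbytes):
    return (T0 + timedelta(minutes=minute), src, mbytes * 1_000_000)
FLOWS = [
    _f(0, "10.0.0.5", 20), _f(5, "10.0.0.5", 25), _f(10, "10.0.0.9", 400),
    _f(12, "10.0.0.5", 30), _f(15, "10.0.0.9", 450), _f(20, "10.0.0.7", 15),
    _f(35, "10.0.0.7", 380), _f(40, "10.0.0.5", 10),
]

def bucketize(flows, bin_s=BIN):
    """Sum bytes per time bucket, and per host within each bucket."""
    totals, per_host = defaultdict(int), defaultdict(lambda: defaultdict(int))
    for ts, src, nbytes in flows:
        b = int(ts.timestamp()) // bin_s * bin_s
        totals[b] += nbytes
        per_host[b][src] += nbytes
    return totals, per_host

def find_peaks(flows, threshold_mbps, bin_s=BIN):
    """Return contiguous runs of buckets whose average rate exceeds the threshold."""
    totals, per_host = bucketize(flows, bin_s)
    peaks, run = [], []
    for b in sorted(totals) + [None]:  # None is a sentinel that flushes the last run
        hot = b is not None and totals[b] * 8 / bin_s / 1e6 > threshold_mbps
        if hot and (not run or b == run[-1] + bin_s):
            run.append(b)
            continue
        if run:  # the run just ended: summarise it
            hosts = defaultdict(int)
            for r in run:
                for h, n in per_host[r].items():
                    hosts[h] += n
            peaks.append({
                "start": datetime.fromtimestamp(run[0], timezone.utc),
                "duration_min": len(run) * bin_s // 60,
                "max_mbps": round(max(totals[r] for r in run) * 8 / bin_s / 1e6, 1),
                "top_talker": max(hosts, key=hosts.get),
            })
        run = [b] if hot else []
    return peaks

if __name__ == "__main__":
    for p in find_peaks(FLOWS, threshold_mbps=5):
        print(p)
```

Buckets with no flows at all are treated as quiet, so a gap in the data ends a peak rather than extending it.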