4 Replies Latest reply on Jan 22, 2010 8:12 AM by ecklerwr1

    Network traffic

      Hi all,

      We are a small to medium business that has 5 servers and about 30 workstations (PC's & Mac's), over the past week we have experience dramatic deterioration in our network/internet performance. I am trying to find a program that can be deployed and then scan the network to find where the traffic is coming from.

      Is anyone able to recommend some software and also tell me what requirements/setup process for implementing this.

       

        • Re: Network traffic
          jswan

          The quickest way to do this on a small network is to capture a bunch of traffic with Wireshark (free), and look at the traffic statistics available under the "statistics" menu.

          If you have a router that supports NetFlow, the free Solarwinds Real-Time NetFlow Analyzer tool might also be useful, as would the NetFlow top-talkers command-line tools on the router:

          http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/cfg_nflow_top_talk.html

          The reason I recommend Wireshark as a first step for small networks is that NetFlow is only going to give you statistical information for routed traffic, whereas on a small network there are lots of problems that could be occurring with bridged or broadcast traffic.

          • Re: Network traffic
            ecklerwr1

            Also you are going to need to find a place where you plug the wireshark machine in where you can see all the traffic on your network.  Possibly a span port.

            jswan is right though if you get plugged in where you can see all the traffic wireshark will show all the conversations going on and you'll get layer 2 information also.  When you setup the machine for example a pc to run wireshark make sure you have an adapter that can go into promiscuous mode.  Some laptop adapters won't do it.

              • Re: Network traffic

                Thanks for that guys.

                 

                Can this run from any workstation connected to the network? I'm not entirely sure what a span port is (sorry).

                How do I connect to remote devices to monitor this?

                I was hoping to use an application to connect to our Cisco PIX 506E and filter the traffic through that? Really just need to know what IP address is dominating the network bandwith.

                 

                Al

                  • Re: Network traffic
                    ecklerwr1

                    Hello Al-

                    In modern switched LAN's when you plug your pc into a regular switch port you will only see your conversations to / from your pc and broadcast traffic (to everyone).  Do you know what kind of switches are being used for your LAN there.  If they are cisco the best thing to do is find a place to plug the wireshark machine where you are close to the core of the network and configure a SPAN port to plug into.  SPAN stands for Switch Port Analyzer.  You can configure the switch to copy all of the traffic from specific ports or VLANs to the port you plug the analyzer into.  This way you will see all the conversations between clients/servers/etc.  Here's a link to configuring span ports for cisco switches in this case a 2975:

                    http://www.cisco.com/en/US/docs/switches/lan/catalyst2975/software/release/12.2_46_ex/configuration/guide/swspan.html

                    You're probaby going to just want local span port configured.  You may want to work with who'ever you work with that configures the LAN switches there.  If they are not cisco switches then you will need something similar.  Wireshark can be run on any computer... it just need to be plugged into a port that's configured to see all the traffic you want to look at.