CoXeY

Hi all,

We run a number of bandwidth monitoring tools (namely PRTG) to monitor bandwith utilization going through our switches but I need to understand the bandwidth usage by protocol for a specific server.

The server is running Windows 2003 and I cannot for the life of me get a breakdown of the server's bandwidth utilization on a protocol by protocol basis. Any ideas how i can get this info?

Thanks
Dan.

internetod

I suggest using something such as Netflow if your switch/router supports it. This will log the usage, protocol, destination and source for deeper analysis.

i.e. Cisco

Global Conf
(global)ip flow-export IPADDDRESS version 5
Where IP is the IP of the Netflow Monitoring System

Interface Conf
(interface) ip route-cache flow
Required on all interfaces to be monitored.

__________________
Some people are mugs...

CoXeY

The switches are 2950t's so i don't think netflow is going to be possible.

Are there any software tools that will do this for me?

I know Ethereal and Network Monitor Service can analyze data on a packet by packet basis but they seem to lack the ability to display the bandwidth used for a particular protocol.

internetod

I guess you're not routing your own network either?

If not, does your provider offer you any tools for monitoring?

__________________
Some people are mugs...

SynergyWorks

The only last option you have if you don't route your own network and your provider can't help is to setup a "monitoring or probe port" and packet watch it - although its not really a good solution as your using up a port and it'll be quite CPU intensive.

__________________
Robert Bentley

SynergyWorks.co.uk - AS41659
Dedicated Servers - Virtual Servers - South East / Kent Colocation & Rackspace - IP Transit
T: +44 (0)1622 808 420 / F: +44 (0)1622 808 422 / E: r.bentley [at] synergyworks.co.uk
VAT #: GB 913 4306 53

CoXeY

Sorry my fault for not explaining the problem in full.

Routing is managed by Verizon who provide a tool called "Application Insight" in order for us to see a breakdown of our entire network traffic on a protocol by protocol basis. Application Insight has shown that VPN traffic has increased to be nearly 60% of our entire network utilization over the past couple of months! I have tracked this down to a server but am intrieged to see what is being transferred via the VPN to require so much bandwidth.

Application Insight reports the traffic as being IPSec but the VPN connection is to a perimeter PIX firewall. Beyond this point the traffic is not encrypted by IPSec and it is here that I want to perform the analysis (either on the switch or the server iteself).

Any help or pointers will be much appreciated.

Dan.

Schumie

That gets rather more complex as far as I am aware, the PIX won't export Netflow data and Highlight from NetEvidence requires Netflow data for its details.

With regard to the traffic, do you have any monitoring of the switch ports that may help identify which swichports traffic level has increased greatly over the past months, and narrow it down to a specific system?

Then maybe actually take a look what that system is doing to generate the traffic.

__________________
Steve Wright
DediPower Managed Hosting | Support with Passion
NEWS: British not-for-profit online knowledge base selects DediPower Managed Hosting

goscombtech

put an ntop box on a SPAN... that will give you what you want

__________________
Goscomb Technologies Limited - www.goscomb.net / AS39326

E: sales@goscomb.net P: +44 (0) 203 129 4400 F: +44 (0) 203 129 4410

Free IPv4/IPv6 Dialup! p: 08456043047 u: dial@goscomb.net.uk p: dial
IP Transit :: Colocation :: Dedicated Servers :: Leased Lines :: DSL
Registered in England and Wales No. 05672987 - VAT Registration No. 853 7954 80

CoXeY

Schumie, i've already narrowed it down to a single box so now i want to analyse its activity.

And i had a horrible feeling someone hugely technical would come along and recommend a unix / linux solution! I'm not too linux savy but if that's the only solution out there then so be it!! Thanks goscombtech.

Before i steam into this are there any other recommendations?

goscombtech

if you want a quick way... http://www.ntop.org/nBox86.html

all done for you as an appliance of sorts, just need to config the switch and plug it in then

__________________
Goscomb Technologies Limited - www.goscomb.net / AS39326

E: sales@goscomb.net P: +44 (0) 203 129 4400 F: +44 (0) 203 129 4410

Free IPv4/IPv6 Dialup! p: 08456043047 u: dial@goscomb.net.uk p: dial
IP Transit :: Colocation :: Dedicated Servers :: Leased Lines :: DSL
Registered in England and Wales No. 05672987 - VAT Registration No. 853 7954 80

Antho

Or CactiEZ perhaps...doddle to setup

__________________
Anthony Bennett - Sales Director Hi-Velocity
Colocation - IP Transit - Interconnects - Leased Lines - SDSL - ADSL- Wholesale DSL
www.hi-velocity.net

CoXeY

I'm actually using Netlimiter at the moment and i seem to have tracked the problem down to SQL traffic. Further investigation has found a DTS package that uploads a 200MB database to our network every few minutes!!

I've actaully used Netlimiter to restrict this traffic and am currently in talks with those responsible as to why so much traffic must be uploaded so frequently

You're recommendations have been taken onboard though, and i will investigate them in time, there's obviously a need for us to be running this kind of analysis on an ongoing basis...


Thanks again

Dan.