Hi all
I'd like to hear what you folks use to analyze traffic. I've come to a point where I need, down to the minute, statistics of traffic flowing in and out of a GigE interface and since I've mostly worked with sniffers before I need some suggestions. I don't need to capture entire packets, I just need to know the source/ destination IP along with the ports. My goal is to catch any bursting traffic that's currently causing buffer drops. Windows apps preferred.
Best regards Fredrik
You'll most likely need netflow, although it generally only runs on router ports which are much more likely to be bottlenecks than switch ports. I think the latest versions of switches support netflow, but in most cases, you can only run it on routers or switched virtual interfaces (aka vlans on routers). You would need to find a tool that you can use, and most cost money. You can check out ntop which is pretty good, but I think its only *nix based.
For simple traffic monitoring, snmp is the best on switches as you can monitor the in/out of the specific port. But that only shows you bandwidth and utilization and does not show IP information. As soon as this becomes a requirement, a sniffer or netflow will be your only options. Of course you can turn on ip route cache flow on the router interface of that vlan/subnet and then do a show ip cache flow which will show you all the current flows. If you add in a '| include K', it will filter out the smaller flows and only focus on the very large flows (which will be in the thousands, and therefore will have the K). This will provide source & destination.
Show netstat may also work on newer enterprise gear, although I don't think it shows size of the flows and therefore can be hard to gain context.
Thanks for the answers but I was thinking more in the line of some application that analyzes SPANed traffic
/Fredrik
None that i know of. Sniffers will look at individual packets, but there is no context of how much utilization when you are just looking at packets via a span. Netflow is what you are looking for, and the router will report to a netflow collector that analyzes traffic that is routed from one interface to another. It will tell you utilization (although there are some slight discrepancies on that too), source, destination, ports, etc, and organize by the heavy hitters. I don't know of any app that looks at sniffer traffic and has summary reporting. Something like OpNet (which is very expensive but a very nice tool) can use sniffer traces and sum up traffic between hosts (amount of send/receive, latency, etc), but it does not show overall interface utilization on the router or switch, it looks at it from a server perspective of traffic sent and received.
Take a look at "ntop" -
Trendkill wrote:
The engineers toolkit from solarwinds has a pretty good netflow collector/analyzer. Of course, the device needs to support netflow, but it works very well.
fugettaboutit wrote:
Argus
Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.