Cacti IP Accounting
We're suffering from saturation of our internet connection at various times during the day.
We have Cacti monitoring the HP Procurve switch port that connects to the router coming in and can accurately determine the current bits/s for our 10mbit line.
We don't have access to the router on site (Affiniti) but whilst it's all very useful for us to see our line is being shafted, it would be nice to see how much by which IPs over a period of time etc. so we can narrow down whether anybody is being naughty or whatnot.
Any advice would be gratefully received.
Wrong tool. Use ntop on your firewall.
Not an option sadly, we literally only have control from this end before the router/firewall is upstream.
Thanks though :(
OK, put a Linux box running as a layer 2 bridge in between your router and your network. Run ntop/iptraf/etc. on that.
snoop on your network to sample the traffic.
Are you looking at the originating addresses within your own lan that are killing things?
Basically, I can see the switch port being shafted but have not done anything further.
I'm trying to see how much is coming through the particular switch port TO where on our internal network.
If it's a ProCurve switch you could enable port mirroring on the router port and a PC connected to a monitoring port. This would allow the PC to see all the traffic going to and from the router (think hub v switch on those two ports).
Running Wireshark on the PC at the times you are getting hammered would show you the source and destination of all the packets. Lots of data, but it would be there.
You will need quite a beefy machine to keep up with the traffic too. :)
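An added example, not part of the original thread: one way to turn a capture taken on the mirrored router port into per-host byte totals, so the busiest internal IPs stand out without paging through every packet. It assumes the capture was saved in classic pcap format with untagged Ethernet frames and that the LAN is 192.168.0.0/24; the subnet, the function names and the sample records are all constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: your internal subnet

def per_host_bytes(pcap, lan=LAN):
    """Return {lan_ip: [bytes_in, bytes_out]} for traffic crossing the router port."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (re-save pcapng captures as pcap)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (linktype 1) capture")
    totals = defaultdict(lambda: [0, 0])
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, wire_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not untagged IPv4 (ARP, IPv6, VLAN-tagged) or too short
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        # Count the on-wire length so a small snaplen does not skew the totals.
        if dst in lan and src not in lan:
            totals[str(dst)][0] += wire_len
        elif src in lan and dst not in lan:
            totals[str(src)][1] += wire_len
    return dict(totals)

def top_talkers(pcap, n=10):
    """LAN hosts sorted by total bytes exchanged with the outside, largest first."""
    return sorted(per_host_bytes(pcap).items(), key=lambda kv: -sum(kv[1]))[:n]

def _record(src, dst, wire_len):
    """Constructed sample record: Ethernet + IPv4 headers only (34 bytes captured)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, wire_len - 14, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    data = bytes(12) + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(data), wire_len) + data

def sample_pcap():
    """Constructed capture using documentation addresses for the outside hosts."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [("203.0.113.5", "192.168.0.20", 1500), ("203.0.113.5", "192.168.0.20", 1500),
             ("192.168.0.20", "203.0.113.5", 60), ("198.51.100.7", "192.168.0.31", 900),
             ("192.168.0.20", "192.168.0.31", 400)]  # last one is LAN-to-LAN, ignored
    return header + b"".join(_record(*f) for f in flows)

if __name__ == "__main__":
    for ip, (rx, tx) in top_talkers(sample_pcap()):
        print(f"{ip:15}  in={rx:>8}  out={tx:>8}")
```

To use it on a real capture, pass the file's bytes to `top_talkers` in place of `sample_pcap()`; because it counts the recorded on-wire length, a headers-only capture gives the same totals and keeps the file small.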
How beefy realistically?
I had Scrutinizer recommended to me earlier today for traffic analysis.
Traffic Monitoring with Scrutinizer NetFlow & sFlow Analyzer from Plixer International
Might be worth a try by using the 30 day demo.
Anything built within the last three years should be fine. Just bump up the RAM to 2Gb. Also make sure you use decent network cards. I'd suggest the Intel EtherExpress 100 or 1000, dependent on your line speed.