Traffic analyzer/statistics tool

Discussion in 'Cisco' started by Hoffa, Jul 16, 2008.

  1. Hoffa

    Hoffa Guest

    Hi all

    I'd like to hear what you folks use to analyze traffic. I've come to a
    point where I need, down to the minute, statistics of traffic flowing
    in and out of a GigE interface and since I've mostly worked with
    sniffers before I need some suggestions.
    I don't need to capture entire packets, I just need to know the source/
    destination IP along with the ports. My goal is to catch any bursting
    traffic that's currently causing buffer drops. Windows apps preferred.

    Best regards
    Fredrik
     
    Hoffa, Jul 16, 2008
    #1

  2. Trendkill

    Trendkill Guest

    On Jul 16, 4:56 am, Hoffa <> wrote:

    You'll most likely need netflow, although it generally only runs on
    router ports which are much more likely to be bottlenecks than switch
    ports. I think the latest versions of switches support netflow, but
    in most cases, you can only run it on routers or switched virtual
    interfaces (aka vlans on routers). You would need to find a tool that
    you can use, and most cost money. You can check out ntop which is
    pretty good, but I think it's only *nix based.

    For simple traffic monitoring, snmp is the best on switches as you can
    monitor the in/out of the specific port. But that only shows you
    bandwidth and utilization and does not show IP information. As soon
    as this becomes a requirement, a sniffer or netflow will be your only
    options. Of course you can turn on ip route cache flow on the router
    interface of that vlan/subnet and then do a show ip cache flow which
    will show you all the current flows. If you add in a '| include K',
    it will filter out the smaller flows and only focus on the very large
    flows (which will be in the thousands, and therefore will have the
    K). This will provide source & destination.
     
    Trendkill, Jul 16, 2008
    #2
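    Trendkill's first suggestion, SNMP on the switch port, gives bandwidth per interface but not per flow. The following is an added example (editor's code, not from the thread or any poster) of what a poller does with two readings of an interface octet counter, and why the 32-bit IF-MIB counter ifInOctets is the wrong object for a GigE port polled once a minute: at line rate it wraps roughly every 34 seconds, so a busy minute disappears. The 64-bit ifHCInOctets does not have that problem. The link speed (1 Gbit/s) and the counter readings are assumptions constructed for the demo, not polled from a device.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed link for the demo: a GigE port, so ifSpeed = 1 000 000 000 bit/s.
GIGE_BPS = 1_000_000_000

# IF-MIB octet counters: ifInOctets/ifOutOctets are 32-bit,
# ifHCInOctets/ifHCOutOctets are 64-bit. The width decides how often they wrap.
COUNTER32_MOD = 2 ** 32
COUNTER64_MOD = 2 ** 64


@dataclass(frozen=True)
class Sample:
    t: float      # poll time in seconds
    octets: int   # cumulative octet counter value read at time t


def counter_delta(prev: int, cur: int, width: int = 32) -> int:
    """Octets transferred between two readings, tolerating one counter wrap.
    If the counter wrapped more than once inside the interval the result is
    wrong, and nothing in the two readings can reveal that."""
    mod = COUNTER32_MOD if width == 32 else COUNTER64_MOD
    return (cur - prev) % mod


def utilization_pct(prev: Sample, cur: Sample, speed_bps: int = GIGE_BPS,
                    width: int = 32) -> float:
    """Percent of link capacity used in one direction between two polls."""
    seconds = cur.t - prev.t
    if seconds <= 0:
        raise ValueError("samples must be in increasing time order")
    bits = counter_delta(prev.octets, cur.octets, width) * 8
    return 100.0 * bits / (seconds * speed_bps)


def seconds_to_wrap(speed_bps: int = GIGE_BPS, width: int = 32) -> float:
    """How long a saturated link takes to wrap the counter once."""
    mod = COUNTER32_MOD if width == 32 else COUNTER64_MOD
    return mod * 8 / speed_bps


def busy_intervals(samples: List[Sample], threshold_pct: float = 70.0,
                   speed_bps: int = GIGE_BPS, width: int = 32) -> List[Tuple[float, float]]:
    """(interval start, utilization %) for every polling interval at or above threshold."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        u = utilization_pct(prev, cur, speed_bps, width)
        if u >= threshold_pct:
            out.append((prev.t, round(u, 1)))
    return out


# Constructed one-minute polls of a 64-bit octet counter (not from a device):
# a quiet minute, one minute at 80 % of GigE, then quiet again.
SAMPLES = [
    Sample(0, 0),
    Sample(60, 750_000_000),       # 6 Gbit in 60 s -> 10 %
    Sample(120, 6_750_000_000),    # +6 000 000 000 octets = 48 Gbit -> 80 %
    Sample(180, 7_125_000_000),    # +375 000 000 octets -> 5 %
]

if __name__ == "__main__":
    print("64-bit counter:", busy_intervals(SAMPLES, width=64))  # finds the busy minute
    print("32-bit counter:", busy_intervals(SAMPLES, width=32))  # misses it: 6e9 octets > 2^32
    print("seconds to wrap a 32-bit counter at line rate:", round(seconds_to_wrap(), 1))
```

    Read the same samples as a 32-bit counter and the 80 % minute comes out as about 23 %, because 6 000 000 000 octets exceed 2^32 and the modulo arithmetic silently loses a wrap. The practical rule is to poll the HC counters on anything faster than 100 Mbit/s, and to poll more often than the wrap time if only 32-bit counters are available.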
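    The "| include K" trick in the reply above works because IOS abbreviates large packet counts in the Pkts column with a K suffix, so the text filter keeps only the rows in the thousands. As an added example (editor's code, not from the thread), here is a parser for that flow table that does the same selection numerically, which also catches rows abbreviated with M and lets the cut-off be tuned. The sample output is constructed in the shape of the IOS flow table (columns SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with protocol and ports in hex); it is not captured from a real device, and handling of an M suffix is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# IP protocol numbers as printed in the Pr column (hex on the device).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample in the shape of the 'show ip cache flow' flow table
# (header line plus one flow per row). Not captured from a real device.
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl10          10.10.1.25      Gi0/1         192.0.2.44      06 0BB8 0050   213K
Vl10          10.10.1.7       Gi0/1         192.0.2.9       11 A2F1 0035     18
Gi0/1         198.51.100.8    Vl10          10.10.1.25      06 0050 0BB8   187K
Vl10          10.10.1.99      Gi0/1         192.0.2.80      01 0000 0800   1.2M
Gi0/1         203.0.113.5     Vl10          10.10.1.50      06 01BB C4E2    950
"""

_FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+"
    r"(?P<pkts>\d+(?:\.\d+)?[KM]?)\s*$"
)


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: str
    sport: int
    dport: int
    pkts: int


def parse_count(text: str) -> int:
    """Expand the abbreviated Pkts column: '213K' -> 213000, '1.2M' -> 1200000."""
    scale = {"K": 1_000, "M": 1_000_000}
    if text[-1] in scale:
        return int(round(float(text[:-1]) * scale[text[-1]]))
    return int(text)


def parse_cache_flow(output: str) -> List[Flow]:
    """Parse flow rows; the header, the statistics block and blank lines are skipped."""
    flows = []
    for line in output.splitlines():
        m = _FLOW_RE.match(line.strip())
        if not m:
            continue
        proto_num = int(m["pr"], 16)
        flows.append(Flow(
            src_if=m["src_if"], src=m["src"], dst_if=m["dst_if"], dst=m["dst"],
            proto=PROTO_NAMES.get(proto_num, str(proto_num)),
            sport=int(m["sport"], 16), dport=int(m["dport"], 16),
            pkts=parse_count(m["pkts"]),
        ))
    return flows


def heavy_flows(flows: List[Flow], min_pkts: int = 1_000) -> List[Flow]:
    """Numeric equivalent of '| include K': flows at or above min_pkts, largest first."""
    return sorted((f for f in flows if f.pkts >= min_pkts),
                  key=lambda f: f.pkts, reverse=True)


if __name__ == "__main__":
    for f in heavy_flows(parse_cache_flow(SAMPLE_OUTPUT)):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} {f.pkts} pkts")
```

    Note that the cache shows cumulative packet counts of flows that are still active, not a rate, so a long-lived low-rate flow can also reach the thousands; for the per-minute view the original poster asked for, the router has to export the flows to a collector that timestamps them.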

  3. Trendkill

    Trendkill Guest

    On Jul 16, 7:20 am, Trendkill <> wrote:

    Show netstat may also work on newer enterprise gear, although I don't
    think it shows size of the flows and therefore can be hard to gain
    context.
     
    Trendkill, Jul 16, 2008
    #3
  4. Hoffa

    Hoffa Guest

    On 16 Juli, 13:23, Trendkill <> wrote:

    Thanks for the answers, but I was thinking more along the lines of some
    application that analyzes SPANed traffic.

    /Fredrik
     
    Hoffa, Jul 16, 2008
    #4
  5. Trendkill

    Trendkill Guest

    On Jul 16, 7:27 am, Hoffa <> wrote:

    None that I know of. Sniffers will look at individual packets, but
    there is no context of how much utilization when you are just looking
    at packets via a span. Netflow is what you are looking for, and the
    router will report to a netflow collector that analyzes traffic that
    is routed from one interface to another. It will tell you utilization
    (although there are some slight discrepancies on that too), source,
    destination, ports, etc, and organize by the heavy hitters. I don't
    know of any app that looks at sniffer traffic and has summary
    reporting. Something like OpNet (which is very expensive but a very
    nice tool) can use sniffer traces and sum up traffic between hosts
    (amount of send/receive, latency, etc), but it does not show overall
    interface utilization on the router or switch, it looks at it from a
    server perspective of traffic sent and received.
     
    Trendkill, Jul 16, 2008
    #5
  6. fugettaboutit

    Take a look at "ntop" - www.ntop.org. Sounds like this will do what you
    want, it's open source, and takes NetFlow v5 and 9 for analysis.


    Trendkill wrote:
     
    fugettaboutit, Jul 16, 2008
    #6
  7. jw

    jw Guest

    The Engineer's Toolkit from SolarWinds has a pretty good netflow
    collector/analyzer.
    Of course, the device needs to support netflow, but it works very well.


    fugettaboutit wrote:
     
    jw, Jul 16, 2008
    #7
  8. Peter Van Epp

    Hoffa <> writes:

    Argus (http://www.qosient.com/argus), or ipaudit (SourceForge
    somewhere). Both open source. Argus will run under cygwin on Windows but if
    your gig link is busy you will be far better off with Linux with either
    pf-ring or Phil Wood's mmapped libpcap. Either will run off a span port
    (or better) a tap in the network and don't eat router resources as netflow
    does (Argus will also process netflow data if you insist ...).

    Peter Van Epp / Operations and Technical Support
    Simon Fraser University, Burnaby, B.C. Canada
     
    Peter Van Epp, Jul 18, 2008
    #8
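    Two replies in this thread bear on the original question of summarising SPANed traffic: Trendkill's reply #5, that a sniffer on a span gives no utilization context, and Peter Van Epp's reply above naming Argus and ipaudit, which build that context from a span by keeping only headers and aggregating them into flows per time bucket. The following is an added example (editor's code, not from the thread and not Argus or ipaudit) of that aggregation over header-only records: bytes per time bucket from the IP length field, buckets above a utilization threshold, and the top talkers inside each. The capture is constructed with a small helper, the monitored port is assumed to be 100 Mbit/s to keep the sample short, and the one-second bucket is a deliberate choice discussed below.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, str, int, int]   # src, dst, proto, sport, dport


@dataclass(frozen=True)
class PacketHeader:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int    # IP total length; available even with a short snaplen


def bucket_of(ts: float, bucket_seconds: int) -> int:
    return int(ts // bucket_seconds) * bucket_seconds


def summarize(headers: List[PacketHeader], bucket_seconds: int = 60):
    """Bytes per time bucket, and bytes per (bucket, 5-tuple) flow."""
    per_bucket: Dict[int, int] = defaultdict(int)
    per_flow: Dict[Tuple[int, FlowKey], int] = defaultdict(int)
    for h in headers:
        b = bucket_of(h.ts, bucket_seconds)
        per_bucket[b] += h.length
        per_flow[(b, (h.src, h.dst, h.proto, h.sport, h.dport))] += h.length
    return dict(per_bucket), dict(per_flow)


def burst_buckets(per_bucket: Dict[int, int], bucket_seconds: int,
                  link_bps: int, threshold_pct: float = 70.0) -> List[int]:
    """Buckets whose byte count is at or above threshold_pct of link capacity."""
    limit = link_bps * bucket_seconds * threshold_pct / 100 / 8   # bytes
    return sorted(b for b, n in per_bucket.items() if n >= limit)


def top_talkers(per_flow, bucket: int, n: int = 3):
    """Largest flows (by bytes) inside one bucket."""
    rows = [(key, nbytes) for (b, key), nbytes in per_flow.items() if b == bucket]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


def synth_flow(start, seconds, pps, size, src, dst, proto, sport, dport):
    """Constructed packet stream: pps packets of `size` bytes per second."""
    return [PacketHeader(start + s + i / pps, src, dst, proto, sport, dport, size)
            for s in range(seconds) for i in range(pps)]


# Constructed 10-second capture (not from a real SPAN session): a steady
# low-rate UDP background plus a 2-second bulk TCP transfer starting at t=4.
CAPTURE = (synth_flow(0, 10, 100, 500, "10.10.1.7", "192.0.2.9", "udp", 41713, 53)
           + synth_flow(4, 2, 6000, 1500, "10.10.1.25", "192.0.2.44", "tcp", 3000, 80))

LINK_BPS = 100_000_000   # assumed 100 Mbit/s monitored port for the demo


def report(headers=CAPTURE, bucket_seconds: int = 1, link_bps: int = LINK_BPS):
    """Map each burst bucket to its two biggest flows."""
    per_bucket, per_flow = summarize(headers, bucket_seconds)
    return {b: top_talkers(per_flow, b, n=2)
            for b in burst_buckets(per_bucket, bucket_seconds, link_bps)}


if __name__ == "__main__":
    for bucket, talkers in report().items():
        print(f"t={bucket}s:")
        for (src, dst, proto, sport, dport), nbytes in talkers:
            print(f"  {src}:{sport} -> {dst}:{dport} {proto} {nbytes} bytes")
```

    With one-second buckets the two seconds of bulk transfer show up at 72 % of the port and the responsible 5-tuple is the first row; with the one-minute buckets the original poster asked for, the same capture averages out to well under the threshold and nothing is reported, although a 2-second burst at that rate is exactly what fills switch buffers. Two caveats apply to any span-based figure: a span session on an oversubscribed source drops mirrored frames, so the counts are a lower bound, and a span carries both directions of the monitored port unless rx and tx are mirrored to separate destinations.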
