HOW to monitor network flows ?!?

[chronodekar]

Need to monitor LAN flow traffic. Like, what's the total up/down speed in use by a local PC/laptop (near real-time logs) I'm looking for hardware options. My knowledge is limited, but from what I understand, I'll need a hardware solution for this. At the moment, my (office) network is connected to the outside world with this,

Linksys RV042

Cost is a big consideration, but for the moment, I just want to know what options I've got. Googling around just gives me some software links, and I doubt if it will help me.

I've tried using SNMP, but all that does is tell me what interface is hogging the network. It's handy to narrow my search for hogs, but I need a bit more fine-grained monitoring.

Frustrated,
-chronodekar

 

[stlcardinals]

If you want to upgrade your firewall, you can go with a Cisco ASA 5505. The ASDM can give you an interface that will show the bandwidth being used by any interface. It can also show you the amount of packets or bytes used for the Top 10 Services, Sources, and Destinations for the last hour, 8 hours, and 24 hours. Sources being both inside and outside IP addresses.

It's simple enough that I use it to see who's hogging the bandwidth. If you need something more complex than that, you'll probably have to look at one of the fancier SNMP software packages.

 

[chronodekar]

Top 10 sources/destinations per interface sounds nice. But, I don't need a firewall. Heck, the only REAL work my RV042 does is establish a VPN connection between 2 other offices.

Will SNMP do what I want? I tried flashing DD-WRT on a Linksys WRT54GL Wifi router I have and tried reading the SNMP data from it, but ... its lacking. SNMP tells me what interface is transferring the most data (in near real-time), but, I need to know who (or which LAN IP) is doing the transferring. And to whom.

I read somewhere that netflow-based devices might be able to do what I want. Do you think it would? For that matter, how expensive would a netflow-enabled device cost?

-chronodekar

 

[imagoon]

To do Netflow, you need a netflow device (Cisco 1800 series routers would work) and a receiver for the Netflow data. The routers just send a stream on information and leave it to a program line Orion to actually do the work on it. Netflow switches tend to be big $$ because it is CPU intensive so the cheap switches rarely have the power to handle it.

Now depending on what you need to monitor, a monitor on an RMON port might be sufficient.

 

[chronodekar]

Now depending on what you need to monitor, a monitor on an RMON port might be sufficient.

Forgive my ignorance, but what do you mean by "monitor on an RMON" port? Is that another device/protocol?

Ouch! I just looked at the prices of the Cisco 1800 devices. Didn't realize it would go beyond $1000 !!!

-chronodekar

 

[sactwnguy]

You can only get netflow statistics from routed traffic on Cisco devices. ASA 5505 should be able to export to netflow with 8.3 code. We use an Opnet Acelive being fed from a span port to track our switched traffic but it might be a little out of your price range. Either way you are going to need something more than a linksys to track individual flows.

 

[imagoon]

Forgive my ignorance, but what do you mean by "monitor on an RMON" port? Is that another device/protocol?

Ouch! I just looked at the prices of the Cisco 1800 devices. Didn't realize it would go beyond $1000 !!!

-chronodekar

Good monitoring equipment is big $$. RMON is "Remote Monitor" basically you mirror ports on a switch so they export everything the switch sees on a port by port basis. The computer attached to the port then can read, monitor and digest that information to give you a pretty little graph. Typically you mirror uplink ports for day to day monitoring, or specific ports when troubleshooting or if the security level requires it. However "all" typically will be inaccurate if the rmon port cannot handle the entire load of the switch.

 

[Nothinman]

To do Netflow, you need a netflow device (Cisco 1800 series routers would work) and a receiver for the Netflow data. The routers just send a stream on information and leave it to a program line Orion to actually do the work on it. Netflow switches tend to be big $$ because it is CPU intensive so the cheap switches rarely have the power to handle it.

Now depending on what you need to monitor, a monitor on an RMON port might be sufficient.

And sadly Netflow analysis software tends to come in 3 varieties: good and very expensive, annoying limited and free, totally free but some assembly required.

 

[ViviTheMage]

Sounds like you should start off with, what's your budget?

 

[chronodekar]

Sounds like you should start off with, what's your budget?

At the moment, nothing. You see, I want to propose this to my superior and I need information first. But, as a baseline, buying the RV042 for around $200 was a decision.

-chronodekar

 

[Pheran]

Is the router connected to a switch that will allow you to create a mirror port (e.g. Cisco SPAN)? If so you can mirror the uplink to the router and plug in a Linux box loaded with something like ntop to get a good view of your traffic utilization.

 

[James Bond]

And sadly Netflow analysis software tends to come in 3 varieties: good and very expensive, annoying limited and free, totally free but some assembly required.

ManageEngine isn't so bad. You can monitor two interfaces for free I believe.

 

[James Bond]

Do the Cisco 800 series routers support NetFlow? I want to say yes.

You could get the lowest of the low end for a little above $250...

http://www.amazon.com/Cisco-Ethernet.../dp/B000A439QS

Supports up to 5 VPN tunnels.

 

[Nothinman]

ManageEngine isn't so bad. You can monitor two interfaces for free I believe.

I would consider that annoyingly limited...

 

[jlazzaro]

ManageEngine isn't so bad. You can monitor two interfaces for free I believe.

scrutinizer netflow has no interface limit, but flow information is only kept in the db for 24 hours. you can still generate reports and save specific data for as long as you desire.

 

[chronodekar]

Do the Cisco 800 series routers support NetFlow? I want to say yes.

You could get the lowest of the low end for a little above $250...

http://www.amazon.com/Cisco-Ethernet.../dp/B000A439QS

Supports up to 5 VPN tunnels.

This one looks interesting. Can someone confirm what kind of NetFlow support it has?

jlazzaro,

For my needs the past 24hours would suffice. So scruntinizer would be fine. Is this what you refer to ? ,
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php

The scruntinizer video is interesting. It mentions other technologies like - sFlow, IPFIX or Netstream. Would these do flow analysis on internal networks as well?

-chronodekar