[kwlug-disc] Monitoring network spikes (redux?)

L.D. Paniak ldpaniak at fourpisolutions.com
Sat Sep 22 12:44:20 EDT 2012

On pfsense and Linux gateways, I've had some luck with bandwidthd.  It
gives a web interface that shows in/out data usage over
day/week/month/year per IP address for each of TCP, HTTP, UDP (e.g.
VoIP, Skype)...  It works best if your address pool is relatively
static.  What it does not do is give information on the remote
source/destination of packets.  I found this is not too much of a
shortcoming as you can use other tools already mentioned to get this
info once you know the IP address of the potential scofflaw.

pfTop is good for showing numbers of connections which is an easy way to
spot potential torrent users.

On routers, I recommend the Gargoyle front-end for OpenWRT:


It allows for traffic monitoring, throttling and quotas with a pleasant
and easy to use web interface.

On 09/21/2012 01:51 PM, Paul Nijjar wrote:
> So our network is going crazy with traffic and I don't know why. 
> I am looking for some (preferably FLOSS) tool that will be able to
> offer some clues. Overall, I want to answer the question "why is the
> network getting clogged up and what can I do to fix it?"
> Ideally I would be able to get pie charts or bar charts for
> things like:
> - The IP addresses that are using the most traffic (both source and
>   destination)
> - Ideally, some indication of what that traffic is (but it all goes
>   over port 80, so determining the specific traffic is probably deep
>   packet inspection stuff)
> - I do not mind logging stuff so I can see how the traffic is changing
>   over time, but snapshot information is important too
> I have some tools that I currently use: 
> - Cacti can show me which interfaces are going crazy, but can't tell
>   me specific IPs and cannot tell me much detail about what the
>   traffic is
> - pfSense has a "pfTop" tool that shows me some information about the
>   hoggiest users, but I don't know how to make it tally numbers
> - Wireshark can tell me what is going to a particular machine, but it
>   does not help if a lot of machines are DDOSing my network with small
>   requests
> - There is a proprietary Windows tool called "TCPView" which can show 
>   some information about a single machine (including a bit of process
>   information) but has the same kind of limitations as Wireshark
> I tried installing ntop on my pfSense box but that did not work too
> well. Is ntop the software I am looking for? Something else?
> - Paul
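
Added example, not part of the original message or of any tool named in it: one way to tally connection counts per LAN address, the signal the reply reads off pfTop and the tally the original question asks for. The state-line layout, the 192.168.1.0/24 LAN prefix, the function names and the peer threshold are all assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. The "iface proto src:port -> dst:port state" layout is an
# assumption about what a pf state listing looks like; adjust to your output.
SAMPLE_STATES = """\
all tcp 192.168.1.23:51514 -> 203.0.113.7:6881 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.23:51515 -> 203.0.113.8:51413 ESTABLISHED:ESTABLISHED
all udp 192.168.1.23:6881 -> 198.51.100.9:6881 MULTIPLE:MULTIPLE
all udp 192.168.1.23:6881 -> 198.51.100.10:40112 MULTIPLE:MULTIPLE
all tcp 192.168.1.23:51520 -> 203.0.113.44:6889 SYN_SENT:CLOSED
all tcp 198.51.100.77:39012 -> 192.168.1.23:6881 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:40100 -> 203.0.113.80:80 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:40101 -> 203.0.113.80:80 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:40102 -> 203.0.113.81:443 FIN_WAIT_2:FIN_WAIT_2
this line is not a state entry
"""

def _addr(token):
    """Parse 'a.b.c.d:port' into an address, or None if it is not one."""
    try:
        return ipaddress.ip_address(token.rsplit(":", 1)[0])
    except ValueError:
        return None

def tally_states(text, lan="192.168.1.0/24"):
    """Return {lan_ip: (state_count, distinct_remote_peers)}."""
    net = ipaddress.ip_network(lan)
    count, peers = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[3] not in ("->", "<-"):
            continue
        a, b = _addr(f[2]), _addr(f[4])
        if a is None or b is None or (a in net) == (b in net):
            continue  # unparsable, LAN-to-LAN, or no LAN endpoint
        local, remote = (a, b) if a in net else (b, a)
        count[str(local)] += 1
        peers[str(local)].add(str(remote))
    return {ip: (count[ip], len(peers[ip])) for ip in count}

def busiest(tally, min_peers=5):
    """LAN hosts talking to at least min_peers distinct remote addresses."""
    hits = [ip for ip, (_, n) in tally.items() if n >= min_peers]
    return sorted(hits, key=lambda ip: -tally[ip][1])

if __name__ == "__main__":
    t = tally_states(SAMPLE_STATES)
    for ip, (n, p) in sorted(t.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:15} states={n:3} peers={p:3}")
    print("many peers:", busiest(t))
```

Counting distinct remote peers separately from raw states keeps a host with many connections to one or two web servers from being flagged alongside a host connected to many unrelated addresses.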
