I need to know which machine is taking all the network bandwith.
It's there a tool I can use to monitor my local network and know which machine is taking all the LAN bandwith?
What do you think about Zenmap ?
I need to know which machine is taking all the network bandwith.
It's there a tool I can use to monitor my local network and know which machine is taking all the LAN bandwith?
What do you think about Zenmap ?
What about the old email to staff@?
"I just bought a monitoring tool that will tell me who's using up the bandwidth. Here's a link to the paragraph in the employee handbook that explains the policy on internet use. I will be installing it tomorrow. You've been warned. Thanks."
Might work, and if not, you've got some suggestions from the nice people here for actually following through on the threat.
We use MRTG (free) http://oss.oetiker.ch/mrtg/ to monitor traffic on our routers and switches. This will only work if you are using managed switches that support SNMP.
If you find switching to a Hubbed network temporarily unacceptable or find the other approaches too time consuming, You can use the tried and true tactic of ARP poisoning and sniffing their traffic (The caveat with this approach is that you WILL bottleneck your connection with your NIC/Cabling speed and will dramatically slow down, perhaps DOS a large network. The second caveat is that your local IDS will complain, profusely.)
If you're with Cisco, You can SSH in and do show interface, provided you suspect that you're in the switch whose access ports are connnected to the culprit.
If you're with Juniper, I believe the command show interfaces detail is applicable in the above scenario.
You are probably on a switched network. The practical way you can sniff/capture all the traffic is to set up a mirror port on that switch. You then can put a computer into that mirror port running wireshark to capture all the traffic.
Yup, you can do it a few ways. You can measure it directly off either the internal or external port of your router that gets your LAN to the internet. Then, your router has to support something like NetFlow or similar technologies, and you also need a computer running software to capture that.
You could also install a proxy server (in a number of ways) that supports the sort of report you're looking for.
There are several. For proper analysis you'll want a tool that interfaces with your networking equipment, such as NetFlow Analyzer:
If your router supports netflow then it likely supports a top-talker capability which will give you the top bandwidth hogs at the command line if you don't need graphs and fancy reports. Also if you don't have access to the router but you do have access to the LAN switches you could mirror the port leading to the router or an entire vlan and analyze the traffic with a packet sniffer like Wireshark
As Kyle said, you're probably on a switched network (almost everyone does nowadays); a sniffer will not help you here, because a computer connected to a switch port can only see traffic to/from itself and broadcasts.
If your switch supports it, set up a monitor port and connect a sniffer to that (WireShark is truly great for this); if it doesn't, you'll have to find some other way...
If what bothers you is Internet bandwidth, you can put a small hub (not a switch, a true hub) between your router and your main switch, and connect a sniffer there; it will be able to sniff all traffic flowing through the hub's ports.
Similar to what Massimo suggests, I have a small hub between our firewall and the "main" internal switch. I have a linux VM running ntop also plugged into that hub and this allows me to monitor all inbound/outbound traffic easily.
If necessary I can move the hub around to monitor various segments, but I've found most "omg the network is slow" issues are directly traced to someone moving large amounts of data to or from the internet.
I use Smoothwall for our firewall and it has what you need built in. i.e. There's a display page that shows the bandwidth being used by IP address. It appears to refresh about every second, which is near enough real time for my purposes. Cross reference the IP address with the proxy logs and you can get a pretty good idea of what they're up to as well.