2

A customer has a rack with some 1U servers and a Dell™ PowerConnect™ 2716 switch in the ISP's server room. One port is the uplink to the ISP. Some servers run ESX5, while one 1U server is a plain Windows 2008 R2 box with 2 NICs.

The switch allows me to use a web-based interface, but there are no MRTG-style graphs available to monitor bandwidth (ab)usage.

There have been 2 occasions where the whole 100 Mbps that we have been given by the ISP is fully under load, and we have only our gut feeling to determine if the slowness is caused by the server or the network. So far we have been solving problems with this gut feeling, but before we rush to the shop to buy expensive Cisco gear, I'd like to know if I could take advantage of the switch's port mirror feature and mirror the uplink port to a port in the switch, from which I could pull a cable to the secondary NIC on the physical plain Windows box and do some network traffic analysis on that plain box (by using promiscuous mode and some software to make statistics).

What would be the software that I could use on the box in order to easily see: 1) How big the total network load is on the uplink port. 2) How it is distributed among IPs/MACs

Khaled
Henno

2 Answers

1

Have you considered putting in a decent switch / router and then using that? Quite obviously you have an unmanaged infrastructure - unless the switch allows SNMP, then your best bet would be to replace it with something like a nice Mikrotik CCR and use that to do things like measure bandwidth, connectivity, do firewalling, QoS etc.

Been in the same boat, and at the end, if you want to control your edge (network wise), put in a device that can do that.

TomTom
  • Could you refer to some screenshots etc. of Mikrotik achieving the goals I set in the question? Why the port mirror and analysis of that mirrored port attracts me is that I am not constrained to the SNMP limits (i.e. I can even ngrep the mirrored port and sniff the traffic in real time). – Henno Feb 17 '13 at 15:13
  • Check the documentation. You can have traffic analysis from the connection tracking of the firewall. You have netflow analysis available. The CCR can route all its ports at 1gbit, with firewall. There should be no need at all to mirror a port - that in itself is mostly a failure to find the items at a higher level. http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Connection_tracking can show you where the bandwidth is used. – TomTom Feb 17 '13 at 15:19
0

To answer your question directly, capture with Wireshark, show relevant columns such as the packet size, export as .csv, open up in a spreadsheet, and perform some maths on the spreadsheet. Retrieving the average network load will be as easy as adding up all the packet sizes and dividing by the duration of the packet capture. You could sort on the IP/MAC address columns to get a good feel for which addresses are used the most and use some functions that are provided by your spreadsheet program (such as count()) to get a more detailed overview. You could even draw graphs if need be.

wookie919
  • This was my plan B. I was hoping to get some software that would be more suitable for my goals (real time mrtg style graphs). – Henno Feb 20 '13 at 08:25
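The spreadsheet arithmetic from the answer above, scripted as an added example (not part of the original answer or its comments). It assumes Wireshark's default CSV export columns and a Time column in seconds since the start of the capture; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of Wireshark's default CSV export
# (assumed columns: No., Time, Source, Destination, Protocol, Length, Info).
# Addresses come from the documentation ranges; 192.0.2.x plays the rack.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.0.2.10","198.51.100.7","TCP","1514","80 > 51000 [ACK]"
"2","0.500000","192.0.2.10","198.51.100.7","TCP","1514","80 > 51000 [ACK]"
"3","1.000000","198.51.100.7","192.0.2.10","TCP","66","51000 > 80 [ACK]"
"4","1.500000","192.0.2.20","203.0.113.5","UDP","906","Source port: 53"
"5","2.000000","192.0.2.10","198.51.100.7","TCP","1000","80 > 51000 [PSH, ACK]"
'''

def summarize(csv_file, top=10):
    """Return (average Mbit/s, top senders, top receivers) for one capture."""
    sent, received = Counter(), Counter()
    total_bytes = 0
    first = last = None
    for row in csv.DictReader(csv_file):
        try:
            t, length = float(row["Time"]), int(row["Length"])
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated rows or a non-numeric Time format
        first = t if first is None else min(first, t)
        last = t if last is None else max(last, t)
        total_bytes += length
        # On a mirrored uplink both directions are seen, so track each side.
        sent[row["Source"]] += length
        received[row["Destination"]] += length
    duration = (last - first) if first is not None else 0.0
    # Zero or one packet gives no measurable duration: report 0, do not divide.
    mbps = total_bytes * 8 / duration / 1e6 if duration > 0 else 0.0
    return mbps, sent.most_common(top), received.most_common(top)

if __name__ == "__main__":
    mbps, senders, receivers = summarize(io.StringIO(SAMPLE_CSV))
    print(f"average load: {mbps:.3f} Mbit/s")
    for label, table in (("sent by", senders), ("received by", receivers)):
        for addr, nbytes in table:
            print(f"{label:12} {addr:16} {nbytes:>8} bytes")
```

For a real export, pass an open file instead of the sample, for example `summarize(open("uplink.csv", newline=""))`, where `uplink.csv` is a placeholder name. Non-IP frames appear under whatever Wireshark put in the Source and Destination columns, typically MAC addresses.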