Network Traffic View Download


Kimbery Foxe

Jul 22, 2024, 2:06:07 PM
to grifmordmudfback

NetworkTrafficView is a network monitoring tool that captures the packets that pass through your network adapter and displays general statistics about your network traffic. The packet statistics are grouped by Ethernet Type, IP Protocol, Source/Destination Addresses, and Source/Destination Ports. For every statistics line, the following information is displayed: Ethernet Type (IPv4, IPv6, ARP), IP Protocol (TCP, UDP, ICMP), Source Address, Destination Address, Source Port, Destination Port, Service Name (http, ftp, and so on), Packets Count, Total Packets Size, Total Data Size, Data Speed, Maximum Data Speed, Average Packet Size, First/Last Packet Time, Duration, and Process ID/Name (for TCP connections).




Many organizations collect, store, and analyze network flow logs. They use this information to troubleshoot connectivity and security issues, and to make sure that network access rules are working as expected.

Up until now, AWS customers collected this data by installing agents on their Amazon Elastic Compute Cloud (Amazon EC2) instances. Doing so imposed some overhead on each instance, and also provided a view that was limited to network flows that were visible to the instance.

New VPC Flow Logs
In order to provide better support for this important aspect of network monitoring, we are introducing Flow Logs for the Amazon Virtual Private Cloud (Amazon VPC). Once enabled for a particular VPC, VPC subnet, or Elastic Network Interface (ENI), relevant network traffic will be logged to CloudWatch Logs for storage and analysis by your own applications or third-party tools.

The information captured includes information about allowed and denied traffic (based on security group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time interval during which the flow was observed, and an action (ACCEPT or REJECT).

Problem: The last few days my internet speed from a wifi device (laptop or phone) is under 50 while the speed from anything wired or the speedtest in the router is at 250+. I've read through the forums and I couldn't find any tools from Netgear that monitor traffic by device but plenty of threads about the absence of such a tool. Turning off devices one-by-one is not acceptable as it might be more than one device, culprit might change over time and .... and who does that anymore :).

When you have users reporting 'network issues', the problem could relate to a multitude of issues (routing, switching, host configuration, unicast, multicast, security policy, hardware failure). It's very unlikely that you'll find one piece of software to monitor all your different potential problems.

These kinds of simple diagnostics can often point you very quickly in the right direction. Finally, if you can, always get a source IP, a destination IP, and a destination port. Try and educate your users; ambiguous complaints like 'the network is slow' can't be easily diagnosed.

I'm working at an organization that has a small to medium sized network (500 users) and about a dozen /24 subnets (and a handful of smaller ones behind NAT). We use a variety of monitoring software that allows us to keep tabs on remote parts of the network and respond to problems proactively.

Check out the products from VSS Monitoring. They have several different in-line fail safe products for monitoring network traffic remotely. Once you have them peered into your network(s) and on the backbone, it is as good as being there.

If you have a router capable of reporting netflows, look into a netflow handler. Where MRTG will provide link utilization, netflows report IP and protocol usage flowing through the router. So, instead of "Suzy in accounting is using a lot of traffic" or "The port the WAP is on has high utilization", you could see "Suzy in accounting is 10% LAN traffic, 40% streaming media, and 50% internet HTTP traffic."

If it's the former, then I would start with the fileserver in question and work backwards. First of all, check the fileserver: is its utilization out of the ordinary? Check the interface that user traffic flows over. Is it pegged? Is auto negotiation enabled? Is it enabled on both ends ...

Alternatively, if it's a problem with a remote site, after debugging your network and the user's workstation, try tools like mtr to detect packet loss between you and the remote site. If the problem is not local to your network then your options are probably limited to logging a case with your provider, or waiting till the remote site gets over whatever tizzy it's having.

A subject that I get asked about a lot is how to monitor and measure network traffic. There are many different ways to look at network traffic and link performance and several different schools of thought on which measures hold the most value.

In discussing this subject, let's first limit the conversation to WAN link analysis, which is usually where people start to see issues with bandwidth utilization and latency. This isn't to say that you can't see these issues on the LAN - just the other day I was talking to an engineer that is daily fighting these issues on his LAN, where the amount of data, voice, and video traffic is overwhelming even 10 Gbps links in some cases. Nevertheless, much more commonly the issue is on the WAN, so let's talk about that first.

The first thing to understand about WAN links is that they're pretty much all full duplex. This basically means that they can both send and receive traffic simultaneously. You might compare a full duplex link to a typical highway bridge and then contrast that with a half duplex link which is more like one of those old time wooden bridges that is only wide enough for one car. This is important because you now have to analyze the traffic in each direction, almost as if they were two separate links. I do see a few cases where you may need to understand the aggregate in/out traffic on a link, but those cases are usually limited to situations where you either a) are getting billed for the total amount of traffic in/out of a location by your service provider or b) you're concerned about the total amount of traffic going through a device. "b" is only typically a concern if you're sending an extremely high amount of some very specific traffic types and you'll probably be working directly with your hardware vendor if you suspect that this is the issue.

So, let's assume that we're analyzing the network traffic in each direction separately. Next, you need to understand that each network interface is unique - meaning that you have to evaluate each hop separately along the traffic path. Case in point - we get asked sometimes for "network wide" bandwidth utilization reports or for reports that aggregate these statistics for all of the links along a specific path. As an engineer, I can't think of a case where I've actually used this data other than to satisfy the curiosity of some executive that didn't really understand network traffic anyway and was basically trying to figure out if they were spending too much on bandwidth or not. So in a nutshell, you need to analyze each LAN link or network interface separately and you need to analyze the traffic going in each direction separately. Effectively, for every link between two devices you now have 4 different places to look for issues. Trust me, it's much more complicated to try to troubleshoot an application performance issue over the network without this knowledge - even though at first it may seem complicated.

The next thing that's really important as it relates to analyzing network traffic and performance is understanding the difference between bandwidth and latency. To go back to our highway example, imagine that the bandwidth is the number of lanes that you have going in each direction. If you have the same number of lanes going to and from the destination then you could say that your bandwidth is symmetrical. However, many times, for instance if you have a broadband connection at home, there will be only, say, 2 lanes heading away from your house and 10 lanes heading towards it. In this case you would consider the link to be asymmetrical.

Anyhow, that's a very quick summary of some things that you need to know in order to get started with understanding how to measure your network traffic. I'll stop here, otherwise nobody will read this far. If you're interested in hearing more on this subject or if you're interested in understanding how to more deeply analyze a specific type of network traffic or network topology, please let me know.

Now to Pay the Bills...
For those of you that have Orion, you'll see that when you look at the Interface Details page for a managed interface you see not only the average bandwidth utilization in each direction (receive and transmit) but you'll also see high and low water markers. This is really important, because you need to understand how often and for how long your network traffic spikes to the maximum allowable level. Additionally, if you have the VoIP module, you can view latency as it is measured from the remote router to the device on the other end of its WAN connections. This is pretty cool, especially if you put it on the same page with the other interface details and statistics and can really make it quick and easy to diagnose network performance issues. If you don't have Orion, you can still check it out on our online demo server at:

I would like to know if it is possible to remotely monitor the incoming and outgoing network traffic of a specific IP from my network. I need to log the time, IP numbers and port that contact the computer, as well as the answers.

Big Man in the Middle (Between your target and the servers to which he's connecting): Attempt to gain access to the network device used by your target. For example, find some vulnerabilities or default passwords in the routers or gateways your target uses.

Man in the Middle (Between your target and his local network gateway): Attempt to trick your target into sending his traffic through you. By far, the easiest way to achieve this is through ARP Spoofing. An easy-to-use tool is Cain and Abel.
