SNMP Monitoring

[Stu McGregor]

Hi all

I've been looking around to find some network monitoring tools, especially around internet traffic (a few of my schools have sprung some leaks and I want to trace where it's coming from). So far NTOP and Cacti are the only ones i've tried with only minimal success. Just wondering what tools you use to monitor your network? Is there a decent open source solution out there or do we need to shell out some bucks to do the job properly?

Thanks in advance :)

Stu

[bevan.mc...@southlandgirls.school.nz]

Hewlett Packard's SIM (Systems Insight Manager) or Zenoss are 2 I have used. SIM is easy to use whereas Zenoss is very powerful.
In your case Zenoss may be an easier bet as SIM is more limited around device monitoring.

Bevan McNaughton.
Sent using my BlackBerry® smartphone powered by Telecom New Zealand

[trevor storr]

Hi there,

when you say monitor, what exactly do you mean?  If you want to monitor traffic that passes through a proxy then tools such as tcpdump http://www.tcpdump.org/tcpdump_man.html  and/or wireshark http://www.wireshark.org/ will let you see packets as they leave.

If you are on the outside looking in, then that's entirely different.

cheers

Trevor

--
cheers

Trevor

Trevor Storr
Director of eLearning, Aorakinet http://aorakinet.school.nz
Waimate High School
Waimate
New Zealand

[trevor storr]

Thinking about this a bit more, I remember setting up a switch with port reflection so that packets to the internet were also mirrored to a box running wireshark.  (So that the wireshark box gets a copy of all outbound packets).  You'll get masses of data to filter.

Trevor

[Bevan McNaughton]

Also if your switch supports it (especially SNUP core switches) have a nosey at SFLOW. A wonderful protocol for network analysis!

http://www.inmon.com/technology/index.php?gclid=CL-ixqe117ACFUIkpQodYHcG1A

Regards,

Bevan McNaughton.

--
Bevan McNaughton

Intranet Manager

Southland Girls' High School

328 Tweed Street

Invercargill 9812

Phone: +64 3 211 6030

Fax: +64 3 216 9010

[Gerard MacManus]

I put this out a bit further to someone in industry

we use PRTG at work, its a paid solution, but provides SNMP, Netflow (v5, v9) and also WMI and a few others for monitoring, runs under windows, and
allow you to set up remote probes as well.
We have 2 countries, over 50 sites, over 1000 systems and 6000 sensors on
this system, as a paid solution it is one of the cheaper ones and they are
very open on licensing cost.
Very simple to use and configure, sample at https://prtg.paessler.com
http://www.paessler.com

Also look into zabbix, its an open source monitoring system, but can have a bit more configuration. but includes windows and linux agents to run. we used to use it, but as with a number of open source systems can be a pain to manage.

other paid solutions, look into solarwinds orion, expensive, but includes IPAM and asset management.

Gerard MacManus

St Bedes College

[Ian MacPherson]

If you have mainly allied telesis switches an email to pa...@alliedtelesis.net.nz may give you a pleasant surprise!

Cheers,
Ian

[Bevan McNaughton]

If it's a licence for NMS or EMS please let me know! :)

With the SNUP based Allied Telesis (CAT/CAP) course we covered SFlow (as mentioned earlier) and it may be what is offered. From the core we can see all high density traffic going through the switch, you can also delegate monitoring to one port (such as your router) to see what are the highest requests and who is the thirstiest client in the school too!

We mainly use it for servers to see what is going during high resource drain periods. The screenshots below (redacted) are only a slice of the timeline but you can easily enough leave it running and get trends from it.

sFlowTrend is free but there is the Pro version which is expensive.

Bevan

[iService - Stephen]

We've been using MRTG for getting network traffic graph's off the switches.  It works quite well for identifying where on the network large amounts of traffic are coming from but doesn't help much if it's coming off a wireless network.  Depending on your Wireless system you may be able to add graph's for the AP's as well.

Cheers

[Craig Harrison]

Hi Stu,

 

When you say “a few of my schools have sprung some leaks and I want to trace where it's coming from” I assume this means that some of the users have found a way around the firewall/proxy and you want to find out who they are and how they are doing this and block them again?

 

Can you give us any more details on what they are doing?  If it is Skype traffic you are having problems with then it has some unique challenges.

Kind regards,

 

Craig.

 

Craig Harrison
Information Systems Manager
Helpdesk: +64 9 520 9230
Direct: +64 9 520 9238
Phone: +64 9 520 9224 ext.7868
Mobile: +64 21 222 4107
char...@diocesan.school.nz

 
P Please consider the environment before printing this email. CAUTION: The information contained in this email is confidential and may be legally privileged. If the reader of this message is not the intended recipient you are hereby notified that any use, dissemination, distribution, or reproduction of this message is prohibited. Thank you.

[Bevan McNaughton]

With Skype and the likes of BitTorrent it comes down to using a firewall/router appliance that can track application level data by packet rather than I.P and/or port.

If you are using a Juniper router there is already the features in this to do it.

It's amazing to see how many blocked attempts/application type traffic actually goes through the network on a daily basis from staff and students - even to the fact that we seem to have some TELA laptops here with spyware on them (stuff antivirus doesn't usually pick up).

Bevan

[Craig Harrison]

Hi Bevan,

 

The reason I flag Skype in particular is that it can use https secure traffic on port 443 to bypass firewalls.  Hence if you allow https traffic for your users then Skype may get out, and as this is encrypted traffic a firewall is often unable to look at the application level data to identify that it is Skype rather than say internet banking.  Checking the destination IP will also be unsuccessful as this will be the IP of the remote client and hence on no lists.  There are techniques that can be used to try and address this and probably your Juniper can break open the https stream if it has enough grunt for the processing required to do this in real time, but they each have their challenges with varying degrees of success.

 

Hence if Skype is Stu’s issue then he has a bigger problem than if it is just something like students using a proxy bypass site to get to Facebook when he thought it was blocked.

 

Kind regards,

 

Craig.

[Bevan McNaughton]

Indeed, slightly side topic in regards to Skype but it is more difficult to restrict BYOD but for computers in the school it is possible to restrict them with a Group Policy.

(http://www.skype.com/security/Skype-v1.7.adm)

Bevan

[paul.ba...@alliedtelesis.net.nz]

Hi there : we are supplying a FREE Network Monitoring Service to ALL SNUP schools.

This is based on PRTG and is a passive service... ie we do not actively monitor it but schools can view anytime on the web.

We have done this to assist us and the school and IT contractor when called upon for support. 

It includes the network diagram, ping sensors for switches, routers, wireless, servers etc 

Please contact us for more details.....e-mail: sn...@alliedtelesis.net.nz

Geoff Scrimgeour at Collingwood School has it up and running as well as Tawa College and many others.

Cheers

Paul

On Tuesday, 19 June 2012 11:12:20 UTC+12, Bevan McNaughton wrote:

Indeed, slightly side topic in regards to Skype but it is more difficult to restrict BYOD but for computers in the school it is possible to restrict them with a Group Policy.

(http://www.skype.com/security/Skype-v1.7.adm)

Bevan

On 19 June 2012 11:02, Craig Harrison <char...@diocesan.school.nz> wrote:

Hi Bevan,

 

The reason I flag Skype in particular is that it can use https secure traffic on port 443 to bypass firewalls.  Hence if you allow https traffic for your users then Skype may get out, and as this is encrypted traffic a firewall is often unable to look at the application level data to identify that it is Skype rather than say internet banking.  Checking the destination IP will also be unsuccessful as this will be the IP of the remote client and hence on no lists.  There are techniques that can be used to try and address this and probably your Juniper can break open the https stream if it has enough grunt for the processing required to do this in real time, but they each have their challenges with varying degrees of success.

 

Hence if Skype is Stu’s issue then he has a bigger problem than if it is just something like students using a proxy bypass site to get to Facebook when he thought it was blocked.

 

Kind regards,

 

Craig.

 

From: techies-for-schools@googlegroups.com [mailto:techies-for-schools@googlegroups.com] On Behalf Of Bevan McNaughton
Sent: Tuesday, 19 June 2012 10:32 a.m.

To: techies-for-schools@googlegroups.com

[craig.knights]

sFlow doesn't seem to be supported by either our AT-8000GS/48 or our core AT-9924Ts running Alliedware 3.2.1-05

Did you have to upgrade the switch software?

I've emailed snup@alliedtelesis to find out about the courses and the network software, but no reply yet..

ta,

Craig Knights

John McGlashan College

Dunedin

[Bevan McNaughton]

No, sFlow only works with the AlliedWare+ Layer 3 series switches such as SNUP core switches, x908, x900's & the x600/x610's.

It might work with the 9900's with a later revision, however I'm not a familiar with that model. sFlow isn't really designed for Layer 2 series such as the 8000GS series.

Also try e-mailing sup...@alliedtelesis.net.nz in regards to your query.

Regards,
Bevan

[Craig Knights]

thanks, figured as much, the 9924 is our SNUP core switch..  maybe we got that because of our small size....    I've got MRTG running, it's interesting but there's not much traffic to see this week...

ta

Craig