Stellarcore.net
Search: Google
Whois
 Links of the Moment: Nekochan  Apple Computers

Bandwidth Monitoring

Measuring network load is an important ability for most IT departments. Getting an accurate measurement can be tricky. The three most common approaches to bandwidth measurement are:

1) SNMP data from the routers as represented by tools such as MRTG
2) Packet capture and aggregation via tools such as Ntop
3) Netflows data (Cisco) as represented by tools such as Flowscan

I'm only detailing three tools in this analysis - many more exist. They do all fall into one of the three methods described, so this should provide a broad overview of the various approaches.

MRTG

Overview: The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. It collects its data via SNMP traps configured on the router (network-link). SNMP allows for the monitoring of various types of data such as Fan Speed, Machine Temperature, User Logins, Network Load, and much more. This makes MRTG very flexible and allows one installation to monitor multiple "sensors" and produce data (HTML graphs) of any type of SNMP data you can collect.

Home: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Examples:
http://www.stat.ee.ethz.ch/mrtg/
http://www.menet.umn.edu/stats/mrtg-2.5.2/web/user-count.html

Disadvantage: MRTG's only weakness for bandwidth monitoring is its inability to aggregate traffic types by protocol. So although you can see that 5.3MB/sec is passing through a router, you cannot tell what the traffic is composed off.

Ntop

Overview: Ntop is a network traffic probe that shows the network usage. Ntop is based on libpcap and the ability to capture packets and aggregate data. This allows Ntop to overcome the main weakness of MRTG, because Ntop can break down traffic totals via Protocols, or IP, or any number of ways.

Home: http://www.ntop.org/ntop.html

Disadvantage: Ntop probes have to be placed on a hub or switch where the traffic you want to watch is flowing. Ntop has limited ability to split out data on subnets, which leads to the problem of having to place multiple probes around a network to be able to "at a glance" visualize network traffic. Ntop does provide filters (tcpdump style) but each filter you add creates more overhead for the probe, and on a fast network that can be a problem. Thus the biggest challenge with Ntop on a large network is probe placement.

Netflows (FlowScan)

Overview: Netflows is a feature of Cisco IOS that allows the exporting of routing data to a collector. Cisco, of course, provides a total solution built around this, but since we're interested in free solutions, I'll skip over that and go directly to FlowScan. FlowScan analyzes and reports on Internet Protocol (IP) flow data exported by routers. It's very much like MRTG except that, instead of SNMP, it is collecting Netflows which contain more detailed packet information, and thus allows protocol breakdown.

Home: http://www.caida.org/tools/utilities/flowscan/

Disadvantage: Since Netflows are a feature of Cisco IOS (version 12), you have to be using Cisco products to take advantage of this. I also would be concerned about the overhead this feature adds to an already busy router.

  Business Information
Mike Tremaine's GPG Key
Mike Tremaine's Resume

  Security Links
Bastille - Linux Hardening
IPTables - Linux Kernel Firewalling
Nessus - Vulnerability Scanner
Nmap - Network Scanner
Ntop - Network Traffic Probe
Sans/FBI Top 20 Exploit List
Snort - Packet Sniffer

  Open Source Projects
Endian Firewall
Logwatch
Pix Firewall Reports

  Local Tools
San Diego Traffic (Major)
San Diego Traffic (Minor)
San Diego 4-day Tide Report