
We have an international line between two sites with limited bandwidth. I want to monitor bandwidth usage between the two sites, and understand which type of traffic consumes the most.

Ideally I would like to have a "per-second" breakdown of the amount of data arriving at the "end" site per TCP & UDP port - this way I could see which of our applications is using the most. I don't really need a nice graph, a simple text file would be enough.

I have access to the Cisco 2960 connected to the link's router (but not to the router itself), managing to extract data from the switch would be ideal as it's the single point of entry.

Another option would be to do the same thing on each of the Linux servers that is sending data through the link.

I haven't managed to find a tool that would help me with that - there are plenty of things around (netstat, iftop), but they don't seem to be able to spit out a "per port" split every second...

Can anybody think of a (lightweight) specific tool & method to achieve this ?

Edit: I already use MRTG to get a rough idea of the amount of traffic on the link, but it's not precise enough. It's probing the link every 5 minutes (not every second), and it's not making any distinction between TCP/UDP ports.

Bastien
  • I clearly misunderstood your question, please do add to it you are already using MRTG. I posted a more appropriate answer. – Rui F Ribeiro Feb 26 '16 at 09:22

1 Answer


I do not know of any lightweight method to do so. There are nfsen or cflowd, but I do not consider them "lightweight", and the equipment/IOS version has to support NetFlow.

I capture netflows both in our border router and in our internal firewall, and use them mainly to "go back in time" to debug security events. Back when I worked in an ISP environment, I used netflows to compute customer bandwidth usage.

The alternative is sniffing a monitoring port, which is more CPU-intensive for the server involved and not advised for (very) high-speed links. You can use ntop for that. Whilst ntop gives you a very interesting run-down of traffic, it won't give you as fine a level of detail as drinking from NetFlow information, at least without plug-ins.

You also have software for Linux to generate NetFlows from traffic sniffing (kernel modules?), however I am not familiar with them. Once again, they are much more CPU-intensive than using NetFlow.

The easier path would be asking the Cisco 2960 admins to configure a NetFlow feed to a local IP address/server of your own.

P.S. There are also very interesting commercial products for NetFlow collecting, including from Cisco; they are often costly.

Rui F Ribeiro
  • My Cisco switch doesn't support NetFlow. I think I'll take the SPAN port route, mirror all traffic received on my WAN link to a "monitor" server, then analyze this traffic directly on a Linux box. Still need to figure out which tools to use for that - I will start playing with Wireshark, but no idea if it will be enough. – Bastien Mar 03 '16 at 01:00
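As an added example (not part of the original question, the answer, or any of the tools they name), here is one way to get the "per-second, per-port" text breakdown once the SPAN route from the last comment is in place: pipe the text output of `tcpdump -nn -tt -q` on the mirror interface into a short Python script that buckets bytes by second and by (protocol, destination port). The sample lines below are constructed to mimic that tcpdump output format; the mirror interface `eth1` and the "end" site prefix `10.1.1.0/24` are placeholders, and the regular expression is tuned to the `-q` line format as shown, so it will need adjusting for other tcpdump options (for example `-e` or IPv6).

```python
"""Per-second, per-destination-port byte totals from tcpdump text output.

Intended use on the monitor box attached to the SPAN port (assumption: eth1
is the mirror interface and 10.1.1.0/24 is the site receiving the traffic):

    tcpdump -i eth1 -nn -tt -q -l | python3 portbw.py 10.1.1.0/24

One output line per second lists the busiest destination ports in it.
Caveat: the byte count tcpdump prints in -q mode is the TCP/UDP payload
length, not the on-the-wire frame size, so IP/TCP/UDP headers are excluded.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Matches lines of the form (constructed to mimic `tcpdump -nn -tt -q`):
#   1456444800.101 IP 172.16.5.20.44321 > 10.1.1.10.443: tcp 1448
#   1456444800.310 IP 172.16.5.21.5060 > 10.1.1.11.5060: UDP, length 172
# This format is an assumption; adjust the regex if your tcpdump differs.
LINE_RE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)?\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>tcp|UDP),?\s+(?:length\s+)?(?P<length>\d+)"
)

# Constructed sample capture: two seconds of mixed HTTPS, SIP and SSH traffic,
# plus one packet travelling in the other direction (site -> remote).
SAMPLE = """\
1456444800.101 IP 172.16.5.20.44321 > 10.1.1.10.443: tcp 1448
1456444800.204 IP 172.16.5.20.44321 > 10.1.1.10.443: tcp 1448
1456444800.310 IP 172.16.5.21.5060 > 10.1.1.11.5060: UDP, length 172
1456444800.502 IP 10.1.1.10.443 > 172.16.5.20.44321: tcp 0
1456444801.015 IP 172.16.5.22.61000 > 10.1.1.12.22: tcp 512
1456444801.420 IP 172.16.5.21.5060 > 10.1.1.11.5060: UDP, length 172
1456444801.777 IP 172.16.5.20.44322 > 10.1.1.10.443: tcp 1448
"""


def parse_line(line, local_net=None):
    """Return (second, proto, dst_port, nbytes) for one tcpdump line, or None.

    If local_net (an ipaddress network) is given, only packets whose
    destination lies inside it are counted, so traffic leaving the site
    over the same link is ignored and the totals reflect inbound usage.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    if local_net is not None and ipaddress.ip_address(m["dst"]) not in local_net:
        return None
    return (int(m["ts"]), m["proto"].lower(), int(m["dport"]), int(m["length"]))


def aggregate(lines, local_cidr=None):
    """Sum bytes per whole second, keyed by (proto, dst_port)."""
    local_net = ipaddress.ip_network(local_cidr) if local_cidr else None
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line, local_net)
        if rec is None:
            continue
        second, proto, dport, nbytes = rec
        totals[second][(proto, dport)] += nbytes
    return totals


def report(totals, top=5):
    """Render one text line per second with the top N (proto, port) consumers."""
    out = []
    for second in sorted(totals):
        ranked = sorted(totals[second].items(), key=lambda kv: kv[1], reverse=True)[:top]
        cells = " ".join(f"{proto}/{port}={nbytes}B" for (proto, port), nbytes in ranked)
        out.append(f"{second} {cells}")
    return out


def main(argv):
    """Stream stdin, emitting each second's summary as soon as the second changes."""
    local_cidr = argv[1] if len(argv) > 1 else None
    local_net = ipaddress.ip_network(local_cidr) if local_cidr else None
    current, bucket = None, defaultdict(int)
    for line in sys.stdin:
        rec = parse_line(line, local_net)
        if rec is None:
            continue
        second, proto, dport, nbytes = rec
        if current is not None and second != current:
            print(report({current: bucket})[0], flush=True)
            bucket = defaultdict(int)
        current = second
        bucket[(proto, dport)] += nbytes
    if current is not None:
        print(report({current: bucket})[0], flush=True)


if __name__ == "__main__":
    main(sys.argv)
```

Redirecting stdout to a file gives the plain text record the question asks for. Because the SPAN port carries both directions, the destination-prefix filter is what makes the numbers mean "data arriving at the end site"; run a second instance with the remote prefix if outbound usage is also of interest.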