Network Monitoring

[Stuie]

Okay i know there are few network guys and gals out there.

I am looking for some good network monitoring software that can run on a PC or Server that can monitor traffic on my network.

Here's what I know so far

Spiceworks - Doesn't do it.
SolarWinds - Need a Ph.D. just to get their free apps to work.

Any one have any suggestions or thoughts?

[Cp44]

Wireshark

[matias]

[quote name='Cp44' date='03 June 2010 - 05:45 PM' timestamp='1275579915' post='470494']
Wireshark
[/quote]

I'm with Cp44. I use wireshark to monitor traffic going through one or more network adapters on the machine where it is running. I have never tried using it to remotely monitor activity not directly bound to this machine but I understand it is possible:
[url="http://wiki.wireshark.org/CaptureSetup/Ethernet"]http://wiki.wireshar...eSetup/Ethernet[/url]
[url="http://wiki.wireshark.org/CaptureSetup"]http://wiki.wireshark.org/CaptureSetup[/url]
In the scope I have used it (traffic to and from one machine) it is absolutely BRILLIANT.

[url="http://openmaniak.com/wireshark.php"]http://openmaniak.com/wireshark.php[/url]
[url="http://en.wikipedia.org/wiki/Wireshark"]http://en.wikipedia.org/wiki/Wireshark[/url]

[Arcane]

we use wireshark here at work...it's ok...solarwinds is better. if you're dead set against solarwinds, wireshark is acceptable.

[Stuie]

I haven't figured out solarwinds yet and my boss doesn't like so. But I may pick your brain on it Jay some day.

[Cp44]

Do you guys use vulnerability scanners? If so I use Nessus or Snort.

[Arcane]

Retina and GoldDisk

[Stuie]

Looking at wire shark.

Looks like i can setup port mirroring on a switch and the directly monitor the mirrored port. Only allows one port at a time, but it's a start.

I am not sure the capabilites of solar winds Jay, if you have time to explain.

I was hoping that i could find something that would show me... bad analogy... but a birds eye view of all the traffic of the network.

[Stuie]

Here's the skinny.

Have a database program on a server, everyone uses.
Exchange 2007.
Internet connectivity.

All connections drop frequently starting in the last month. Nothing new has changed on the network. Can not locate the bottle neck or rogue device. Any help?

[Arcane]

[quote name='Stuie' date='07 June 2010 - 05:20 AM' timestamp='1275924011' post='470960']
Looking at wire shark.

Looks like i can setup port mirroring on a switch and the directly monitor the mirrored port. Only allows one port at a time, but it's a start.

I am not sure the capabilites of solar winds Jay, if you have time to explain.

I was hoping that i could find something that would show me... bad analogy... but a birds eye view of all the traffic of the network.
[/quote]
Solarwinds can give you the "birds eye view" of your network and then some. The programs you'll want to focus on are the Orion products, mainly Network Performance Monitor and NetFlow Traffic Analyzer. ipMonitor would be useful too. With the two former applications, you should be able to identify the traffic flow, errors/faults, and the type of traffic being sent across the network. If you include ipMonitor, you can see if your apps are actually dropping off.

These are all pay to play though. For the free applications, IP SLA Monitor is good if you run Cisco. Kiwi Syslog Server is good for an overall “picture” in text. Real-time NetFlow Analyzer should help you identify if there’s any bottle necks OR where your traffic dies. I forget if it identifies the type of traffic being transmitted though.

With the Orion suite, you pretty much have everything you need.


If you want to go the simpler (although, a bit more involved) route....you can just do dumps on your switches and/or routers and see where/when the traffic halts. Then you can kind of narrow down the possibilities of what is causing your headache.

[Arcane]

When you say the connections “drop”, is the port on the switch actually shutting down? Are any other services unavailable? Is this limited to one subnet or multiple or the entire LAN/MAN?

[Cp44]

can you log into your router by telnet and run a continuous ping to [url="http://www.yahoo.com"]www.yahoo.com[/url] or google.com? If you see any packets drop it means the line from your building to your provider is bad. If there's no dropped packets then work backwards within your network.

[Arcane]

[quote name='Cp44' date='07 June 2010 - 10:02 AM' timestamp='1275940971' post='470989']
can you log into your router by telnet and run a continuous ping to [url="http://www.yahoo.com"]www.yahoo.com[/url] or google.com? If you see any packets drop it means the line from your building to your provider is bad. If there's no dropped packets then work backwards within your network.
[/quote]
guess it would help to know if the exchange server and database server are internal or external?