GWTW Forum

Topic: Network monitoring software ?
RobB
« on: April 04, 2011, 06:23 PM »

Hey...
I have an environment that has some sort of piece of cr@p running around on the network. It's a ~200 user environment, and maybe 1/4 of the machines on the network have current & working anti-virus/anti-spyware. That is someone else's job that can't come up with the $$$ in her budget to get taken care of.   Roll Eyes
Anyway, I have ~20 managed switches in the network, across ~10 different buildings connected by T1s/fiber/PTP microwave, etc. Needless to say, whatever's running around on the network is bringing it to a crawl. That's where it becomes my problem to pinpoint the source (or sources) of the pollution, so we can get the offending workstations off line.
I was wondering if anyone might have a suggestion as to what the best PC based network monitoring software would be. All of my network monitoring tools can tell there's pollution, but they just get lost after that. I just need something that will monitor the traffic on the net for a 24 hour period, and tell me which IPs have the highest mystery traffic.
Any suggestions ?

Thanks,
~Rob.

indigo_wolf
« Reply #1 on: April 04, 2011, 08:03 PM »

Do you have a budget for this? 

If so, take a look at SolarWinds

Orion Network Performance Monitor (MSRP Starts at $2475)
http://www.solarwinds.com/products/orion/

Orion Network Traffic Analyzer (MSRP Starts at $1795)
http://www.solarwinds.com/products/orion/nta/

Check the online live demos to see which one is a better fit for you.

If all of your switches can export NetFlow data, SW's Realtime NetFlow Analyzer is free:
http://www.solarwinds.com/products/freetools/netflow_analyzer.aspx
and that might be enough to suss out what is bogging your system.  You can remotely enable NetFlow on switches that support it using SW's free Netflow Configurator
http://www.solarwinds.com/products/freetools/netflow_configurator.aspx

If none of the above works, let me know and I can go through my notes to see if anything else might work for you.

ATB,
Sam
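
The collector side of Sam's NetFlow suggestion, as an added example (this is not code from the thread and not SolarWinds' tool): it decodes the NetFlow v5 export datagrams a switch or router sends to the collector, then ranks sources two ways, by bytes sent and by fan-out (distinct destination/port pairs). Byte totals find the bandwidth hog; fan-out finds a worm-like host that touches many machines with little data each. The datagram at the bottom is constructed in the script with made-up 10.1.x.x addresses, and the `receive()` loop that binds UDP/2055 is an assumed deployment detail that is not run on import.

```python
"""Decode NetFlow v5 export datagrams and rank the hosts behind them.

Added example; not code from the forum thread or from SolarWinds.  The
datagram at the bottom is constructed here with made-up 10.1.x.x addresses.
"""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
V5_MAX_RECORDS = 30                                   # a v5 datagram carries at most 30


def parse_v5(datagram):
    """Return (header, records) for one NetFlow v5 export datagram.

    Version and length are checked before any record is read, so a truncated
    or foreign datagram raises instead of yielding garbage counters.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "bytes": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    return header, records


def top_talkers(records, n=3):
    """Sources ranked by bytes sent: the classic heavy-hitter report."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def fan_out(records, n=3):
    """Sources ranked by distinct (destination, port) pairs.  A scanning or
    worm-like host shows up here even when its byte count is modest."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(((s, len(t)) for s, t in targets.items()),
                  key=lambda kv: (-kv[1], kv[0]))[:n]


def receive(port=2055):
    """Assumed collector loop: bind the usual NetFlow port and decode each datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (exporter, _) = sock.recvfrom(2048)
        yield exporter, parse_v5(data)


# --- constructed sample datagram (not real router output) -------------------
def _record(src, dst, pkts, octets, sport, dport, proto):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                          1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)

_RECORDS = [
    _record("10.1.1.50", "10.1.2.17", 900, 120000, 1034, 445, 6),   # workstation hammering SMB
    _record("10.1.1.50", "10.1.3.22", 850, 115000, 1035, 445, 6),
    _record("10.1.1.10", "10.1.1.20", 300, 400000, 445, 1200, 6),   # file server serving a client
    _record("10.1.1.77", "10.1.1.2", 40, 3000, 1500, 53, 17),       # ordinary DNS lookups
]
SAMPLE_DATAGRAM = V5_HEADER.pack(5, len(_RECORDS), 123456, 1301900000, 0, 1, 0, 0, 0) \
    + b"".join(_RECORDS)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_DATAGRAM)
    print("flows:", hdr["count"], "by bytes:", top_talkers(recs), "by fan-out:", fan_out(recs))
```

On the sample the file server tops the byte ranking while the SMB-spraying workstation tops the fan-out ranking, which is why both views are worth keeping side by side before pulling a cable.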

Allen Carter (Board Moderator)
« Reply #2 on: April 04, 2011, 08:04 PM »

You mention a lack of AV software, but it would seem that most malware is fairly easy to track down at the Internet gateway. A single choke point on a small network. Your border device(s) should be able to reveal the hosts with the mosts. If you have no such device at the gateway, that's where you put something. The basic tool is a sniffer like Wireshark. With Internet bound traffic going through a sniffer you should see the heavy hitters right quick.

If you have malware active on the network that is not trying to connect to the Internet, then you've got a low percentage bug. You'd need to en the sniffer on various segments until you turn up something. But really, if a large percentage of the network is affected it should be pretty obvious where the common data connections are. If your network is slow all the time (not intermittently) then you shouldn't need anywhere near 24 hours of capture. If the problem is traffic based, you'll see it right away.

Have you ruled out DNS issues?

Here's a link to a tutorial on sniffing.

http://www.netresec.com/?page=Blog&month=2011-03&post=Sniffing-Tutorial-part-1---Intercepting-Network-Traffic
Allen, AKA kitehead
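
Allen's "sniffer at the gateway, find the heavy hitters" approach, as an added example rather than code from his post or the linked tutorial: a pure-Python reader for classic libpcap files (the format tcpdump writes and Wireshark can save) that parses Ethernet/IPv4 and ranks sources by bytes, by packets and by UDP/53 queries, the last one for his DNS question. The capture is synthesised inside the script with made-up 10.1.1.x hosts; on a real trace you would call summarise() on the bytes of a file captured at the Internet gateway or a switch span port.

```python
"""Rank the hosts in a packet capture by bytes, packets and DNS queries sent.

Added example in pure Python (no scapy, tshark or Wireshark needed); not code
from the thread or the linked tutorial.  The capture at the bottom is
synthesised here with made-up 10.1.1.x addresses, not a real trace.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xa1b2c3d4 stored little-endian (usual on x86)
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
DLT_EN10MB = 1                       # Ethernet; the only link type handled here
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def iter_frames(pcap_bytes):
    """Yield (timestamp, frame bytes) for every record of a classic libpcap file."""
    magic = pcap_bytes[:4]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (bad magic)")
    link_type = struct.unpack(e + "I", pcap_bytes[20:24])[0]
    if link_type != DLT_EN10MB:
        raise ValueError("unsupported link type %d" % link_type)
    rec = struct.Struct(e + "IIII")          # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + rec.size <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = rec.unpack_from(pcap_bytes, off)
        off += rec.size
        frame = pcap_bytes[off:off + incl_len]
        if len(frame) < incl_len:
            break                             # truncated file: stop, do not mis-parse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_ipv4(frame):
    """(src, dst, proto, ip_total_len, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                           # ARP, IPv6, runts: not counted
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = "%d.%d.%d.%d" % tuple(frame[26:30])
    dst = "%d.%d.%d.%d" % tuple(frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])   # ports lead both headers
    return src, dst, proto, total_len, sport, dport


def summarise(pcap_bytes):
    """Per-source counters: IP bytes, packets, and UDP packets sent to port 53."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "dns": 0})
    for _, frame in iter_frames(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, _dst, proto, total_len, _sport, dport = parsed
        stats[src]["bytes"] += total_len
        stats[src]["packets"] += 1
        if proto == PROTO_UDP and dport == 53:
            stats[src]["dns"] += 1
    return dict(stats)


def top(stats, key, n=3):
    """The n sources with the largest value of key ('bytes', 'packets' or 'dns')."""
    return sorted(((ip, v[key]) for ip, v in stats.items()),
                  key=lambda kv: (-kv[1], kv[0]))[:n]


# --- constructed sample capture (synthetic, zero checksums) -----------------
def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _frame(src, dst, proto, sport, dport, payload_len):
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    else:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 0x5018, 8192, 0, 0)
    l4 += b"\0" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip(src), _ip(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x66" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1301900000 + i, 0, len(f), len(f)) + f
    return out

_ARP = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\0" * 28
SAMPLE_PCAP = _pcap(
    [_frame("10.1.1.50", "10.1.%d.9" % i, PROTO_TCP, 1030 + i, 445, 1400) for i in range(5)]  # SMB spray
    + [_frame("10.1.1.77", "10.1.1.2", PROTO_UDP, 1500 + i, 53, 30) for i in range(4)]         # DNS lookups
    + [_frame("10.1.1.10", "10.1.1.20", PROTO_TCP, 445, 1200, 1400) for _ in range(3)]         # file server
    + [_ARP])

if __name__ == "__main__":
    s = summarise(SAMPLE_PCAP)
    for key in ("bytes", "packets", "dns"):
        print(key, top(s, key))
```

The three rankings answer three different questions: bytes finds what is saturating a T1, packets finds the chatty host that drowns a switch in small frames, and the UDP/53 count shows whether the "slow network" is really a resolver being hammered.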

fidelio
« Reply #3 on: April 04, 2011, 11:07 PM »

i've not used it in a professional setting but i've had good results before with visual pulse by visualware. http://www.visualpulse.com

it may or may not be the best for your specific situation as it's a bit of a quality assurance application but this is among its features:
Router, Firewall and Server network usage -- SNMP measurements provide vital traffic levels for ICMP, TCP, UDP and IP traffic
Router, Firewall and Server port utilization -- monitors SNMP device utilization levels, inbound and outbound bandwidth usage

anyway, just tossing it out there.

Fdeli

RobB
« Reply #4 on: April 05, 2011, 04:33 AM »

Thanks, guys... that gives me a few directions to explore. I have 3 ISA servers as internet gateways, with Cisco 1700 or 2600 routers behind them. I was monitoring traffic through them last night, and found my top 3 machines on each of those. Also, after the onsite IT person plugged my AV server back in   Huh  I got a couple thousand emails this morning reporting virus & spyware on the managed machines... That should keep me busy, I think I'll be finding some machines today & pulling cords !

I know, some of you real IT people's heads are spinning while you're reading this, but most of my environments are a little better than this one.  Cheesy This is what happens when the small/medium sized business gets big enough to hire a full-time, onsite, IT 'professional', but pays bottom feeder salary for the position. This particular customer happens to be a car dealer...  Roll Eyes

indigo_wolf
« Reply #5 on: April 05, 2011, 09:28 AM »

Quote from: RobB on April 05, 2011, 04:33 AM
This is what happens when the small/medium sized business gets big enough to hire a full-time, onsite, IT 'professional', but pays bottom feeder salary for the position. This particular customer happens to be a car dealer...  Roll Eyes

Hope you get the utilization issue sorted out.

Wow.... internally, I am ROTFLMAO, close to knocking myself unconscious on the hardwood floor.

FWIW: Your comments are dead-on, but it could be much, much worse.... take my word on this. 

ATB,
Sam

Allen Carter (Board Moderator)
« Reply #6 on: April 05, 2011, 09:51 AM »

ISA servers!  Cry

I feel your pain.

I work at NASA's Security Operation Center. We do pretty much exactly what you're describing for the whole agency. "What the hell is that and where is it coming from!!???"   Roll Eyes

Allen, AKA kitehead
RobB
« Reply #7 on: April 06, 2011, 04:49 AM »

Hey guys...
I decided in the early 90s that there was no challenge in being a hardware tech (or whatever I am) working for a big organization with a big IT budget.  Cheesy
I worked for a while on some trading floors, and for some big investment banks, but the suit & tie crowd just didn't fit me. So, I've made my living working with the smallest companies, some have only 1 computer, some have a server and 2 computers. I have some bigger small companies that have grown over the years, like the one I'm having trouble with now.
OK, you guys were laughing, and I didn't even post a picture of one of the comm closets...

[photo of the comm closet]

Ok, Ok... you can catch your breath... stop laughing...
Really, that was neat & clean when it was first installed. I did make some progress calming the traffic on the network yesterday by yanking some machines off line and getting the AV server back up to speed. Now if I could only convince them to buy the AV licenses for the other 75% of the clients on the network !   Grin

~Rob.

Allen Carter (Board Moderator)
« Reply #8 on: April 20, 2011, 01:35 PM »

So how did it go?

A little misconfig or a major exploit?

Allen, AKA kitehead

RobB
« Reply #9 on: April 20, 2011, 03:04 PM »

Hey Allen...

Thanks for checking in... well, you saw the picture. It's worse than it looks !  Cheesy

No, I have made progress on getting their network to flow better. No authorization on the rest of the AV licenses yet, so, I am very limited on what I can do for them. I got the worst offenders off the network, and replaced some bad switches. The level of traffic is still very high, but at least there aren't errors in the data flow, now. Timeouts on the pings are gone...
It's still nowhere near where it should be, but the customer is happy because they don't crash multiple times per day. That's about all they'll pay for, is 'good enough'. I have to wait to see if I'll get paid for what I did do for them before I'll do more...  Roll Eyes

~Rob.