IT Question: LAN Monitoring

Greetings All,

I would like to find out if anyone knows of any good freebie (to start with) tools that I can run on my local network in the office to check the traffic that's being pushed around.

We are in the middle of a PC migration, and have already rolled out around 80 windows 7 profesional 64 bit PCs, but I'm finding the LAN has started to slow a little.

Before, I get the uproar from the users, I wanted to run some tools across the network to see what's slowing it down, and if I need to now start looking at upgrading the switch infrastructure.

Failing the freebie tools, then if anyone knows of a decent bit of software or kit, that I can use in order to obtain any statistics that might help diagnose my issues.

Thanks in advance.

There is only one tool, wireshark! Open source, free & damn scary at times. Seriously, you would not believe half of the packets that are flying about the place.

Thanks Raf...although looking at the demonstration of Wireshark - it looks a little dark to say the least. Will this product identify potential streaming media and how much is actually being banded around the network?

Wireshark does have all sorts of filters built into it. The community also adds a lot of filters as well, I am sure some other sysadmin out there has also came accross your problem. It can identify RTSP easily so if you have someone out there using it you will find him/her. I am also sure you can add extra filters to tack on to youtube, vimeo and other such sites too. The tool is quite flexible and powerful, and yes it is a bit full on when you first get started with it.

[hindle8907]

Have a look at untangle. there are lots of add-ons, we use this just for the net fail over and wan balancer but I'm sure there will be some sort of lan monitor add-on.

If not its still a cool piece of software/os to keep in mind for other network management.

You may run into legal issues running wireshark even on a LAN you own unless it is stated in the employees contract that the company may monitor raw packets flying around on the network. Plus its not going to tell you much regarding bandwidth utilisation such as the obvious, someone using p2p or it could give you a clue if you see a lot of tcp retransmission etc.

What network devices are you using, if its cisco does it support netflow if it isn't cisco does it support sflow?
Also if your switch is snmp capable it will be easy to monitor each interface on the switch for traffic rates and speed/duplex issues

That said net/sflow are only really useful on a layer 3 interface, but i still think snmp is the way to go to as it will give a definitive picture of traffic/load across your network and networking devices.

Are all these machines on the same subnet?
Do you have a topology diagram to hand?

I'll second wireshark, it is an indispensable tool for hunting down network issues.

At 80 end devices it might be worth looking at how your infrastructure is deployed, are you using multiple small switches daisy chained or is it a single chassis switch?

Surely wireshark is going to be limited on a switched network unless your sniffing an uplink port, if your on a switched network patched into an access port without arp poisoning your only going to see traffic on that particular network segment which in theory would only be one machine

Assuming your sniffing on an uplink port wireshark is only going to tell you the blinding obvious such as an excess amount of re transmission or dodgy protocols being used and even then you are going to have millions of packets to examine. Im not saying wireshark is no use but its a tool with a narrow scope that is best to further investigate and issue that has already been discovered

Position a hub on a network segment with congestion hang a laptop with wireshark off the hub and see what you get. Granted it will make congestion worse but will enable you to check the type of traffic flow. Else wireshark will enable you to see what broadcasts are going on if attached to a standard access port.

Quote:

Originally Posted by ravingdavis

Position a hub on a network segment with congestion hang a laptop with wireshark off the hub and see what you get. Granted it will make congestion worse will you check but it will give you an idea of what is going on. Else wireshark will enable you to see what broadcasts are going on if attached to a standard access port.

I doubt it is going to be congestion due to excessive broadcasts unless theres a loop on the network but i think the switches would of died by now.
One of our engineers recently by accident caused a loop on a network core consisting of 3 extreme black diamond switches (8806), they were on their knees in seconds

The thing is now do you determine how many broadcasts are to much on a network with 80 machines on it?
A single switched network should be capable of 4-500 hosts before broadcasts become and issue

If he is using managed switch he could have snmp up and running in 30 mins with stats on every single port for traffic in/out as well as speed/duplex issues, plus you can break traffic in/out into broadcast, multicast and unicast as well as showing the number of frames dropped