Network Bandwidth Measurement

naresh.narang
Level 1

Hi,

I need to measure web traffic going through a Cisco Pix 515 firewall. Any ideas?

Thanks & Regards,

--Naresh

14 Replies

didyap
Level 6

Unfortunately it is not possible with the Cisco Secure PIX Firewall to measure bandwidth. There are freeware and shareware programs on the internet that measure bandwidth usage. You can find many of these utilities by going to www.download.com

Such as MRTG, even many service providers are using this freeware tool that is generally installed on a Solaris system. It is very useful to monitor the traffic flowing. You have to customize it according to your network management concepts.

Baris

Istanbul

Thanks Baris, Solaris SNMP is pretty good about measuring traffic going to individual IP addresses on the same NIC. Windows is unable to do that, not sure about Linux. I just need to capture traffic at Layer 3, can you give me some examples of some tools (free or commercial).

Thanks for your help Baris.

--Naresh

Please visit www.mrtg.com and download this freeware tool, which can also be used on Solaris systems. You will be much more flexible in monitoring the traffic through this software. On this web site, you may also see inexpensive commercial ones. Enjoy them!!!

Regards,

Baris.

Thanks Baris, I have used MRTG before. It uses SNMP but is unable to capture data for all aliased IP addresses on the NIC.

--Naresh

Do you have any kind of router behind it or before it?

If so, you might be able to use NetFlow.

If you can mirror the traffic, you can use tcpdump / tcpstat for the analysis work or ntop for graphics.

HtH

Regards

Patrick

fausto-oliveira
Level 1

You can use PDM to graph the traffic as a bulk observer; you can also graph the number of connections.

Thanks Fausto, I am not sure if this method gives me layer 3 data. Can't use Netflow because it only comes with high end switches that are costly. Pix snmp is unable to capture it. There may be costly 3rd party tools but I haven't been able to find a reasonably priced tool that can capture this data at L3. But then, this measurement is non-trivial.

Regards,

--Naresh

For the least amount of out-of-pocket cost, you can install a Linux box in front of the 515 and bridge the traffic through that. It would allow you to do a detailed packet analysis of the traffic flow, including easy extraction of your web traffic. It's not the most elegant solution, but it will give you direct access to what you are looking for.

Good luck. - scott

Thanks Scott, but putting this Linux box in front of about 60 e-commerce web sites running with 24x7x365 availability is one risk I cannot afford to take. It would be suicidal.

Regards,

--Naresh

I think Scott was thinking of a Linux box with no addressing turned on. Strictly in bridged mode, no cracker could target it (unless they were on the same segment) without an IP address. Reports would have to be done locally then. But this is a good idea; you could also run a slew of freeware traffic monitoring tools on this box. I would suggest ntop.

Hi Jason,

Thanks for the response. I ran ntop. It was able to capture L2 data and not L3 as it is supposed to.

Regards,

--Naresh

Naresh,

By default, ntop will capture layer 2 and 3 frames/packets for analysis. If you do not want the layer 2 traffic, there is a command to turn that analysis off ("no-mac" I think, that's from memory though, so check the man file). Usually the layer 2 information is useful; however, I can think of at least one mirroring scenario where it could cause some confusion.

I believe that there is also a protocol parameter where you can specify to ntop that you are only interested in www traffic. For your purposes of bandwidth monitoring, you will probably want to include https, any proxied ports, or any non-standard http ports you may be running. In the case of https, you won't get any sort of advanced analysis because of the encrypted payload, but you will be able to get a numerical assessment of the bandwidth used.

Hope that helps,

Scott
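As an added illustration of the layer-3 accounting discussed above (not code from any poster in this thread and not part of ntop), the sketch below reads a classic pcap capture, such as one written by tcpdump on a mirror port, and totals IPv4 bytes per server IP for TCP traffic on web ports, so aliased addresses on one NIC are counted separately. The port set, function names and the sample capture are assumptions constructed for the example; HTTPS is counted by size only, since the payload is encrypted.

```python
import struct
from collections import Counter

WEB_PORTS = {80, 443}  # assumption: extend with proxied or non-standard HTTP ports

def web_bytes_per_ip(pcap, ports=WEB_PORTS):
    """Sum IPv4 total-length of TCP packets on web ports, keyed by server-side IP."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are not handled here)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 6 or frag_off or len(ip) < ihl + 4:
            continue  # not TCP, or a later fragment with no TCP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if dport in ports:
            server = ip[16:20]   # request direction: server is the destination
        elif sport in ports:
            server = ip[12:16]   # response direction: server is the source
        else:
            continue
        totals[".".join(map(str, server))] += struct.unpack("!H", ip[2:4])[0]
    return totals

def _frame(src, dst, sport, dport, payload_len):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    tcp += b"\0" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: two aliased server IPs plus one SMTP packet to ignore."""
    client, a, b = (198, 51, 100, 7), (192, 0, 2, 10), (192, 0, 2, 11)
    frames = [_frame(client, a, 40000, 80, 100), _frame(a, client, 80, 40000, 1000),
              _frame(client, b, 40001, 443, 200), _frame(client, b, 40002, 25, 50)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, n in sorted(web_bytes_per_ip(sample_pcap()).items()):
        print(ip, n)
```
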

Hi Naresh,

We use firewallanalyzer @ fwanalyzer.com to monitor the PIX; take a look at demo.fwanalyzer.com.