Packet Analysis on an Ethernet

ktcisg
Level 1

Hello everyone. I am a network admin and we have a fairly large Ethernet consisting of multiple segments and two separate subnets divided by two Cisco 1600 routers with a T1. The main network is 10.1.1.0 255.255.255.0 and the network fed by the T1 is 10.1.2.0 255.255.255.0. I am using IGRP between the two routers.

My users across the T1 (10.1.2.0 network) are complaining about slowness and lagging in applications they are pulling from the server (10.1.1.5). I am wondering if this is due to high utilization on the T1.

However, I would like to be able to monitor what my users are requesting and sending on the network, i.e., find out if someone is using Kazaa or listening to streaming audio, etc. What Ethernet analysis program would you guys recommend to look at the packets? Thanks for all the help.

16 Replies

Joe Clarke
Cisco Employee

Ethereal (http://www.ethereal.com) is extremely popular and powerful (and it's free).

Thanks, I have tried Ethereal. I only see that I can monitor my Ethernet interface. All I see is information I request and broadcast packets that I receive. Is there a way to sniff a port on the router so I can see what other IP addresses are doing?

You can add another NIC to the PC (actually you can add several NICs). I have a few headless Windows boxes that have multiple NICs. Use one NIC as the management interface and the other interfaces for sniffing. Take all the normal Windows precautions to stop forwarding traffic between the interfaces. You can access the box with Windows terminal services and fire up Ethereal. If you set the capture buffers to rotate to a new file if the buffer exceeds say 10 Meg you can capture lots of traffic. Easy and not too costly.

Thanks for the reply. Can you elaborate a little more on the setup? I don't quite understand how to set up the management interface and the sniffing interface. I can install another NIC on my laptop, no problem.

I would assert that you don't need a full-fledged packet capture and analysis to accomplish your goal. If all you want is to see top talkers, protocols, etc., you can use NetFlow services (http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html) in IOS and a third-party product such as Caligare Flow Inspector (http://www.caligare.com/netflow/cfi.php - trial version available) to analyze the data.

Hope this helps. Please rate helpful posts.

I cannot configure my switches for SPAN ports because they are unmanaged in that subnet.

I like the idea of using NetFlow. However, I am running Windows XP Professional, not Linux.

Is there any NetFlow analyzer for Windows?

desai.jaideep
Level 5

Hi

I would like to suggest PacketAnalyzer, available at www.networkchemistry.com. It's an excellent tool and easy to use.

Regards

JD

While I agree that NetFlow is probably the optimum tool for identifying traffic, there is an aspect of the discussion about sniffing (or etherealing) that needs some follow up. This statement was made about the results when using Ethereal:

All i see is information I request and broadcast packets that I receive.

This is a fairly classic symptom when using packet capture software. It is caused by the fact that the PC running the capture software is on an access port on a switch. The access port forwards unicast traffic for that device and forwards broadcast and multicast traffic. If you want to run packet capture software then you need to have the switch port set up as a SPAN port (or a monitoring port, depending on the switch model).

There is also an interesting new feature which would allow packet capture for packets on a router called ip export. This link explains the new feature:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b94.html

HTH

Rick


Thanks I will try this one too.


Yes there are NetFlow analyzers for Windows.

One product is NetFlow Tracker from Crannog software

http://www.crannog-software.com/index.php?go=Product.ShowDetail&ProductID=1

Another product is PRTG from Paessler

http://www.paessler.com/

Both of these are commercial products and they have an evaluation copy that you can try out.

And another tool for windows with a free version is

Scrutinizer

http://www.somix.com/products/scrutinizer_free.php

HTH

Rick


I have made some headway on my issue. I figured a way to monitor traffic. I have to insert a HUB between the router and the switch which feeds the users. If I do this, all traffic is broadcast to the hub ports because it repeats it. I can see the users traffic this way.

The program I am trying right now is Etherlook. It has a VERY nice GUI which shows you every node and resolves the computer names with their IP addresses, and there are tabs for IP, TCP, UDP, and Web traffic. Pretty neat.

I tried using NetFlow and it did work, but I didn't see who was doing what. It just showed me kind of what PRTG shows, using SNMP.

Gideon

I am glad that you have a solution that is working for you. I agree that sometimes it is a bit dense to get into the NetFlow data and interpret it. If you want to have another go at it, and assuming that you have a copy of PRTG based on your comment, I would suggest that you look at the top conversations report. Within the observation window it gives source and destination address, source and destination port, and indicator of traffic load.

On the other hand, if you are getting what you need from etherlook then maybe that is all that you need to do.

HTH

Rick

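A small top-conversations report of the kind Rick describes, as an added example that is not from this thread or from any of the products named: it aggregates constructed flow records (the comma-separated layout is an assumption, not a real NetFlow export format) for sources on the poster's 10.1.2.0/24 side of the T1 and ranks them by bytes with their share of the subnet's traffic.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real exporter output). Field order:
# src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
SAMPLE_FLOWS = """\
10.1.2.21,10.1.1.5,tcp,1044,445,820,412000
10.1.2.21,10.1.1.5,tcp,1045,445,310,155000
10.1.2.33,10.1.1.5,tcp,1100,445,95,40000
10.1.2.40,203.0.113.9,tcp,1214,1214,5200,6100000
10.1.2.40,203.0.113.9,tcp,1215,1214,4100,4900000
10.1.2.52,198.51.100.7,udp,3001,8000,2200,2600000
10.1.1.5,10.1.2.21,tcp,445,1044,900,1300000
"""

# The users on the far side of the T1 (from the original post).
REMOTE_SUBNET = ipaddress.ip_network("10.1.2.0/24")

def parse_flows(text):
    """Turn the comma-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, nbytes = line.split(",")
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": proto, "sport": int(sport), "dport": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def top_conversations(flows, n=3, subnet=REMOTE_SUBNET):
    """Sum flows sourced inside `subnet` per (src, dst, proto, dst port) and
    return the n heaviest as (key, packets, bytes, percent_of_subnet_bytes)."""
    totals = defaultdict(lambda: [0, 0])  # key -> [packets, bytes]
    for f in flows:
        if f["src"] not in subnet:      # only traffic originating across the T1
            continue
        key = (str(f["src"]), str(f["dst"]), f["proto"], f["dport"])
        totals[key][0] += f["packets"]
        totals[key][1] += f["bytes"]
    grand = sum(b for _, b in totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(k, p, b, round(100 * b / grand, 1)) for k, (p, b) in ranked[:n]]

if __name__ == "__main__":
    for conv, pkts, nbytes, share in top_conversations(parse_flows(SAMPLE_FLOWS)):
        print(f"{conv[0]} -> {conv[1]} {conv[2]}/{conv[3]}: "
              f"{pkts} pkts, {nbytes} bytes ({share}% of remote-subnet bytes)")
```

Return traffic from the server (the last sample record) is deliberately excluded so the ranking reflects what the remote users are pulling, which is the question the thread is trying to answer.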

Thanks for the help. I use PRTG and SNMP religiously on my intranet, and I would like to have another go at NetFlow. I would like to see the destination IP addresses in domain form as well for easier interpretation. Is this possible? Also, which client software are you referring to?
