Cisco Support Community
New Member

Packet Analysis on an Ethernet

Hello everyone. I am a network admin and we have a fairly large Ethernet consisting of multiple segments and two separate subnets divided by two Cisco 1600 routers with a T1. The main network is 10.1.1.0 255.255.255.0 and the network fed by the T1 is 10.1.2.0 255.255.255.0. I am using IGRP between the two routers.

My users across the T1 (10.1.2.0 network) are complaining about slowness and lagging in applications they are pulling from the server (10.1.1.5). I am wondering if this is due to high utilization on the T1.

However, I would like to be able to monitor what my users are requesting and sending on the network, i.e., find out if someone's using Kazaa or listening to streaming audio, etc. What Ethernet analysis program would you guys recommend to look at the packets? Thanks for all the help.

16 REPLIES
Cisco Employee

Re: Packet Analysis on an Ethernet

Ethereal (http://www.ethereal.com) is extremely popular and powerful (and it's free).

New Member

Re: Packet Analysis on an Ethernet

Thanks, I have tried Ethereal. I only see that I can monitor my Ethernet interface. All I see is information I request and broadcast packets that I receive. Is there a way to sniff a port on the router so I can see what other IP addresses are doing?

New Member

Re: Packet Analysis on an Ethernet

You can add another NIC to the PC (actually you can add several NICs). I have a few headless Windows boxes that have multiple NICs. Use one NIC as the management interface and the other interfaces for sniffing. Take all the normal Windows precautions to stop forwarding traffic between the interfaces. You can access the box with Windows terminal services and fire up Ethereal. If you set the capture buffers to rotate to a new file if the buffer exceeds say 10 Meg you can capture lots of traffic. Easy and not too costly.

New Member

Re: Packet Analysis on an Ethernet

Thanks for the reply. Can you elaborate a little more on the setup? I don't quite understand how to set up the mgmt interface and the sniffing interface. I can install another NIC on my laptop, no problem.

Hall of Fame Super Silver

Re: Packet Analysis on an Ethernet

I would assert that you don't need a full-fledged packet capture and analysis to accomplish your goal. If all you want is to see top talkers, protocols, etc. you can use NetFlow services (http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html) in IOS and a third party product such as Caligare Flow Inspector (http://www.caligare.com/netflow/cfi.php - trial version available) to analyze the data.

Hope this helps. Please rate helpful posts.

New Member

Re: Packet Analysis on an Ethernet

I cannot configure my switches for SPAN ports because they are unmanaged in that subnet.

I like the idea of using netflow. However, I am running Windows XP professional, not Linux.

Is there any NetFlow analyzer for Windows?

Re: Packet Analysis on an Ethernet

Hi

I would like to suggest PacketAnalyzer, available at www.networkchemistry.com. It's an excellent tool and easy to use.

Regards

JD

Hall of Fame Super Silver

Re: Packet Analysis on an Ethernet

While I agree that NetFlow is probably the optimum tool for identifying traffic, there is an aspect of the discussion about sniffing (or etherealing) that needs some follow up. This statement was made about the results when using Ethereal:

"All I see is information I request and broadcast packets that I receive."

This is a fairly classic symptom when using packet capture software. It is caused by the fact that the PC running the capture software is on an access port on a switch. The access port forwards unicast traffic for that device and forwards broadcast and multicast traffic. If you want to run packet capture software then you need to have the switch port set up as a SPAN port (or a monitoring port depending on the switch model).

There is also an interesting new feature which would allow packet capture for packets on a router called ip export. This link explains the new feature:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b94.html

HTH

Rick

New Member

Re: Packet Analysis on an Ethernet

Thanks I will try this one too.

New Member

Re: Packet Analysis on an Ethernet

I cannot configure my switches for SPAN ports because they are unmanaged in that subnet.

I like the idea of using netflow. However, I am running Windows XP professional, not Linux.

Is there any NetFlow analyzer for Windows?

Hall of Fame Super Silver

Re: Packet Analysis on an Ethernet

Yes there are NetFlow analyzers for Windows.

One product is NetFlow Tracker from Crannog software

http://www.crannog-software.com/index.php?go=Product.ShowDetail&ProductID=1

Another product is PRTG from Paessler

http://www.paessler.com/

Both of these are commercial products and they have an evaluation copy that you can try out.

And another tool for Windows with a free version is

Scrutinizer

http://www.somix.com/products/scrutinizer_free.php

HTH

Rick

New Member

Re: Packet Analysis on an Ethernet

I have made some headway on my issue. I figured a way to monitor traffic. I have to insert a hub between the router and the switch which feeds the users. If I do this, all traffic is broadcast to the hub ports because it repeats it. I can see the users' traffic this way.

The program I am trying right now is etherlook. It has a VERY nice GUI which shows you every node and resolves the computer names with their IP addresses and there are tabs for IP, TCP, UDP, and Web traffic. Pretty neat.

I tried using NetFlow and it did work, but I didn't see who was doing what. It just showed me kind of what PRTG shows, using SNMP.

Hall of Fame Super Silver

Re: Packet Analysis on an Ethernet

Gideon

I am glad that you have a solution that is working for you. I agree that sometimes it is a bit dense to get into the NetFlow data and interpret it. If you want to have another go at it, and assuming that you have a copy of PRTG based on your comment, I would suggest that you look at the top conversations report. Within the observation window it gives source and destination address, source and destination port, and indicator of traffic load.

On the other hand, if you are getting what you need from etherlook then maybe that is all that you need to do.

HTH

Rick

New Member

Re: Packet Analysis on an Ethernet

Thanks for the help. I use PRTG and SNMP religiously on my intranet, and I would like to have another go at NetFlow. I would like to see the destination IP addresses in domain form as well for easier interpretation. Is this possible? Also, which client software are you referring to?

Hall of Fame Super Silver

Re: Packet Analysis on an Ethernet

Gideon

The version of PRTG that I worked with recently has the ability to process NetFlow data as well as to process information from SNMP. You can send NetFlow export to PRTG, define a collector in PRTG for the NetFlow, and one of its reports is for top connections. In the top connections report it gives the source and destination addresses and source and destination port numbers.

HTH

Rick

New Member

Re: Packet Analysis on an Ethernet

I will check this. Thank you.
