Analyzing traffic to router from network scenario

08-13-2012, 11:58 AM
Hi all,

A few weeks back I was in a scenario in which I had to analyze the whole traffic of a network. Yes! The whole traffic of the network. All VLANs.

Hmm. So the natural option was to analyze upstream traffic from all switches going to the router. The added danger was that if I messed up anything in their data center, I would feel the wrath of a lot of people.

So I am just enumerating some ways which I thought could be done in such a scenario. (Note that I am not very good at networking :( )

1. The use of network taps (http://en.wikipedia.org/wiki/Network_tap) comes in very handy in such scenarios. The hardware is specially made to duplicate traffic from a wire, and the monitoring node sees this traffic. So no hindrance to actual bandwidth and packets. Pretty cool, eh? But pricing is not very cool ...

2. Port mirroring (http://en.wikipedia.org/wiki/Port_mirroring) is the natural option that most would opt for. The economical and most viable option. Note, it can only be done on switch ports. (Correct me if I am wrong)

There was a main switch which was handling all the rest of the switches. There was one LAN cable going from this main switch port to the router port. Port mirroring can be enabled on this port to capture all the packets going upstream to the router.

Note that port mirroring is enabled by issuing extra commands on the switch or by configuring it through the web interface of the switch.

3. Many routers now come with NetFlow technology (http://en.wikipedia.org/wiki/NetFlow).

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, toward at least one NetFlow collector - typically a server that does the actual traffic analysis.

So basically NetFlow can be enabled on routers on which it is supported, and there are NetFlow clients which can be used to analyze the data. The clients are very good and have excellent reporting mechanisms and algorithms.

4. An idea also came up to put a Linux machine with two NICs between the connection. Put one interface for the incoming connection and another interface for the outgoing connection. Enable IP forwarding. Capture traffic on either interface. Could it be done?
I didn't try this method, as it was immediately evident that a single x86 machine could not handle all the traffic of the network and could collapse.

Anyway, please do share some more points if you can come up with something regarding this scenario.

08-18-2012, 05:03 PM
Proprietary network taps are costly, but if you have decent soldering and PCB fabrication skills you can design your own network tap. The Hak5 crew had one in their shop inventory for ages. They have open-sourced their CAD designs (http://greatscottgadgets.com/throwingstar/throwing-star-20110217.tar.gz) and the assembly instructions are here (http://hakshop.myshopify.com/products/throwing-star-lan-tap).

08-18-2012, 07:35 PM
If your objective is to just monitor the network traffic, i.e. the bandwidth statistics and protocol statistics, then NetFlow is the one to go for. Config is simple, i.e. a set of commands to redirect traffic to a particular IP which has the NetFlow client to analyze the NetFlow statistics.

If your objective is to collect all traffic data, go with port mirroring, but you might experience latency and overheads in the network. It depends on the core switch HW config.

The option of going with 2 NIC cards would be the least preferred in my opinion; you will have packet loss.
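The original post's item 3 and the reply above both describe NetFlow as statistics exported to a collector rather than the packets themselves. What the collector actually receives is worth seeing. The following is an added example, not code from the thread or from any NetFlow product: a Python parser for NetFlow v5 export datagrams (24-byte header, 48-byte records, big-endian, as Cisco documents the format) that validates the datagram, decodes the records and ranks sources by bytes. The datagram, addresses and interface numbers are constructed in memory, not exported by a real router; `collect()` is the UDP listener you would run against an exporter and is not invoked here.

```python
"""Parse NetFlow v5 export datagrams and rank sources by bytes.

Added example, not from the thread. Assumes NetFlow v5 as Cisco documents it;
the sample datagram below is constructed, not captured from a real exporter.
"""
import socket
import struct
from collections import defaultdict

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 exporter packs at most 30 records per datagram


def parse_v5(datagram: bytes) -> list:
    """Return one dict per flow record; reject anything that is not sane v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = (
        V5_HEADER.unpack_from(datagram, 0))
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"count {count} exceeds the v5 maximum")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces more records than the datagram holds")
    interval = sampling & 0x3FFF  # low 14 bits: interval (0 = unsampled); top 2: mode
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13], "sampling": interval,
        })
    return flows


def top_talkers(flows: list, n: int = 3) -> list:
    """Bytes per source address, scaled up by the sampling interval if sampled."""
    per_src = defaultdict(int)
    for f in flows:
        per_src[f["src"]] += f["bytes"] * max(f["sampling"], 1)
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def collect(port: int = 2055, max_datagrams: int = 10) -> list:
    """Listen on the customary NetFlow UDP port and parse what arrives (not run here)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    flows = []
    for _ in range(max_datagrams):
        data, _peer = sock.recvfrom(65535)
        try:
            flows.extend(parse_v5(data))
        except ValueError as exc:
            print("dropped datagram:", exc)
    return flows


# --- constructed sample datagram (hypothetical addresses) ---------------------
def build_v5(records: list, sampling: int = 0) -> bytes:
    header = V5_HEADER.pack(5, len(records), 1000, 1344000000, 0, 1, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 900, 990,
                       sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, proto, sport, dport, pkts, octets, flags) in records)
    return header + body


SAMPLE_FLOWS = [  # (src, dst, proto, sport, dport, packets, bytes, tcp_flags)
    ("10.10.1.25", "172.16.0.5", 6, 51234, 443, 120, 96000, 0x18),
    ("10.10.2.40", "172.16.0.5", 6, 51235, 443, 40, 8000, 0x18),
    ("10.10.1.25", "10.10.9.9", 17, 53122, 53, 2, 160, 0),
]
DATAGRAM = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    for src, nbytes in top_talkers(parse_v5(DATAGRAM)):
        print(f"{src:>15} {nbytes} bytes")
```

Note what is and is not in a record: addresses, ports, protocol, interfaces, packet and byte counts, but no payload. That is why NetFlow answers "who talks to whom, how much" at a fraction of the cost of a full capture, and why it cannot replace port mirroring when you need the packets. If the exporter samples, the low 14 bits of the sampling field tell you what to multiply by; ignore that and your bandwidth figures are off by that factor.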

01-29-2013, 04:57 AM
I agree with AnarKI.

If you're analyzing multiple systems and this is a datacenter you're talking about, and you're wanting to place a NIC card on 2 systems, one for forwarding and one for outgoing, plus you have 1000+ systems forwarding all information at once, you could see load balancing being slowed down, and not only that, the systems might not be able to handle such information.

I don't think putting it on 2 systems will do the job. From reading about NetFlow it seems like it would do the trick, but then again you're analyzing over 1000+ systems.

The best thing to do is make a network script that runs a tcpdump on all systems and forwards the data to a particular machine, and run it through network analyzer software.

Tcpdump is very lightweight and would not affect system performance.

By putting a tcpdump script on 50 systems with a 25 MB file each day, let's say it fills up 25 MB each day forwarded to all other systems, you're looking at maybe a 3 GB+ file to analyze, and spread across a multi-tier system with higher performance it would reduce the performance greatly, especially if it has parallel distribution.
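The distributed-tcpdump plan in the post above (capture on every host, ship the files to one machine, analyze there) leaves the merge step to "network analyzer software", and it has a trap the post does not mention: when both ends of a conversation run tcpdump, every frame between them lands in two files, so a naive sum double-counts internal traffic. As an added example that is not part of the thread, here is a Python script that reads classic pcap files (both byte orders, Ethernet link type), merges them into one time-ordered stream, drops frames already seen by hashing the frame bytes, and tallies bytes per IPv4 source. The three captures, host names and addresses are constructed in memory, not real traffic.

```python
"""Merge per-host tcpdump captures, drop duplicate frames, tally bytes per source.

Added example, not from the thread. Assumes classic pcap (magic 0xa1b2c3d4,
link type 1 = Ethernet) holding IPv4 frames; captures below are constructed.
"""
import hashlib
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) records, honouring the file's byte order."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    ghdr = struct.Struct(order + "IHHiIII")
    rhdr = struct.Struct(order + "IIII")
    snaplen, linktype = ghdr.unpack_from(data, 0)[5:]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected Ethernet link type, got {linktype}")
    off = ghdr.size
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl, _orig = rhdr.unpack_from(data, off)
        off += rhdr.size
        if incl > snaplen or off + incl > len(data):
            raise ValueError("corrupt or truncated packet record")
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl


def merge_dedup(captures: dict) -> tuple:
    """Merge {host: pcap_bytes} into one time-ordered list, dropping repeated frames.

    The dedup key is the frame bytes only (host clocks differ, so timestamps
    cannot be part of it); a byte-identical retransmission collapses as well.
    """
    seen = set()
    merged, dupes = [], 0
    for host, blob in captures.items():
        for ts_sec, ts_usec, frame in read_pcap(blob):
            key = hashlib.sha256(frame).digest()
            if key in seen:
                dupes += 1
                continue
            seen.add(key)
            merged.append((ts_sec * 1_000_000 + ts_usec, host, frame))
    merged.sort(key=lambda rec: rec[0])
    return merged, dupes


def bytes_per_src(merged: list) -> dict:
    """Sum frame bytes per IPv4 source address; non-IPv4 frames are skipped."""
    tally = defaultdict(int)
    for _ts, _host, frame in merged:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        tally[socket.inet_ntoa(frame[26:30])] += len(frame)
    return dict(tally)


# --- constructed captures (hypothetical hosts, no real traffic) ---------------
def _frame(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * payload_len


def build_pcap(records: list, snaplen: int = 65535) -> bytes:
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


F_A_TO_B = _frame("10.0.0.1", "10.0.0.2", 100)    # 134 bytes on the wire
F_B_TO_A = _frame("10.0.0.2", "10.0.0.1", 40)     # 74 bytes
F_C_OUT = _frame("10.0.0.3", "203.0.113.7", 200)  # 234 bytes
T = 1344000000
CAPTURES = {
    "hostA": build_pcap([(T, 100, F_A_TO_B), (T, 900, F_B_TO_A)]),
    "hostB": build_pcap([(T, 150, F_A_TO_B), (T, 950, F_B_TO_A)]),  # same frames, own clock
    "hostC": build_pcap([(T, 500, F_C_OUT)]),
}

if __name__ == "__main__":
    merged, dupes = merge_dedup(CAPTURES)
    print(f"{len(merged)} unique frames, {dupes} duplicates dropped")
    for src, n in sorted(bytes_per_src(merged).items(), key=lambda kv: -kv[1]):
        print(f"{src:>15} {n} bytes")
```

On the capture side, the file-size arithmetic in the post is easier to control if each host writes a ring buffer rather than one growing file: `tcpdump -i eth0 -s 0 -w cap.pcap -C 100 -W 20` rotates through twenty 100 MB files, and `-Z` drops privileges once the socket is open. Whatever the rotation, the merge above only works for frames the hosts saw on the same segment; once traffic has crossed the router, MACs and TTL differ and the two copies no longer hash the same.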