From owner-freebsd-isp@FreeBSD.ORG Thu Apr 22 08:16:21 2004
From: "Wolfpaw - Dale Corse"
To: "'Spidey Knepscheld'"
Date: Thu, 22 Apr 2004 09:32:06 -0600
Message-ID: <01cf01c4287e$f80edb10$b8a6b38e@wolf>
Subject: RE: Traffic Monitor
List-Id: Internet Services Providers

Hi Spidey,

> My network looks like this: My Link comes in on a Cisco 805
> from the router it goes to the first NIC on the Firewall from
> the second NIC it runs into a 10base HUB where there are only
> 3 ports used one as I said for the Firewall the other for a
> FreeBSD box (I want to use this box for traffic monitoring)
> and then one port for the rest of the network which connects
> to a 100base switch. The reason I used the 10base HUB is
> because it broadcasts all the data to all the ports. So for
> all data to and from the firewall will be caught by the
> Monitoring BSD box. I hope this makes sense.

That is an _extremely_ bad idea. Hubs have major collisions,
meaning you will essentially be lagging yourself (put simply).

Personally, I'd go pick up a Cisco switch (1900 / 2900 series)
off eBay, for about 100 - 200 USD, and then you can set the
switch to "mirror" all traffic to one port, which is great
for monitoring things (we do it on a Catalyst 5000 for Snort).

>
> What I am looking for is some app that could show me live
> what ip on my network is utilizing what part of the
> bandwidth. Don't laugh!! I have a 256k Diginet connection and
> I would like to see who is killing my network. I do get live
> graphs from my upstream supplier but it shows the line
> utilization from my router and not who is using what.

Assuming the above scenario is in place (with the Cisco switch),
I would recommend IOG (http://www.dynw.com/iog/) for "Per Port"
monitoring, and if you have access to one of the routers, the
absolute best way to monitor bandwidth is using the Cisco Flow
Export features. They can tell you a ton about not only who's
using what, but where it's going, which connection it used (for
multi-homing) etc. Not sure if there is an app out there to deal
with flow data in that manner, ours is home-grown.

A good place to start looking though is
http://www.splintered.net/sw/flow-tools. This daemon will run
on FreeBSD, and you need it to collect the data.

Best of luck with it :)

Regards,
Dale.

--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095
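
The per-host accounting that flow export makes possible, as an added example that is not part of the original message and is not Wolfpaw's home-grown tool or flow-tools code. It assumes the router exports NetFlow version 5 (the message does not name a version) and that the LAN is 192.168.1.0/24; the function names and all addresses are constructed for illustration.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # one flow record, 48 bytes

def parse_v5(datagram):
    """Yield (src, dst, octets) for each flow record in one export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header claims more records than were received")
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield ip_address(rec[0]), ip_address(rec[1]), rec[6]  # rec[6] = dOctets

def usage_by_host(datagrams, lan):
    """Return [(host, [bytes_sent, bytes_received])], heaviest user first."""
    lan = ip_network(lan)
    totals = {}
    for datagram in datagrams:
        for src, dst, octets in parse_v5(datagram):
            if src in lan:
                totals.setdefault(str(src), [0, 0])[0] += octets
            if dst in lan:
                totals.setdefault(str(dst), [0, 0])[1] += octets
    return sorted(totals.items(), key=lambda item: -sum(item[1]))

def make_datagram(flows):
    """Pack constructed (src, dst, packets, octets) tuples as a v5 datagram."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, packets, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           0, 0, packets, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

# Constructed sample: two LAN hosts talking to documentation-range addresses.
SAMPLE = make_datagram([
    ("192.168.1.10", "203.0.113.5", 20, 1200),
    ("203.0.113.5", "192.168.1.10", 70, 90000),
    ("192.168.1.20", "198.51.100.7", 5, 500),
    ("198.51.100.7", "192.168.1.20", 8, 4000),
])

if __name__ == "__main__":
    for host, (sent, received) in usage_by_host([SAMPLE], "192.168.1.0/24"):
        print(f"{host:15} sent={sent:>8} received={received:>8}")
```

For live use, the datagrams would come from a UDP socket bound to whatever port the router is configured to export to, with each received payload passed to `usage_by_host`.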