[kwlug-disc] Monitoring network spikes (redux?)

Paul Nijjar paul_nijjar at yahoo.ca
Fri Sep 21 13:51:50 EDT 2012


So our network is going crazy with traffic and I don't know why. 

I am looking for some (preferably FLOSS) tool that will be able to
offer some clues. Overall, I want to answer the question "why is the
network getting clogged up and what can I do to fix it?"

Ideally I would be able to get pie charts or bar charts for
things like:

- The IP addresses that are using the most traffic (both source and
  destination)
- Ideally, some indication of what that traffic is (but it all goes
  over port 80, so determining the specific traffic is probably deep
  packet inspection stuff)
- I do not mind logging stuff so I can see how the traffic is changing
  over time, but snapshot information is important too

I have some tools that I currently use: 
- Cacti can show me which interfaces are going crazy, but can't tell
  me specific IPs and cannot tell me much detail about what the
  traffic is
- pfSense has a "pfTop" tool that shows me some information about the
  hoggiest users, but I don't know how to make it tally numbers
- Wireshark can tell me what is going to a particular machine, but it
  does not help if a lot of machines are DDoSing my network with small
  requests
- There is a proprietary Windows tool called "TCPView" which can show 
  some information about a single machine (including a bit of process
  information) but has the same kind of limitations as Wireshark

I tried installing ntop on my pfSense box but that did not work too
well. Is ntop the software I am looking for? Something else?

- Paul

-- 
http://pnijjar.freeshell.org 
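One way to get the "which IPs are using the most traffic" tally the post asks for, without ntop or deep packet inspection, is to capture on the pfSense WAN/LAN interface with tcpdump and aggregate the lines per source, per destination and per flow. The script below is an added example and is not code from the original post or from any of the tools it names. It assumes input in the shape that `tcpdump -nnq` prints (a "tcp N" or "UDP, length N" suffix, where N is the payload size tcpdump reports, not full wire bytes); the sample lines embedded in it are constructed, not captured from a real network. It also counts packets per source separately from bytes, which is what exposes many hosts sending small requests rather than one host sending a lot.

```python
#!/usr/bin/env python3
"""Tally top talkers from tcpdump-style text.

Added example, not part of the original mailing-list post. It assumes
lines in the shape ``tcpdump -nnq`` prints; the SAMPLE below is
constructed for illustration, not real traffic.
"""
import re
import sys
from collections import Counter

# Matches "IP <src>.<sport> > <dst>.<dport>: tcp N" or "...: UDP, length N"
# (assumed tcpdump -nnq format). N is the payload size tcpdump prints.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcp>\d+)|UDP, length (?P<udp>\d+))"
)

# Constructed sample: two big pushes from .10, an empty ACK back, a DNS
# query, and several small requests from .22 and .99, plus one junk line.
SAMPLE = """\
13:51:50.000001 IP 192.168.1.10.54321 > 93.184.216.34.80: tcp 1460
13:51:50.000002 IP 192.168.1.10.54321 > 93.184.216.34.80: tcp 1460
13:51:50.000003 IP 93.184.216.34.80 > 192.168.1.10.54321: tcp 0
13:51:50.000004 IP 192.168.1.22.40000 > 93.184.216.34.80: tcp 52
13:51:50.000005 IP 192.168.1.23.40001 > 10.0.0.5.53: UDP, length 60
13:51:50.000006 IP 192.168.1.99.40002 > 93.184.216.34.80: tcp 52
13:51:50.000007 IP 192.168.1.99.40003 > 93.184.216.34.80: tcp 52
some line tcpdump printed that we do not understand
"""


def parse_line(line):
    """Return (src, dst, dport, size) for one tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # "tcp 0" is a real zero-length packet: the group is "0", which is truthy.
    size = int(m.group("tcp") or m.group("udp"))
    return m.group("src"), m.group("dst"), int(m.group("dport")), size


def tally(lines):
    """Aggregate bytes and packets per source, destination and flow."""
    src_bytes, dst_bytes = Counter(), Counter()
    src_pkts, flow_bytes = Counter(), Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count, do not crash on, unparsable lines
            continue
        src, dst, dport, size = rec
        src_bytes[src] += size
        dst_bytes[dst] += size
        src_pkts[src] += 1        # small-request floods show up here
        flow_bytes[(src, dst, dport)] += size
    return {
        "src_bytes": src_bytes,
        "dst_bytes": dst_bytes,
        "src_pkts": src_pkts,
        "flow_bytes": flow_bytes,
        "skipped": skipped,
    }


def top(counter, n=5):
    """Top-n entries of a Counter as (key, value) pairs, largest first."""
    return counter.most_common(n)


def report(stats, n=5):
    """Print a plain-text leaderboard for each table."""
    total = sum(stats["src_bytes"].values()) or 1
    for name in ("src_bytes", "dst_bytes", "src_pkts", "flow_bytes"):
        print(f"== top {name} ==")
        for key, val in top(stats[name], n):
            pct = f" ({100 * val / total:.0f}%)" if name.endswith("bytes") else ""
            print(f"  {key!s:45} {val:>8}{pct}")
    print(f"skipped {stats['skipped']} unparsable line(s)")


if __name__ == "__main__":
    # Usage: tcpdump -nnq -i em0 | python3 toptalk.py -   (or no arg for SAMPLE)
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    report(tally(source))
```

On the real box this would be fed from `tcpdump -nnq -i <interface>` on pfSense; the sizes it sums are the payload lengths tcpdump prints, so headers and retransmissions are not accounted for, and the script deliberately does nothing with the port-80 payload, which is where the "what is that traffic" question in the post would need inspection.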



