What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How do I differentiate between excessive bandwidth usage with PRTG?

Votes:

2

Your Vote:

Up

Down

How do I configure PRTG to tell me which network devices use most bandwidth?

bandwidth cisco flow general monitoring netflow packet-sniffer prtg sflow toplist

Created on Mar 23, 2010 1:10:28 PM by  Daniel Zobel [Product Manager]

Last change on Dec 2, 2021 8:31:52 AM by  Maike Guba [Paessler Support]



1 Reply

Accepted Answer

Votes:

2

Your Vote:

Up

Down

This article applies as of PRTG 22

How to differentiate between excessive bandwidth usage with PRTG

Apart from normal bandwidth monitoring based on SNMP, PRTG also allows you to differentiate between actual bandwidth usage. This can be based on multiple parameters, such as IP addresses, port numbers, or protocols, using either Packet Sniffer or flow (Netflow, sflow, jflow, and IPFIX) sensors.

Packet Sniffer sensors generally use the host machine's network card. However, they can be configured to use monitoring ports that are found on some networking devices that use port mirroring or forwarding to monitor the overall network bandwidth use. Flow sensors receive data that is forwarded by flow-capable devices, such as Netflow on Cisco devices. See the configuration and implementation methods below.

Packet Sniffer sensors

If you use a device that is equipped with a monitoring port or port mirroring, you can monitor all traffic in your network. While many managed switches do have this feature, most unmanaged switches do not.

Port mirroring is used on a network switch to send a copy of all network packets that are seen on one switch port to a monitoring network connection on another switch port. This is commonly used for network appliances that require network traffic monitoring, such as an intrusion detection system. Port mirroring on a Cisco Systems switch is generally referred to as SPAN.

Note: You can also use an old-fashioned hub. Hubs send all network packets to all ports, but they are a lot slower than switches.

  • Configure the switch(es) to send a copy of all network packets to the IP address of the PRTG core server system.
  • Create a new Packet Sniffer sensor without any filtering to monitor a network's total traffic.

Note: If you have several switches or routers, you may not see all traffic if you only monitor one device.

Further information on setting up Packet Sniffer sensors can be found in PRTG Manual: Monitoring Bandwidth via Packet Sniffing.

Flow (Netflow, sflow, jflow, IPFIX) sensors

Configure the flow protocol on the router to send flow packets to the PRTG core server system:

  • Configure a flow sensor.
  • Create one new flow sensor for each IP address or protocol that you want to monitor. Apply a filter based on the IP address or protocol for each item that you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP address or protocol, you can create just one flow sensor and enable the Toplist feature based on IP address or protocol.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Further information on setting up flow sensors can be found in PRTG Manual: Monitoring Bandwidth via Flows.

Configuring relevant Toplists

Note 1: When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. With Toplists, you can track all single connections of an individual PC to the outside world. As the administrator, you therefore must make sure that it is legal for you to configure PRTG like this.

Note 2: Keep in mind that Toplists are also shown in the PRTG web interface. You may not want to show lists of domains that are used in your network to others. In this case, protect your PRTG web server with passwords.

When you set up a new flow or Packet Sniffer sensor, three Toplists are created automatically:

  • Top Talkers
  • Top Connections
  • Top Protocols

These cover the most basic needs. You can also edit the three Toplists or create additional ones. Use the Add, Edit, and Delete buttons to manage your Toplists.

Further information on editing Toplists can be found in PRTG Manual: Toplists.

Configure the system to use Toplists to differentiate between excessive usage based on IP address

  • Configure the device(s) to send a copy of all network packets to the IP address of the PRTG core server system.
  • Create one new Packet Sniffer or flow Collector sensor for each PC that you want to monitor, and apply a filter based on the MAC address or IP address of each PC that you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP address, you can create just one Packet Sniffer sensor and enable the Toplist feature based on IP address.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Once the relevant sensors have been defined, you can differentiate between bandwidth usage either by comparing the individual sensor data or by monitoring the Toplist entries. Toplists also include an option to show data sorted by previous periods (15 minutes by default). This allows you to determine which machines or users are using more or less bandwidth than in prior scans. Furthermore, Toplists can include listings of visited IP addresses (optionally, DNS resolution can be turned on in the Toplist settings). This allows you to determine which machine or user accessed which server or website.

Note: PRTG cannot block access to any specific IP address range, domain, DNS, or website.

Note: To monitor network traffic by IP address or protocol used by a shared internet connection or leased line, use filtering to exclude LAN IP addresses.

For more information, see:

More

Created on Mar 23, 2010 1:10:42 PM by  Daniel Zobel [Product Manager]

Last change on Jun 29, 2022 7:24:44 AM by  Brandy Greger [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.