How do I configure PRTG to tell me which network devices use most bandwidth?
This article applies to PRTG Network Monitor 19 or later
How to differentiate between excessive bandwidth usage with PRTG
Beyond normal bandwidth monitoring based on SNMP, PRTG allows you to differentiate between actual bandwidth usage. This can be based on multiple parameters, such as IP addresses, port numbers, or protocols, using either Packet Sniffer or xFlow (NetFlow, sFlow, jFlow, and IPFIX) sensors. Packet Sniffer sensors generally use the host machine's network card. However, they can be configured to use monitoring ports that are found on some networking devices that use port mirroring or forwarding in order to monitor the overall network bandwidth utilization. xFlow sensors receive data that is forwarded by Flow-capable devices, such as NetFlow on Cisco devices. The configuration and implementation methods are outlined below.
Packet Sniffer sensors
If you use a device that is equipped with a monitoring port or port mirroring, you can monitor all traffic in your network. Most unmanaged switches do not have this feature, many managed switches do.
Port mirroring is used on a network switch to send a copy of all network packets that are seen on one switch port to a monitoring network connection on another switch port. This is commonly used for network appliances that require network traffic monitoring, such as an intrusion-detection system. Port mirroring on a Cisco Systems switch is generally referred to as SPAN.
Note: You can also use an old-fashioned hub. Hubs send all network packets to all ports, but they are a lot slower than switches.
- Configure the switch(es) to send a copy of all network packets to the IP of the machine that is running PRTG.
- Create a new Packet Sniffer sensor without any filtering to monitor a network's total traffic.
Note: If you have several switches or routers, you may not see all traffic if you only monitor one device.
Further information on setting up Packet Sniffer sensors can be found in PRTG Manual: Monitoring Bandwidth via Packet Sniffing.
xFlow (NetFlow, sFlow, jFlow, IPFIX) sensors
Configure the Flow protocol on the router to send Flow packets to the computer that is running PRTG.
- Configure an xFlow sensor.
- Create one new xFlow sensor for each IP or protocol you want to monitor, and apply a filter based on the IP or protocol for each item you want to monitor.
- Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP or protocol, you can create just one xFlow sensor and enable the Toplist feature based on IP or protocol.
Note: If you have several switches/routers, you may not see all traffic if you only monitor one device
Further information on setting up Flow sensors can be found in PRTG Manual: Monitoring Bandwidth via Flows.
Configuring relevant Toplists
Note 1: When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. By using Toplists, you can track all single connections of an individual PC to the outside world. Therefore you, as the administrator, must make sure that it is legal for you to configure PRTG like this.
Note 2: Keep in mind that Toplists are also shown in the web interface. You may not want to show lists of domains that are used in your network to others. In this case, protect your PRTG web server by using passwords.
When you set up a new xFlow or Packet Sniffer sensor, three Toplists are created automatically:
- Top Talkers
- Top Connections
- Top Protocols
These cover the most basic needs. You can also edit the three Toplists or create additional ones. Use the Add, Edit, and Delete buttons to manage your Toplists.
Further information on editing Toplists can be found in PRTG Manual: Toplists.
Configure the system to use Toplists to differentiate between excessive usage based on IP address
- Configure the device(s) to send a copy of all network packets to the IP of the machine that is running PRTG.
- Create one new Packet Sniffer or xFlow Collector sensor for each PC you want to monitor, and apply a filter based on the MAC address or IP of each PC you want to monitor.
- Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP, you can create just one Packet Sniffer sensor and enable the Toplist feature based on IP.
Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.
Once the relevant sensors have been defined, you can differentiate between bandwidth usage either by comparing the individual sensor data or by monitoring the Toplist entries. Toplists also include an option to show data sorted by previous periods (15 minutes by default). This allows you to determine at a glance which machines or users are using more or less bandwidth than in prior scans. Furthermore, Toplists can include listings of visited IP addresses (optionally, DNS resolution can be turned on in the Toplist settings). This allows you to determine which machine or user accessed which server or website.
Note: PRTG cannot block access to any specific IP range, domain, DNS, or website!
Note: To monitor network traffic by IP address or protocol used by a shared internet connection or leased line, select "filtering" to exclude LAN IP addresses.
For more information, see:
- PRTG Manual: Filter Rules for xFlow, IPFIX, and Packet Sniffer Sensors
- PRTG Manual: Channel Definitions for xFlow, IPFIX, and Packet Sniffer Sensors
- What does the 'other'-entry in my TopConnections/TopTalkers mean?
- Do you have any configuration tips for Cisco routers and PRTG?
- Should I use SNMP, xFlow (IPFIX/NetFlow/sFlow) or Packet Sniffing for my monitoring?
- Website: Infographic: Comparison of SNMP, Packet Sniffing and NetFlow
- PRTG Manual: Bandwidth Monitoring Comparison