How do I configure PRTG to tell me which network devices use most bandwidth?
This article applies as of PRTG 21
How to differentiate between excessive bandwidth usage with PRTG
Apart from normal bandwidth monitoring based on SNMP, PRTG also lets you break down actual bandwidth usage by multiple parameters, such as IP addresses, port numbers, or protocols, using either Packet Sniffer or flow (NetFlow, sFlow, jFlow, and IPFIX) sensors.
Packet Sniffer sensors generally use the host machine's network card. However, they can be configured to use monitoring ports that are found on some networking devices that use port mirroring or forwarding to monitor the overall network bandwidth use. Flow sensors receive data that is forwarded by Flow-capable devices, such as NetFlow on Cisco devices. See the configuration and implementation methods below.
Packet Sniffer sensors
If you use a device that is equipped with a monitoring port or port mirroring, you can monitor all traffic in your network. While many managed switches do have this feature, most unmanaged switches do not.
Port mirroring is used on a network switch to send a copy of all network packets that are seen on one switch port to a monitoring network connection on another switch port. This is commonly used for network appliances that require network traffic monitoring, such as an intrusion detection system. Port mirroring on a Cisco Systems switch is generally referred to as SPAN.
Note: You can also use an old-fashioned hub. Hubs send all network packets to all ports, but they are a lot slower than switches.
- Configure the switch(es) to send a copy of all network packets to the IP address of the machine that is running PRTG.
- Create a new Packet Sniffer sensor without any filtering to monitor a network's total traffic.
Note: If you have several switches or routers, you may not see all traffic if you only monitor one device.
Further information on setting up Packet Sniffer sensors can be found in PRTG Manual: Monitoring Bandwidth via Packet Sniffing.
Flow (NetFlow, sFlow, jFlow, IPFIX) sensors
Configure the Flow protocol on the router to send Flow packets to the computer that is running PRTG:
- Configure a flow sensor.
- Create one new flow sensor for each IP address or protocol you want to monitor. Apply a filter based on the IP address or protocol for each item you want to monitor.
- Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP address or protocol, you can create just one flow sensor and enable the Toplist feature based on IP address or protocol.
Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.
Further information on setting up Flow sensors can be found in PRTG Manual: Monitoring Bandwidth via Flows.
Configuring relevant Toplists
Note 1: When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. With Toplists, you can track all single connections of an individual PC to the outside world. As the administrator, you must therefore make sure that it is legal for you to configure PRTG like this.
Note 2: Keep in mind that Toplists are also shown in the web interface. You may not want to show lists of domains that are used in your network to others. In this case, protect your PRTG web server with passwords.
When you set up a new flow or Packet Sniffer sensor, three Toplists are created automatically:
- Top Talkers
- Top Connections
- Top Protocols
These cover the most basic needs. You can also edit the three Toplists or create additional ones. Use the Add, Edit, and Delete buttons to manage your Toplists.
Further information on editing Toplists can be found in PRTG Manual: Toplists.
Configure the system to use Toplists to differentiate between excessive usage based on IP address
- Configure the device(s) to send a copy of all network packets to the IP address of the machine that is running PRTG.
- Create one new Packet Sniffer or Flow Collector sensor for each PC you want to monitor, and apply a filter based on the MAC address or IP address of each PC you want to monitor.
- Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP address, you can create just one Packet Sniffer sensor and enable the Toplist feature based on IP address.
Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.
Once the relevant sensors have been defined, you can differentiate between bandwidth usage either by comparing the individual sensor data or by monitoring the Toplist entries. Toplists also include an option to show data sorted by previous periods (15 minutes by default). This allows you to determine at a glance which machines or users are using more or less bandwidth than in prior scans. Furthermore, Toplists can include listings of visited IP addresses (optionally, DNS resolution can be turned on in the Toplist settings). This allows you to determine which machine or user accessed which server or website.
Note: PRTG cannot block access to any specific IP range, domain, DNS, or website.
Note: To monitor network traffic by IP address or protocol used by a shared internet connection or leased line, select filtering to exclude LAN IP addresses.
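The following is an added illustration, not PRTG code and not taken from the PRTG manual. It shows the idea behind a Top Talkers list: per-host byte totals for one 15-minute period, with LAN-to-LAN traffic excluded, compared against the previous period. The flow records, the 192.168.1.0/24 LAN range, and the function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records: (seconds, src_ip, dst_ip, protocol, bytes)
FLOWS = [
    (0,    "192.168.1.10", "203.0.113.5",  "TCP", 400_000),
    (60,   "192.168.1.11", "198.51.100.7", "TCP", 150_000),
    (120,  "192.168.1.10", "192.168.1.20", "TCP", 900_000),    # LAN-to-LAN
    (900,  "192.168.1.11", "198.51.100.7", "TCP", 700_000),
    (960,  "203.0.113.5",  "192.168.1.10", "TCP", 100_000),
    (1000, "192.168.1.12", "198.51.100.9", "UDP", 50_000),
    (1100, "192.168.1.13", "192.168.1.10", "UDP", 2_000_000),  # LAN-to-LAN
]
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
PERIOD = 15 * 60                              # 15-minute periods, in seconds


def is_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def top_talkers(flows, period_index, exclude_lan=True, n=3):
    """Bytes per LAN host in one period, counting both traffic directions."""
    totals = Counter()
    for ts, src, dst, _proto, nbytes in flows:
        if ts // PERIOD != period_index:
            continue
        # Drop internal traffic so only the shared uplink is accounted for.
        if exclude_lan and is_lan(src) and is_lan(dst):
            continue
        for ip in (src, dst):
            if is_lan(ip):
                totals[ip] += nbytes
    return totals.most_common(n)


def compare_periods(flows, current, previous):
    """Change in bytes per host between two periods (positive = more now)."""
    now = dict(top_talkers(flows, current, n=None))
    before = dict(top_talkers(flows, previous, n=None))
    hosts = sorted(set(now) | set(before))
    return {ip: now.get(ip, 0) - before.get(ip, 0) for ip in hosts}


if __name__ == "__main__":
    print("current :", top_talkers(FLOWS, 1))
    print("unfiltered:", top_talkers(FLOWS, 1, exclude_lan=False))
    print("delta   :", compare_periods(FLOWS, 1, 0))
```

Without the LAN exclusion, the internal 2 MB transfer puts 192.168.1.10 and 192.168.1.13 at the top of the list even though they are not the heaviest users of the internet connection.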
For more information, see:
- PRTG Manual: Filter Rules for Flow, IPFIX, and Packet Sniffer Sensors
- PRTG Manual: Channel Definitions for Flow, IPFIX, and Packet Sniffer Sensors
- What does the 'other'-entry in my TopConnections/TopTalkers mean?
- Do you have any configuration tips for Cisco routers and PRTG?
- Should I use SNMP, Flow (IPFIX/NetFlow/sFlow) or Packet Sniffing for my monitoring?
- PRTG Manual: Bandwidth Monitoring Comparison
- Infographic: Comparison of SNMP, Packet Sniffing and NetFlow