How do I differentiate between excessive bandwidth usage with PRTG?

Votes:

2


How do I configure PRTG to tell which network devices use most bandwidth?

bandwidth cisco general monitoring netflow packet-sniffer prtg sflow toplist xflow

Created on Mar 23, 2010 1:10:28 PM by  Daniel Zobel [Paessler Support]

Last change on Apr 10, 2019 9:47:46 AM by  Maike Behnsen [Paessler Support]



1 Reply

Accepted Answer

Votes:

2


This article applies to PRTG Network Monitor 19 or later

How to Differentiate between Excessive Bandwidth Usage with PRTG

Beyond normal bandwidth monitoring based on SNMP, PRTG allows administrators to differentiate between actual bandwidth usage. This can be based on multiple parameters, such as IP addresses, port numbers, or protocols, using either Packet Sniffing or xFlow (NetFlow, sFlow, jFlow, and IPFIX) sensors. Packet Sniffer sensors generally use the host machine's network card. However, they can be configured to use monitoring ports that are found on some networking devices that use port mirroring / forwarding in order to monitor the overall network bandwidth utilization. xFlow sensors receive data that is forwarded by Flow-capable devices, such as NetFlow on Cisco devices. The configuration and implementation methods are outlined below.

Packet Sniffer Sensors

If you use a device that is equipped with a "monitoring port" or "port mirroring", you can monitor all traffic in your network. Most unmanaged switches do not have this feature; many managed switches do.

Port mirroring is used on a network switch to send a copy of all network packets that are seen on one switch port to a monitoring network connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system. Port mirroring on a Cisco Systems switch is generally referred to as SPAN.

Note: You can also use an old-fashioned hub. Hubs send all network packets to all ports, but they are a lot slower than switches.

  • Configure the switch(es) to send a copy of all network packets to the IP of the machine that is running PRTG.
  • Create a new Packet Sniffer Sensor without any filtering to monitor a network's total traffic.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Further information on setting up Packet Sniffer sensors can be found in the user manual section Monitoring Bandwidth via Packet Sniffing.

xFlow (NetFlow, sFlow, jFlow, IPFIX) Sensors

Configure the Flow protocol on the router to send Flow packets to the computer that is running PRTG.

  • Configure a Flow sensor in PRTG.
  • Create one new Flow sensor for each IP or protocol to be monitored, and apply a filter based on the IP or protocol for each item you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP or protocol, you can create just one Flow sensor and enable the Toplist feature based on IP or protocol.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Further information on setting up Flow sensors can be found in the user manual section Monitoring Bandwidth via Flows.

Configuring Relevant Toplists

Note 1: When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. By using Toplists, you can track all single connections of an individual PC to the outside world. Therefore you, as the administrator, must make sure that it is legal for you to configure PRTG like this.

Note 2: Keep in mind that Toplists are also shown in the web interface. You may not want to show lists of domains that are used in your network to others. In this case, protect your PRTG web server by using passwords.

When you set up a new Flow or Packet Sniffer sensor, three Toplists are created automatically:

  • Top Talkers
  • Top Connections
  • Top Protocols

This covers the most basic needs. You can also edit the three Toplists or create additional ones. Use the Add, Edit, and Delete buttons to manage your Toplists.

Further information on editing Toplists can be found in the manual section Toplists.

Configure the System to Use Toplists in order to Differentiate between Excessive Usage Based on IP Address

  • Configure the device(s) to send a copy of all network packets to the IP of the machine that is running PRTG.
  • Create one new Packet Sniffer / Flow Collector sensor for each PC to be monitored, and apply a filter based on the MAC address or IP of each PC you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP, you can create just one Packet Sniffer sensor and enable the Toplist feature based on IP.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Once the relevant sensors have been defined, you can differentiate between bandwidth usage either by comparing the individual sensor data or by monitoring the Toplist entries. Toplists also include an option to show data by previous periods (15 minutes by default). This allows the administrator to determine at a glance which machines/users are using more/less bandwidth than in prior scans. Furthermore, Toplists can include listings of visited IP addresses (optionally, DNS resolution can be turned on in the Toplist settings). This allows you to determine which machine/user accessed which server/website.

Note: PRTG cannot block access to any specific IP range, domain, DNS, or website!

Note: In order to monitor network traffic by IP address or protocol used by a shared Internet connection or leased line, select "filtering" to exclude LAN IP addresses.


Created on Mar 23, 2010 1:10:42 PM by  Daniel Zobel [Paessler Support]

Last change on Apr 12, 2019 11:19:17 AM by  Maike Behnsen [Paessler Support]
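The Toplist logic described in the answer above (per-IP totals, LAN-only traffic filtered out, comparison with the previous 15-minute period), sketched as an added example that is not PRTG code and not part of the original answer. The flow records, the LAN range 192.168.1.0/24 and all function names are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

PERIOD = 15 * 60  # seconds; the default Toplist period mentioned in the answer
LAN_NETS = [ip_network("192.168.1.0/24")]  # assumed LAN range for this example

# Constructed flow records: (unix_time, src_ip, dst_ip, protocol, bytes)
FLOWS = [
    (0,    "192.168.1.10", "203.0.113.5",  "TCP", 4_000_000),
    (120,  "192.168.1.11", "198.51.100.7", "TCP", 1_000_000),
    (300,  "192.168.1.10", "192.168.1.20", "TCP", 9_000_000),  # LAN-to-LAN
    (950,  "192.168.1.10", "203.0.113.5",  "TCP", 5_000_000),
    (1000, "192.168.1.11", "198.51.100.7", "UDP", 30_000_000),
    (1500, "203.0.113.5",  "192.168.1.12", "TCP", 2_000_000),
]

def is_lan(addr):
    """True if addr belongs to one of the configured LAN ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def local_host(src, dst):
    """Return the LAN endpoint of a flow that crosses the LAN boundary, else None."""
    s, d = is_lan(src), is_lan(dst)
    if s == d:  # LAN-to-LAN or external-to-external: filtered out
        return None
    return src if s else dst

def top_talkers(flows, period_index):
    """Bytes per LAN host over the shared uplink in one period, largest first."""
    totals = defaultdict(int)
    for ts, src, dst, _proto, nbytes in flows:
        if ts // PERIOD != period_index:
            continue
        host = local_host(src, dst)
        if host:
            totals[host] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def compare_periods(flows, period_index):
    """(host, bytes_now, change_vs_previous_period) for each current talker."""
    prev = dict(top_talkers(flows, period_index - 1))
    return [(host, now, now - prev.get(host, 0))
            for host, now in top_talkers(flows, period_index)]

if __name__ == "__main__":
    for host, now, delta in compare_periods(FLOWS, 1):
        print(f"{host:15} {now:>12,} bytes  ({delta:+,} vs previous period)")
```
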




