New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


How do I differentiate between excessive bandwidth usage with PRTG?

Votes:

2

Your Vote:

Up

Down

How do I configure PRTG to tell me which network devices use most bandwidth?

bandwidth cisco general monitoring netflow packet-sniffer prtg sflow toplist xflow

Created on Mar 23, 2010 1:10:28 PM by  Daniel Zobel [Paessler Support]

Last change on May 6, 2019 12:04:23 PM by  Maike Behnsen [Paessler Support]



1 Reply

Accepted Answer

Votes:

2

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 19 or later

How to Differentiate between Excessive Bandwidth Usage with PRTG

Beyond normal bandwidth monitoring based on SNMP, PRTG allows you to differentiate between actual bandwidth usage. This can be based on multiple parameters, such as IP addresses, port numbers, or protocols, using either Packet Sniffer or xFlow (NetFlow, sFlow, jFlow, and IPFIX) sensors. Packet Sniffer sensors generally use the host machine's network card. However, they can be configured to use monitoring ports that are found on some networking devices that use port mirroring or forwarding in order to monitor the overall network bandwidth utilization. xFlow sensors receive data that is forwarded by Flow-capable devices, such as NetFlow on Cisco devices. The configuration and implementation methods are outlined below.

Packet Sniffer Sensors

If you use a device that is equipped with a monitoring port or port mirroring, you can monitor all traffic in your network. Most unmanaged switches do not have this feature, many managed switches do.

Port mirroring is used on a network switch to send a copy of all network packets that are seen on one switch port to a monitoring network connection on another switch port. This is commonly used for network appliances that require network traffic monitoring, such as an intrusion-detection system. Port mirroring on a Cisco Systems switch is generally referred to as SPAN.

Note: You can also use an old-fashioned hub. Hubs send all network packets to all ports, but they are a lot slower than switches.

  • Configure the switch(es) to send a copy of all network packets to the IP of the machine that is running PRTG.
  • Create a new Packet Sniffer sensor without any filtering to monitor a network's total traffic.

Note: If you have several switches or routers, you may not see all traffic if you only monitor one device.

Further information on setting up Packet Sniffer sensors can be found in PRTG Manual: Monitoring Bandwidth via Packet Sniffing.

xFlow (NetFlow, sFlow, jFlow, IPFIX) Sensors

Configure the Flow protocol on the router to send Flow packets to the computer that is running PRTG.

  • Configure an xFlow sensor.
  • Create one new xFlow sensor for each IP or protocol you want to monitor, and apply a filter based on the IP or protocol for each item you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP or protocol, you can create just one xFlow sensor and enable the Toplist feature based on IP or protocol.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device

Further information on setting up Flow sensors can be found in PRTG Manual: Monitoring Bandwidth via Flows.

Configuring Relevant Toplists

Note 1: When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. By using Toplists, you can track all single connections of an individual PC to the outside world. Therefore you, as the administrator, must make sure that it is legal for you to configure PRTG like this.

Note 2: Keep in mind that Toplists are also shown in the web interface. You may not want to show lists of domains that are used in your network to others. In this case, protect your PRTG web server by using passwords.

When you set up a new xFlow or Packet Sniffer sensor, three Toplists are created automatically:

  • Top Talkers
  • Top Connections
  • Top Protocols

These cover the most basic needs. You can also edit the three Toplists or create additional ones. Use the Add, Edit, and Delete buttons to manage your Toplists.

Further information on editing Toplists can be found in PRTG Manual: Toplists.

Configure the System to Use Toplists to Differentiate between Excessive Usage Based on IP Address

  • Configure the device(s) to send a copy of all network packets to the IP of the machine that is running PRTG.
  • Create one new Packet Sniffer or xFlow Collector sensor for each PC you want to monitor, and apply a filter based on the MAC address or IP of each PC you want to monitor.
  • Or: If you do not need long-term accounting data for each PC, and only want to know the current and recent traffic by IP, you can create just one Packet Sniffer sensor and enable the Toplist feature based on IP.

Note: If you have several switches/routers, you may not see all traffic if you only monitor one device.

Once the relevant sensors have been defined, you can differentiate between bandwidth usage either by comparing the individual sensor data or by monitoring the Toplist entries. Toplists also include an option to show data sorted by previous periods (15 minutes by default). This allows you to determine at a glance which machines or users are using more or less bandwidth than in prior scans. Furthermore, Toplists can include listings of visited IP addresses (optionally, DNS resolution can be turned on in the Toplist settings). This allows you to determine which machine or user accessed which server or website.

Note: PRTG cannot block access to any specific IP range, domain, DNS, or website!

Note: To monitor network traffic by IP address or protocol used by a shared internet connection or leased line, select "filtering" to exclude LAN IP addresses.

For more information, see:

See also

Created on Mar 23, 2010 1:10:42 PM by  Daniel Zobel [Paessler Support]

Last change on May 20, 2019 11:03:38 AM by  Brandy Greger [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.