PRTG Manual: Monitoring Bandwidth via Packet Sniffing

Packet sniffing comes into consideration if your network devices do not support the Simple Network Management Protocol (SNMP) or Flow (NetFlow, jFlow, sFlow, IPFIX) to measure bandwidth usage and if you need to differentiate the bandwidth usage by network protocol and/or IP addresses.

i_round_bluePacket Sniffer sensors support Toplists (for example, Top Talkers or Top Connections).

How Packet Sniffing Works

If you need to know what applications or IP addresses cause the traffic in your network, you can use a packet sniffer. A packet sniffer looks at every single data package that travels through your network for accounting purposes.

Monitoring with PRTG via Packet Sniffer Sensors

Monitoring with PRTG via Packet Sniffer Sensors

PRTG can analyze the packets that pass the network card of a PC or you can connect it to the monitoring port of a switch. To calculate bandwidth usage, PRTG inspects all network data packets either passing the PC's network card (shown on the left side in the schema above) or the data packages that a monitoring port of a switch (right side) sends with its built-in packet sniffer. Using remote probes, you can set up packet sniffers anywhere in your network.

i_round_bluePacket Sniffer sensors use the npcap library to monitor traffic.

i_square_cyanFor more information, see section Add Remote Probe.

Comparing the four bandwidth monitoring technologies that PRTG provides (SNMP, Windows Management Instrumentation (WMI), flows, and packet sniffing), packet sniffing creates the most CPU and network load, so you should only use it in small to medium-sized networks, on dedicated computers for larger networks, or for individual computers.

Reasons to Choose Packet Sniffing

It is important to understand that the packet sniffer can only access and inspect data packages that actually flow through the network interfaces of the probe system. This is fine if you only want to monitor the traffic of this machine (for example, your web server). In switched networks, only the traffic for a specific machine is sent to each machine's network card, so PRTG usually cannot discern the traffic of the other machines in the network.

If you also want to monitor the traffic of other devices in your network, you must use a switch that offers a monitoring port or port mirroring configuration (Cisco calls it Switched Port Analyzer (SPAN)). In this case, the switch sends a copy to the monitoring port of all data packages traveling through the switch. As soon as you connect one of the probe system's network cards to the switch's monitoring port, PRTG can analyze the entire traffic that passes through the switch.

An alternative is to set up the PRTG core server system as the gateway for all other computers in the network.

Packet Sniffer Sensors

PRTG offers the following packet sniffer sensors:

Header-Based Packet Sniffing

For packet sniffing, PRTG looks at the IP addresses and ports of source and destination to assess the protocol. This is a very fast method and saves system resources.

i_round_blueSometimes, this method is not fully accurate. For example, it is not possible to identify HTTP traffic on ports other than 80, 8080, and 443 as HTTP. HTTP traffic on non-standard ports would not be accounted as such.


i_square_blueKNOWLEDGE BASE

How can I change the default groups and channels for flow and Packet Sniffer sensors?