PRTG Manual: Monitoring Bandwidth via Packet Sniffing
Packet sniffing comes into consideration if your network devices do not support the Simple Network Management Protocol (SNMP) or xFlow (NetFlow, jFlow, sFlow, IPFIX) to measure bandwidth usage and if you need to differentiate the bandwidth usage by network protocol and/or IP addresses.
Packet Sniffer sensors support Toplists (for example, Top Talkers or Top Connections).
If you need to know what applications or IP addresses cause the traffic in your network, you can use a packet sniffer. A packet sniffer looks at every single data packages that travels through your network for accounting purposes.
PRTG can analyze the packets passing the network card of a PC or you can connect it to the monitoring port of a switch. To calculate bandwidth usage, PRTG inspects all network data packets either passing the PC's network card (shown on the left side in the schema above) or the data packages that a monitoring port of a switch (right side) sends with its built-in packet sniffer. Using remote probes, you can set up packet sniffers anywhere in your network.
Packet Sniffer sensors use the npcap library to monitor traffic.
For more information, see section Add Remote Probe.
Comparing the four bandwidth monitoring technologies that PRTG provides (SNMP, Windows Management Instrumentation (WMI), xFlow, and packet sniffing), packet sniffing creates the most CPU and network load, so you should only use it in small to medium-sized networks, on dedicated computers for larger networks, or for individual computers.
It is important to understand that the packet sniffer can only access and inspect data packages that actually flow through the network interfaces of the machine running the PRTG probe software. This is fine if you only want to monitor the traffic of this machine (for example, your web server). In switched networks, only the traffic for a specific machine is sent to each machine's network card, so PRTG usually cannot discern the traffic of the other machines in the network.
If you also want to monitor the traffic of other devices in your network, you must use a switch that offers a monitoring port or port mirroring configuration (Cisco calls it Switched Port Analyzer (SPAN)). In this case, the switch sends a copy to the monitoring port of all data packages traveling through the switch. As soon as you connect one of the PRTG probe system's network cards to the switch's monitoring port, PRTG is able to analyze the entire traffic that passes through the switch.
Another option is to set up the PC running PRTG as the gateway for all other computers in the network.
Find details on how to set up the different flow sensors in the following sections:
For packet sniffing, PRTG looks at the IP addresses and ports of source and destination to assess the protocol. This is a very fast method and saves system resources.
Sometimes, this method is not fully accurate. For example, it is not possible to identify HTTP traffic on ports other than 80, 8080, and 443 as HTTP. HTTP traffic on non-standard ports would not be accounted as such.
Knowledge Base: How can I change the default groups and channels for xFlow and Packet Sniffer sensors?