The page below is from the manual of PRTG, our quick-to-install and easy-to-use network monitoring software
Try PRTG now and see how it can make your job easier.
PRTG Manual: Monitoring Bandwidth via Packet Sniffing
Packet Sniffing comes into consideration if your network device(s) do not support SNMP or xFlow to measure bandwidth usage and if you need to differentiate the bandwidth usage by network protocol and/or IP addresses.
Note: Packet Sniffer sensors support Toplists (Top Talkers, Top Connections, etc.).
If you need to know what applications or IP addresses cause the traffic in your network, you can use a packet sniffer. A packet sniffer looks at every single data package that travels through your network for accounting purposes.
Click here to enlarge: http://media.paessler.com/prtg-screenshots/data-acquisition-using-packet-sniffing-lan.png
PRTG can analyze the packets passing the network card of a PC or you can connect it to the monitoring port of a switch. To calculate bandwidth usage, PRTG inspects all network data packets either passing the PC's network card (shown on the left side in the schema above) or the data packages that a monitoring port of a switch (right side) sends with its built-in packet sniffer. Using remote probes, you can set up packet sniffers anywhere in your network (see Add Remote Probe section).
Comparing the four bandwidth monitoring technologies which PRTG provides (SNMP, WMI, xFlow, and packet sniffer) this one creates the most CPU and network load, so you should only use it in small to medium networks, on dedicated computers for larger networks or for individual computers.
It is important to understand that the packet sniffer can only access and inspect data packages that actually flow through the network interface(s) of the machine running the PRTG probe software. This is fine if you only want to monitor the traffic of this machine (e.g., your web server). In switched networks, only the traffic for a specific machine is sent to each machine's network card, so PRTG can usually not discern the traffic of the other machines in the network.
If you also want to monitor the traffic of other devices in your network, you must use a switch that offers a monitoring port or port mirroring configuration (Cisco calls it SPAN ). In this case, the switch sends a copy to the monitoring port of all data packages traveling through the switch. As soon as you connect one of the PRTG probe system's network cards to the switch's monitoring port, PRTG is able to analyze the complete traffic that passes through the switch.
Another option is to set up the PC running PRTG as the gateway for all other computers in the network.
Find details on how to set up the different flow sensors in the following sections:
For packet sniffing, PRTG looks at the IP addresses and ports of source and destination to assess the protocol. This is a very fast method which saves system resources.
Note: Sometimes, this method is not fully accurate. For example, it is not possible to identify HTTP traffic on ports other than 80 , 8080 and 443 as HTTP. HTTP traffic on non-standard ports would not be accounted as such.
Knowledge Base: How can I change the default groups and channels for xFlow and Packet Sniffer sensors?
- Monitoring via SNMP
- Monitoring via WMI
- Monitoring via SSH
- Monitoring Bandwidth via Packet Sniffing
- Monitoring Bandwidth via Flows
- Bandwidth Monitoring Comparison
- Monitoring Quality of Service
- Monitoring Email Round Trip
- Monitoring Backups
- Monitoring Virtual Environments
- Monitoring Databases
- Monitoring Syslogs and SNMP Traps