In many cases, we need to know not only the total bandwidth of a connection (a communication line or a server port), but also who exactly the consumers are, that is, from which IP addresses and port numbers the traffic is coming. In this recipe, we will see how to measure it.
To see this, you can either use tools that collect the data from the switch (RMON1, RMON2, sFlow) or from the router (Cisco NetFlow or Juniper J-Flow), or use Wireshark on a port mirror of the communication link, which is what we will learn in this recipe.
To get the traffic distribution with Wireshark, connect a laptop to a port mirror of the link you wish to monitor and start a packet capture. You can also use the tshark command from the CLI.
For basic statistics on users and applications that are using the communications link, perform the following steps:
With Wireshark, as we learned in Chapter 1, Introducing Wireshark, we capture the data from the mirrored link and analyze it on the capturing station itself.
With NetFlow, J-Flow, and similar applications that collect data on the router, the router periodically exports the collected flow records to a collector or management console that analyzes them; the analysis station never sees the packets, only the per-flow summaries.
With Remote Monitoring 1 (RMON1) and Remote Monitoring 2 (RMON2), when the switch supports them, you access the data with SNMP software that reads the RMON1/RMON2 MIBs. RMON1 provides you with layer 1 and 2 statistics, while RMON2, when implemented, provides statistics from layer 3 upwards (network-layer and application-layer hosts and conversations). The main RMON standards were published in RFCs 2613, 2819, 3577, and 4502. Various other applications and devices, such as firewalls, Intrusion Detection Systems (IDS), Deep Packet Inspection (DPI) devices, and WAN accelerators, keep their own per-user and per-application statistics; in that case you read the data from the monitored device itself.
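The following Python script is an added example, not code from the book, showing what Wireshark's Statistics > Endpoints and Statistics > Conversations tools compute from a capture taken on the mirror port: bytes per IP address, bytes and packets per IP:port pair, and the resulting bit rate per consumer. It builds a small, constructed pcap file in memory (Ethernet/IPv4 with TCP and UDP), parses it back with the standard library only, and aggregates it; the hosts, ports, and packet sizes are invented for the demonstration.

```python
import struct
from collections import defaultdict

# Constructed sample traffic: (timestamp, src_ip, dst_ip, proto, sport, dport, payload_len).
# A client pulling a page over 443, a DNS lookup, and a small HTTP exchange.
SAMPLE_PACKETS = [
    (100.000, "10.0.0.5", "192.168.1.10", 6, 51234, 443, 0),      # SYN
    (100.001, "192.168.1.10", "10.0.0.5", 6, 443, 51234, 0),      # SYN/ACK
    (100.010, "10.0.0.5", "192.168.1.10", 6, 51234, 443, 200),    # request
    (100.050, "192.168.1.10", "10.0.0.5", 6, 443, 51234, 1400),   # bulk reply
    (100.060, "192.168.1.10", "10.0.0.5", 6, 443, 51234, 1400),
    (100.070, "192.168.1.10", "10.0.0.5", 6, 443, 51234, 1400),
    (100.200, "10.0.0.7", "8.8.8.8", 17, 40000, 53, 40),           # DNS query
    (100.230, "8.8.8.8", "10.0.0.7", 17, 53, 40000, 120),          # DNS reply
    (101.000, "10.0.0.7", "192.168.1.10", 6, 50000, 80, 300),      # HTTP request
    (101.500, "192.168.1.10", "10.0.0.7", 6, 80, 50000, 900),      # HTTP reply
]

PCAP_MAGIC = 0xA1B2C3D4
ETH_HDR_LEN = 14


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_pcap(packets):
    """Write a pcap (LINKTYPE_ETHERNET) with IPv4 + TCP (proto 6) or UDP frames.
    Only what the parser below needs is filled in; checksums are left zero."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, proto, sport, dport, plen in packets:
        if proto == 6:
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        else:
            l4 = struct.pack("!HHHH", sport, dport, 8 + plen, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + plen, 0, 0, 64,
                         proto, 0, _ip_bytes(src), _ip_bytes(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"\x00" * plen
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, proto, sport, dport, frame_len) for IPv4 frames."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    assert linktype == 1, "this example handles Ethernet captures only"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # non-IPv4 frames are skipped here
        ip = frame[ETH_HDR_LEN:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport = dport = None
        if proto in (6, 17):          # TCP/UDP: ports are the first two L4 fields
            sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield sec + usec / 1e6, src, dst, proto, sport, dport, len(frame)


def endpoint_stats(records):
    """Bytes sent/received per IP address, like Statistics > Endpoints > IPv4."""
    stats = defaultdict(lambda: {"tx_bytes": 0, "rx_bytes": 0, "packets": 0})
    for _, src, dst, _, _, _, flen in records:
        stats[src]["tx_bytes"] += flen
        stats[src]["packets"] += 1
        stats[dst]["rx_bytes"] += flen
        stats[dst]["packets"] += 1
    return dict(stats)


def conversation_stats(records):
    """Bytes, packets and duration per IP:port pair, like Statistics > Conversations.
    The key is direction-independent, so both directions of a flow are merged."""
    convs = {}
    for ts, src, dst, proto, sport, dport, flen in records:
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)
        c = convs.setdefault(key, {"bytes": 0, "packets": 0, "first": ts, "last": ts})
        c["bytes"] += flen
        c["packets"] += 1
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
    return convs


def top_talkers(convs, n=3):
    """Conversations ranked by total bytes, with average bits/s over their lifetime."""
    ranked = [(key, c["bytes"], c["bytes"] * 8 / max(c["last"] - c["first"], 1e-6))
              for key, c in convs.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    recs = list(parse_pcap(build_pcap(SAMPLE_PACKETS)))
    for ip, s in sorted(endpoint_stats(recs).items(), key=lambda kv: -kv[1]["tx_bytes"]):
        print(f"{ip:15} tx={s['tx_bytes']:6} rx={s['rx_bytes']:6} pkts={s['packets']}")
    for key, nbytes, bps in top_talkers(conversation_stats(recs)):
        proto, ipa, pa, ipb, pb = key
        print(f"proto {proto:2} {ipa}:{pa} <-> {ipb}:{pb}  {nbytes} bytes  {bps/1000:.1f} kbit/s")
```

On a real capture the same numbers come straight from tshark, for example `tshark -r capture.pcap -q -z endpoints,ip -z conv,tcp -z conv,udp`, or live on the mirror port with `tshark -i eth0 -q -z conv,ip`. Two caveats when comparing with the Wireshark GUI: the byte counts are frame lengths as captured (FCS is normally already stripped by the NIC), and the bit rate above is averaged over the conversation's own lifetime, so a short burst shows a high rate even if it barely registers on the link's overall utilization graph.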
Additional information on these protocols can be found at:
Cisco NetFlow: http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
NetFlow version 9 export format (RFC 3954): http://www.ietf.org/rfc/rfc3954.txt
sFlow (RFC 3176): http://www.ietf.org/rfc/rfc3176.txt