Using The ET/BWMGR Traffic Analysis Tool

What is the Traffic Analysis Tool?

The Traffic Analysis Tool (aka the System Monitor) is a powerful tool that allows you to view the traffic on your network based on various criteria. By using the system monitor you can see what's "going on" on your network which can greatly enhance your ability to understand your bandwidth management requirements. The monitor allows you "view" all activity on your network even if you don't have any rules defined, or if the activity doesn't match any of your rules.

The Main Panel

The tool includes several "canned" tests that can be used easily by selecting a report type from the GUI menu. The main Monitor panel allows you to select the interface on which to do the tests, the report to run, the duration of the report and some other tuning parameters.

The first tuning parameter is the Report Duration. This is simply the length of time, in seconds, to run the test. This allows you to start a test and then come back later and view the results. Taking snapshots of specific periods of time is a good way to look at your network. The traffic analysis tool uses a lot of CPU power, so its not a good idea to run reports continuously. You can run a very long report by entering a large number in this field, but its not recommended at high traffic levels.

The second parameter is the Max Depth. This specified that maximum number of objects to look at. For a protocol report, this is not an issue as you likely dont have that many distict protocols running. However for IP address test, or IP/Port combinations, you could have a very large number of distinct objects, most of which will have little traffic. The max depth parameter allows you to only look at a certain number of most active objects. Too large a number may cause your machine to overload. If you have plenty of CPU or low traffic levels you can safely increase this number, but with heavy loads or on an older machine you should do so with caution.

The Display parameter indicates how many results (maximum) that you want displayed. As you will see, the Monitor always displays its results in descending order of occurance. So, for example, a setting of 25 on an IP address report will display the 25 most active IP addresses.

Filters

Filters can be used to either "include" or "exclude" certain addresses or types of data from the gathering process. For example you may want to exclude your server from an IP address report as its likely to be included in all transactions. Or you may want to do a protocol report for a specific IP or subnet. Following is the filters menu:

To add a filter, enter the information in the text boxes. The first field under "Filterset" is a name that can be used to save a pre-defined filterset in your configuration database (mySQL required). If no name is specified, the filters will only be stored locally and you won't be able to recall them for later use. Enter the filters that you want to enforce, using a ~ before any "negative" filters:

In the sample above, two local filters have been set. Only TCP traffic with IP addresses that are NOT in the 10.1.1 class C would be shown. You can have up to 25 filters in each column.

Note that if you want to save a filterset, you will have to name it before you start to add filter (ie you will not be able to add a name to an existing filterset). So if you are creating a complex filter make sure to name it when you add the first entry.

Pre-defined Reports

The Traffic Analysis Tool includes several pre-defined test that make running common tests a snap.

IP Protocol Report:

To initialize an IP protocol report, simply select "Protocols" in the Report, and then hit "Begin analysis":

In a couple of seconds, an initial report will appear showing a graph of the protocols in use in high to low order. Note that only defined protocols will show up, so the traffic total will likely be less that the amount of traffic actually passing through the system. If there is some activity on an undefined port, then it won't be shown in this report.

IP address Report:

The IP address report will show the IPs of the 25 IPs on the network with the highest bandwidth usage. You may want to use filters to filter out servers that are local, or if you only want to see addresses on a specific network.

MAC Address Report:

The MAC address report is basically the same as the IP address report. Note that your default gateway will show up in almost all traffic going to the internet, so you will probably want to exclude it from the report.

Running the Monitor in Manual Mode

The monitor setup screen allows you to select the criteria that will be used to organize the traffic display.

When you select a Report type of "Manual", a secondary setup table will be displayed as above. To select a manual report, just check the boxes for the criteria that you want to analyze, and hit the "Begin Analysis" button. Selecting just "IP Address" will duplicate the IP Address report. However other combinations will product more interesting results.

Session Reports

A somewhat interesting option for viewing traffic is the "Sessions" option. Selecting this will show connection oriented data and can be used for tracking down specific hosts or connections. The following is an example of a manual report where the Sessions and IP Address options are selected:

The output display shows, in order of usage, the connections between different IP addresses. The above shows that 93% of the traffic is being used by one or more connections between 204.152.184.73 and 207.252.1.2. If you were tracking a problem, you could set a control on one of the addresses temporarily to slow the traffic and free bandwidth for other users.

Summary

The ET/BWMGR traffic monitor is a powerful tool that allows you to "see" whats going on on your network at any given time. Its invaluable in helping you to understand your traffic flows as well as tracking down problems. Without it, you may spend hours trying to figure out where bottlenecks are, but with the traffic monitor you'll know in minutes and be able to fix the problem before your customers start calling.