Using The ET/BWMGR Real-Time Traffic Analysis Tool

What is the Traffic Analysis Tool?

The Traffic Analysis Tool (aka the System Monitor) is a powerful tool that allows you to view the traffic on your network based on various criteria. By using the system monitor you can see what's "going on" on your network which can greatly enhance your ability to understand your bandwidth management requirements, and also to quickly find problems that might otherwise be very difficult to find. The monitor allows you "view" all activity on your network even if you don't have any rules defined, or if the activity doesn't match any of your rules.

Note that the monitor will only gather traffic from interfaces marked as "outside", unless a filter is specified.

The Main Panel

The tool includes several "canned" tests that can be used easily by selecting a report type from the GUI menu. The main Monitor panel allows you to select the report to run, the duration of the report and some other tuning parameters:

Report: The report to run. The choices are IP Address, MAC Address or Sessions. This specified the primary focus of the report. The sessions report shows connections (both source and destination), while the IP and MAC reports show info per address.

Report Duration:This is the length of time to run the report. The monitor will automatically shop after this period.

Max Entries:For large networks, this allows you to limit the number of entries to track. On large networks, you may have so many short-lived connections that the system will not have the capacity to track them all. Limiting this will allow the system to maintain only the busiest, active connections without taking over your CPU. Try different numbers here before using very large numbers to see the effect on your system.

Min Usage:The minium bps before an entry is displayed. This allows you to eliminate short-lived connections and concentrate on more significant traffic flows.

Display:The number of entries to display on the screen.

Filters:This specifies which filters to use. There are simple filters that can be used as a standalone monitor. You can also use rules to "feed" the monitor. You can tag rules (or create rules just for the monitor). This will be described later in this document.

Status:The current status of the Monitor.

Filters

Filters can be used to either "include" or "exclude" certain addresses or interfaces from the gathering process. For example you may want to exclude your server from an IP address report as its likely to be included in all transactions.

To add a filter, enter the parameters on the bottom line and press Add:

You can alternatively use a tilde (~) to specify a negative filter:

The above settings would include addresses on the 12.1.4 network except for 12.1.4.1, and only on interface em2 and not em3. Note that monitor traffic is only shown on "outside" interfaces, unless there is a positive filter. So these settings could be used to "watch" em2 and exclude the em3 outside interface.

You can save the current filter configuration by giving the filters a filterset name. Just enter a name in the lower box in the filterset column and click "Add":

You can add items to the filterset by including the filterset name when you add new filters. If you add an item without the filterset name, it will NOT add the setting to the loadable filterset.

You can use the pulldown menu and "Load Filterset" button to load saved filters for use in the future.

Using Rules as Filters

To do more complex filtering, you can optionally use bandwidth rules to filter what is monitored. You can either use existing rules or create new rules that are specific to the monitor. To use an existing rule, just check the "monitor" checkbox to enable passing to the monitor.

Suppose you had a rule managing the address 10.1.1.1, and you wanted to monitor that address. Simply check the Monitor checkbox, and when you start the monitor with the "Use Rule Filters" setting, traffic hitting that rule would be sent to the monitor:

You can also create rules specifically as monitor filters. To do this, create global rules that pass the traffic you want to the monitor:

Pre-defined Reports

The Traffic Analysis Tool includes several pre-defined test that make running common tests a snap.

IP address Report:

The IP address report will show the IPs of the 20 IPs on the network with the highest bandwidth usage. You may want to use filters to filter out servers that are local, or if you only want to see addresses on a specific network. The above report would be very useful to find which IPs are using the most bandwidth on your network.

MAC Address Report:

The MAC address report is basically the same as the IP address report. Note that your default gateway will show up in almost all traffic going to the internet, so you will probably want to exclude it from the report.

Sessions Report

The sessions report can be used to show connections on your network which can be useful in a number of ways. The graphs for sessions reports are quite ugly; so its recommended that you use "show data" mode for sessions reports:

Summary

The ET/BWMGR traffic monitor is a powerful tool that allows you to "see" whats going on on your network at any given time. Its invaluable in helping you to understand your traffic flows as well as tracking down problems. Without it, you may spend hours trying to figure out where bottlenecks are, but with the traffic monitor you'll know in minutes and be able to fix the problem before your customers start calling.