Bryan,

Wireshark is a great program for watching the conversations go by on your
network, and Bjorn and Dave have brought up some important points.

Dave said:
> It isn't any help on point to point connections on a switched network
> unless you are one of the points in the connection.

Since the "inline hub" won't provide you with much visibility into what's
happening between machines on a switched LAN (except for broadcast
traffic, as Dave points out), you'd need to follow Bjorn's suggestion to
get access to that traffic.

Bjorn said:
> Some managed switches have a port that is specifically for seeing all
> the data also.

If you have managed switches at the core of your network, this feature
can help substantially*. It's frequently called a "monitor port", or "port
mirroring". The idea is that you instruct the switch to copy ALL the data
being transferred across it to one special port, to which you connect your
sniffer. If your network is even moderately busy, the monitor port should
probably be a Gigabit port, if you have them available, and the sniffer
should be sporting a Gbit NIC and be a fairly robust machine. (Otherwise
both the switch and Wireshark will, I believe, drop packets in order to
keep up with the realtime data.)

* It won't be a silver bullet, though, if you have multiple switches
chained together, and the traffic you want to watch never transits the
switch running your monitor port.

That said, there are programs other than Wireshark that are perhaps
better-suited to analyzing your bandwidth utilization. If you have a Linux
machine available (or could maybe boot your sniffer computer using a live
CD like Knoppix[1]), iptraf[2] will do bandwidth analysis on a per-station
basis (i.e., it'll show the top network nodes by amount of data
transferred). iptraf calls this feature "LAN station monitor". Because
it's analyzing the raw Ethernet transfer (including non-IP protocols like
AppleTalk and IPX/SPX), it lists each station by MAC address, but it's
pretty easy to find out which MAC owns a given IP from the command line
with:

	arp -a | grep -i 00:ma:ca:dd:re:ss

(You have to add the colons yourself, as iptraf leaves them out.)

Additionally, if your switch(es) and firewall support SNMP queries, you
could install Cacti[3], which can graph all transfer on all ports in
five-minute increments with a minimum of configuration. (This also assumes
that you have a Linux machine at your disposal on the LAN, though.)

Hope this helps. Let me know if you have questions.

Cheers,

-sth

[1] http://www.knopper.net/knoppix/index-en.html
[2] http://iptraf.seul.org
[3] http://www.cacti.net

+-------
  Sam Hooker [log in to unmask]		|
  Consulting Engineer, Partner			|
  ClearBearing, Inc. (802)846-1855 		|
  Internet engineering | network services	|
  http://www.clearbearing.com			|
+-------
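The per-station byte counting that Sam describes for iptraf's "LAN station monitor", together with the `arp -a` lookup that turns a MAC back into an IP, can be reproduced offline against a saved capture. The script below is an added example and is not code from this thread, from iptraf or from Wireshark. It assumes a classic libpcap file (the format Wireshark or tcpdump writes from the mirror port) containing plain Ethernet frames, and `arp -a` output in the Linux/BSD "host (ip) at mac" form; the capture and ARP table embedded in it are constructed sample data, not a real trace. It goes one step beyond the text by joining the MAC counts to the ARP table automatically, so the top talkers come out already labelled with their IPs where one is known.

```python
import re
import struct
from collections import Counter

# ---- constructed sample data (not a real capture or a real ARP table) ----
def _frame(src_mac: str, dst_mac: str, payload_len: int) -> bytes:
    """Build a minimal Ethernet II frame (EtherType 0x0800) with a zero payload."""
    src = bytes.fromhex(src_mac.replace(':', ''))
    dst = bytes.fromhex(dst_mac.replace(':', ''))
    return dst + src + b'\x08\x00' + b'\x00' * payload_len

def build_pcap(frames) -> bytes:
    """Serialise frames as a classic libpcap file: magic 0xa1b2c3d4, LINKTYPE_ETHERNET (1)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack('<IIII', 1000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_ARP = """\
? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.9) at 00:aa:bb:cc:dd:ee [ether] on eth0
"""

SAMPLE_PCAP = build_pcap(
    [_frame('00:11:22:33:44:55', '00:aa:bb:cc:dd:ee', 1000)] * 3   # one busy downloader
    + [_frame('00:aa:bb:cc:dd:ee', '00:11:22:33:44:55', 60)] * 2   # small replies
    + [_frame('00:11:22:33:44:55', 'ff:ff:ff:ff:ff:ff', 40)]       # a broadcast
)

# ---- the analysis ----
def station_bytes(pcap: bytes) -> dict:
    """Sum captured bytes sent and received per MAC, like iptraf's LAN station monitor."""
    magic, = struct.unpack_from('<I', pcap, 0)
    if magic == 0xa1b2c3d4:
        endian = '<'
    elif magic == 0xd4c3b2a1:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file')
    linktype, = struct.unpack_from(endian + 'I', pcap, 20)
    if linktype != 1:
        raise ValueError('only Ethernet (LINKTYPE_ETHERNET) captures are supported')
    sent, received = Counter(), Counter()
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + 'IIII', pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 14:
            continue  # truncated frame, no usable Ethernet header
        dst, src = frame[0:6].hex(':'), frame[6:12].hex(':')
        sent[src] += incl_len
        received[dst] += incl_len  # broadcast ff:ff:... shows up as a "station" too
    return {'sent': sent, 'received': received}

ARP_LINE = re.compile(r'\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})', re.I)

def parse_arp_table(text: str) -> dict:
    """Map MAC -> IP from Linux/BSD `arp -a` output (assumed format; Windows differs)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group('mac').lower()] = m.group('ip')
    return table

def top_talkers(pcap: bytes, arp_text: str, n: int = 3) -> list:
    """Return (mac, ip-or-'?', total bytes) for the n busiest stations."""
    counts = station_bytes(pcap)
    arp = parse_arp_table(arp_text)
    total = counts['sent'] + counts['received']
    return [(mac, arp.get(mac, '?'), total[mac]) for mac, _ in total.most_common(n)]

if __name__ == '__main__':
    for mac, ip, nbytes in top_talkers(SAMPLE_PCAP, SAMPLE_ARP):
        print(f'{mac}  {ip:<12} {nbytes:>8} bytes')
```

To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of a file saved from the mirror port and `SAMPLE_ARP` with the actual `arp -a` output taken on a machine in the same broadcast domain; a MAC that prints as `?` simply was not in that host's ARP cache. The byte totals are captured-length bytes, so a truncated capture (a small snaplen) under-reports volume.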


> Date:    Fri, 20 Apr 2007 09:29:19 -0400
> From:    Bryan Thompson <[log in to unmask]>
> Subject: Ethereal (Network Sniffing Advice)
>
> All,
>
> I have a funny story to tell you, but I also have a question.
>
> Yesterday, our e-mail server kept timing out, and our Internet
> connection was at a crawl for many hours of the day. I called
> SoverNet, our Internet provider, and I was told that we were using
> our entire bandwidth. This morning, same thing. I decided to
> download, and install ethereal on a windows box, and I started
> sniffing - yes, without reading the manual. While the program was
> sniffing, I got a call from [someone] in the district that has very
> few security restrictions because this [someone] can be trusted, and
> needs more access than other people. Anyhow, this person needed
> help with something else in his/her room, which I fixed, but then
> said person said his/her computer was acting slow, and wondered if he/
> she stopped a few downloads if it would speed up her computer. I took
> a look, and said person was downloading 28 large files at one time.
> We discussed what happens when too many large files are downloaded at
> one time, and that problem was resolved.
>
> This is a funny story because I accidentally found the problem, but
> I'd like to know more about sniffing programs. The data that I got
> back from ethereal, out of the box didn't help me find the problem
> right away - I did only run it for a minute though just to play with
> it. Can anyone give me advice on reading ethereal data, or any other
> network sniffing solutions? Also, I installed ethereal on a regular
> PC box in my office - I'm guessing the box should be in front of our
> firewall to get better data, or maybe right behind it, as I wouldn't
> be able to see our internal IP addresses in front of it?
>
> Thanks,
> Bryan
>
> Bryan Thompson
> Technology Coordinator
> Winooski School District
> 60 Normand Street
> Winooski, VT 05404
> 802-655-2555