Track down bandwidth hogs easily with SolarWinds monitor

Brandon Carroll shows how the Orion SolarWinds network monitoring tool has helped him trace network issues.
I run into a number of situations where students using my network blame the network for the speed and latency of their connection. Having a way to verify this was not always easy, until I started using SolarWinds Orion, which was easy to set up with no major assistance. Since I've had it running, I have a new depth of visibility into the workings of my network. Visibility is very important to me. I've provided an image of my CUBE router using XO for my Internet and SIP connectivity. In the Interface Aggregate Chart you can see that I have a number of interfaces being monitored (Figure A). This information is provided to the Orion server via SNMP polling. You can easily see when my network usage starts to pick up in the morning.

Figure A

Another useful bit of information comes from the gauges seen at the left side of the following screenshots. My router in this case is hardly utilized and the response times are looking great:

Figure B

Another annoyance I deal with is that I can't remember the IP addresses or name resolutions that I have in place. The links provided for you to access the device are very handy. You can access it via web browser, SSH, Telnet, or remote desktop, and even launch a SolarWinds traceroute tool.

Figure C

I ran into a situation where I had a high amount of traffic one day that I wanted to investigate. By looking at my router and viewing the Top 5 applications I could see that my largest amount of traffic was unmonitored traffic, as you can see in the image below. This screenshot did not capture the high-traffic day, but it shows you the type of information you can see when troubleshooting.

Figure D

My next step was to look at the Top 5 Conversations. From here, I can see who my big talkers are and hammer down into more detail. Eventually I found that the conversation was coming from my 10.12.x.x subnet, which is my student access network. Tracing the IP of the destination led me to the student's place of employment and helped me determine that the student was doing a large FTP download over their VPN.

Figure E

Finding the culprit

If I had not had the visibility into the network that SolarWinds Orion provided, I would have spent a lot more time tracking down my bandwidth offender.
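The "Top 5 Conversations" step can be reproduced on any set of flow records. The following is an added example, not part of the original article and not SolarWinds code: it sums bytes per conversation in both directions and picks out the ones that touch the student network. The flow records are constructed, and treating 10.12.x.x as 10.12.0.0/16 is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed flow records (src, dst, protocol, bytes); addresses are made up.
FLOWS = [
    ("10.12.4.23", "203.0.113.50", "tcp", 48_000_000),
    ("203.0.113.50", "10.12.4.23", "tcp", 912_000_000),
    ("10.10.1.5", "198.51.100.7", "udp", 3_200_000),
    ("10.12.9.8", "198.51.100.20", "tcp", 15_500_000),
    ("198.51.100.20", "10.12.9.8", "tcp", 41_000_000),
    ("203.0.113.50", "10.12.4.23", "tcp", 655_000_000),
]

# Assumption: the "10.12.x.x" student network is treated as 10.12.0.0/16.
STUDENT_NET = ipaddress.ip_network("10.12.0.0/16")


def top_conversations(flows, n=5):
    """Sum bytes per conversation (both directions) and return the top n."""
    totals = Counter()
    for src, dst, _proto, nbytes in flows:
        # Sort the endpoints so A->B and B->A count as one conversation.
        key = tuple(sorted((src, dst), key=ipaddress.ip_address))
        totals[key] += nbytes
    return totals.most_common(n)


def local_side(conversation, network=STUDENT_NET):
    """Return the endpoint inside `network`, or None if neither is."""
    for addr in conversation:
        if ipaddress.ip_address(addr) in network:
            return addr
    return None


def student_talkers(flows, n=5):
    """Top conversations that involve the student network: (host, peer, bytes)."""
    result = []
    for conv, nbytes in top_conversations(flows, n):
        host = local_side(conv)
        if host is not None:
            peer = conv[0] if conv[1] == host else conv[1]
            result.append((host, peer, nbytes))
    return result


if __name__ == "__main__":
    for host, peer, nbytes in student_talkers(FLOWS):
        print(f"{host} <-> {peer}: {nbytes / 1e6:.0f} MB")
```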

Check out the free trials that are available as well as free tools such as the SolarWinds Bandwidth Monitor on the SolarWinds Downloads page.

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.

18 comments
SteveRR

We use CloudView NMS (http://www.cloudviewnms.com). IMO their most important feature is: they do not charge per number of monitored nodes or switching ports. We have 750 IP nodes thus far in our network. They claim it is scalable to tens of thousands of nodes. I know which device is connected to which switching port. They monitor via SNMP (all versions), somehow (without agents) know about all the services running on my servers. Accessible over Internet/Intranet by several NetAdmin team members ...

freddyboy1

I wouldn't trust SolarWinds with anything. These guys spam without even caring. Don't sign up for anything or contact them, or your Inbox is doomed!!!!

tomofumi

I can do all this troubleshooting and tracking under Linux, although without those pretty GUIs, e.g. MRTG, iptraf, tcpdump. And I can even rate limit the abusers with the "tc" command to put them into a 256kb traffic jail, but it is a bit hard to use for beginners. ;)

matt

For those that can ill afford to licence the SolarWinds Netflow solution (cos it does get pricey) there is a great alternative from Plixer called Scrutinizer - http://www.prosperon.co.uk/products/scrutinizer/overview Plixer focus 100% on Flow analysis; on V8.5 it's a very mature product supporting every flow variant.

jakemichaelwilson

Hello Brandon, SolarWinds is a great NMS and a fast growing company. Their NetFlow reporting does a good job of providing the basics. For in-depth flow details and 100% of the detail, please consider Scrutinizer from Plixer. It integrates with Orion. Thank you, Jake

darksidegeek

Orion NPM is pricey. Worth it, but often out of reach for small budgets. In its full-sensor glory, Paessler PRTG is in a similar vein. The difference is that you can use a 10-sensor version of PRTG for free (and then grow into more). If one of those sensors is NetFlow or the port-sniffer module, then you can have the same "top user" graphs as in NPM, but without the big price tag. (SolarWinds has also recently introduced a free NetFlow tool as a step-stone to NPM, but not sure if it is as full-featured as PRTG's offering.) For my beginner's intro to network monitoring, see http://siliconexus.com/blog/2011/10/an-overview-of-network-monitoring/.

delphi9_1971

Figures A, B and C are part of the base Orion SolarWinds product. But Figures D and E require the Netflow Traffic Analyzer Module, which is an add-on and will cost you a few more bucks. Also, the NTA requires that the devices you are managing support the NetFlow Protocol and must be configured for that in addition to SNMP. I'm not sure all equipment manufacturers support that Protocol.

dgoodale

I've been using Orion NPM for 9 years. I had the NTA module installed for a couple of years but I just uninstalled it last month because of performance and stability issues. For the last few months prior to my uninstall, NTA would break every week or 2 and would require a reinstall to get working. Performance was an issue from the day I installed NTA (Netflow Traffic Analyzer). I would suggest that you make sure your database server is prepared to deal with the huge amount of netflow data. Obviously, my SQL server wasn't. After installing NTA, it took a minimum of 20 seconds for any screen refresh or page change when browsing Orion. When NTA started blowing chunks every week or two, that was the last straw and awayyyyyyy it went!

mkogrady

Can the Nagios solution monitor Cisco IP Phones and Remote Call Managers as well as my local Access Points and numbers of concurrent users connected to them? Can it do an Auto Discovery of the networks and generate reports?

AL_7

I see many concerns about price and I agree it can be an issue. Just saw this thread from some time back. We recently launched an all-in-one Traffic Monitoring solution designed specifically for SMBs - easy to use and very affordable. Check it out here: www.sparrowiq.com.

dgoodale

NPM starts at $2500 and goes up....way up. We use the unlimited version. It's $25,000. The Netflow piece he talks about is an add-on. Unlimited version of that is $15,000. There are numerous add-ons so it can get really expensive.

delphi9_1971

The license fees are based on the number of ports you're monitoring. So if you have a large infrastructure or want to monitor all your switch ports, be prepared for some serious sticker shock. That said, it is a great tool. I wish we had the budget for more licenses because I'd monitor every switch port we had if I could.

klh456

And is worth every penny! It has saved us countless hours of searching for network issues as well as alerting us to problems long before a user would begin to notice a problem.

dgoodale

Orion NPM core can't monitor the phone call QUALITY without the IP SLA module. $10,000 for the unlimited version. But a cool product. The addition of IP SLA Manager allows you to test the quality of numerous services from any IP SLA capable router or switch to another. NPM by itself performs all tests from its pollers. Add in IPSLAM and you can test your little heart out. :-)

oecaballero

Is this product able to decipher traffic from RDP sessions? We have users logging into MS Remote Desktop servers and that's their access to the net.

darksidegeek

In answer to the RDP session question, no. Traffic from all users on the TermServer will originate from the same server IP, and this is how NetFlow or sniffing will categorize the activity. There is no multi-user granularity from the same IP.