Netgate Discussion Forum

    Any recommendations for a network traffic monitoring package?

Category: Traffic Monitoring. 12 posts, 3 posters, 1.9k views.
LPD7:

I just applied the nuclear option to restrict users on my local LAN from accessing certain web sites. Now, before I dive deep into how to manage these restrictions (who to let through and who to ban), I would like to know what the traffic looks like and where people are going. I stumbled across NTOP, but after doing some digging it seems like it is too much effort to manage and could possibly make my system unstable, so I am looking for alternate suggestions. Like anyone else, I am hoping to find something that is informative, useful and easy to manage. All suggestions welcome. Thank you.

      Intelligence is not a substitute for common sense.
      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
      Putting legacy equipment into service and out of landfills.

keyser (Rebel Alliance) @LPD7:

Your best - and only alternative bet - is the ntopNG package. It works pretty well in 2.6/22.01, but it does take some getting used to, as it is a combination of historical summary and near real-time data - but NOT detailed history data for inspection. You can configure the time it keeps "realtime" flow data in memory and what it writes to disk, but it is not a logging/evidence gathering package. It's a near real-time monitoring tool with historical trends and counters on most measures.
It also has a DPI engine with rules you can get alerts from whenever data/access falls outside of policy. But that part is not very useful, as it cannot be configured much in the community edition.

        Love the no fuss of using the official appliances :-)

LPD7 @keyser:

@keyser Thanks for the recommend.

So when you say it's not for detailed history or for logging/evidence, how much info does it maintain and for how long?

My need is to see what sites are being accessed, how much bandwidth is being used, the local time accessed and the IP or MAC of the local machine accessing the site (that's about all I can think of right now).

Also I have been doing a bit of searching and another package that has come up as one of the top 5 PFS packages, as one reviewer puts it, is Darkstat. Are you familiar with this one?


keyser @LPD7:

@lpd7 You can only really see specific traffic/sessions for clients for as long as flows are in memory (depending on settings, 1 - 10 min). After that you only have historical numbers for each client, e.g.:
Amount of traffic, which protocols that traffic was, high-level distribution of when traffic from the client was active, and so on.
Besides that you can get DPI alerts, and those remain until you clear/acknowledge them or they expire (weeks, months or years depending on your settings).
You can have ntopNG track DHCP clients based on MAC addresses rather than IP addresses, which is nice.

I like the package a lot, but it is not a session logging tool. So you still need to log on firewall rules and have a log analysis tool if you want historical specifics.


keyser @LPD7 (follow-up):

              @lpd7 But there is a lot of rather detailed historical data on each client, so it is a very nice tool to spot bandwidth usage on clients. And you get a decent amount of details on how/when/what, rather than just bytes total.


LPD7 @keyser:

@keyser Thanks for that. I am watching a YT vid by Lawrence Systems on installing and configuring and may give it a try to see how it works out; I can always uninstall the package if not happy with it without any issues (I hope). With many of the packages there aren't a lot of user manuals; I haven't searched yet, so am hoping that I can get detailed docs to help support the package. Thanks again.


LPD7:

Just an FYI, I installed ntopNG this morning. The install went smooth, I did some config per the Lawrence Systems YT video, and for a few minutes things looked good; I was twiddling away to understand the data when all of a sudden my LAN went down.

When I stopped the Ntop service and reloaded PFS using reroot, the network came back up, so I don't know what it did but it wasn't a good thing. Also my mem usage went from approx 30% prior to install to 60%, and even with the service stopped my mem is still at 60%.

                  Once I get my meetings out of the way I will reboot the box without Ntop running and see where my mem lands.

                  Any ideas what may have been the issue?

                  This is one of the reasons why I ask about alternatives to some of the more popular packages, so am looking for additional recommends if any.

I can say the 2 things I didn't see or didn't understand while looking around the application were the mapping between internal host and external sites (internal host name or IP address to external site URL address) before things went south.

                  Knowing where internal devices are connecting externally and conversely where external systems are coming from and attempting to go to with as much relevant/actionable data is a key for my current needs.

                  Thanks for reading.


mcury (Rebel Alliance) @LPD7:

I'm using Graylog.

[screenshot attached]

                    dead on arrival, nowhere to be found.

LPD7 @mcury:

@mcury Thanks for that recommend. I don't see it as an available package within package manager; how were you able to get it loaded to your PFS box? Also does this have additional details like URLs accessed, IPs of internal devices, etc.? I will do a quick search for documentation and see what's under the hood.


mcury @LPD7:

                        You don't need a pfsense package to run Graylog.
                        Just go to Status / System / Logs / Settings
                        At the bottom of the page, you will see Remote Logging Options, go there and configure it to export the logs to the Graylog server.

[screenshot attached]

You can run it in a VM to learn; I'm currently collecting data from pfSense, Synology NAS, and UniFi equipment.
It works like a syslog server.

You don't have info about URLs accessed, just IPs like source, destination, ports used, system logs, DHCP, etc.
Yes, you have IPs of local devices; everything that goes through the firewall, you will see in Graylog.

You can also use it as a NetFlow collector.

[screenshot attached]

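The post above says the forwarded firewall log gives you source, destination and ports but not URLs, and keyser's earlier reply notes you only get those records for rules that have logging enabled. The script below is an added example (not code from pfSense, Graylog or anyone in this thread) showing what you can actually extract from that feed: it parses the CSV body pfSense's filterlog writes (field order from the pfSense "Filter Log Format" documentation), then answers the two questions asked in the thread, which LAN host connected to which external address and port, and which outside sources are being blocked on WAN. The sample syslog lines, the interface names igb0/igb1 and all addresses are constructed for illustration.

```python
"""Summarise pfSense filterlog records forwarded over syslog.

Added example for this thread, not code from pfSense or Graylog.  It parses
the CSV body that pfSense's filterlog emits for firewall rules that have
logging enabled (the same lines Remote Logging Options ship to a syslog or
Graylog server).  Sample lines, interface names and addresses are constructed.
"""
import re
from collections import defaultdict

# Field order from the pfSense "Filter Log Format" documentation: common
# fields, then the IPv4 *or* IPv6 header fields, then length/src/dst, then
# the TCP or UDP fields.  ICMP and other protocols carry fields not needed here.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id"]
L3 = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]

LAN_IF = "igb1"   # assumed LAN interface name; check Interfaces > Assignments
WAN_IF = "igb0"   # assumed WAN interface name

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line, or None for any
    other daemon's line (dhcpd, sshd, ...) that shares the syslog feed."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    parts = m.group("csv").split(",")
    rec = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    hdr = IPV4 if rec.get("ipver") == "4" else IPV6
    rec.update(zip(hdr, rest))
    rest = rest[len(hdr):]
    rec.update(zip(L3, rest))
    rest = rest[len(L3):]
    proto = rec.get("proto", "").lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    rec["length"] = int(rec["length"]) if rec.get("length", "").isdigit() else 0
    return rec


def summarise(lines):
    """Group records into outbound sessions per LAN client and blocked
    inbound attempts per external source."""
    outbound = defaultdict(lambda: {"dsts": set(), "conns": 0, "logged_bytes": 0})
    inbound_blocked = defaultdict(lambda: {"ports": set(), "count": 0})
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        # A pass rule with logging enabled logs only the packet that created
        # the state, so logged_bytes counts first packets, not bandwidth;
        # use NetFlow or ntopng for volume.
        if rec.get("iface") == LAN_IF and rec.get("direction") == "in" and rec.get("action") == "pass":
            c = outbound[rec["src"]]
            c["dsts"].add((rec["dst"], rec.get("dport", "")))
            c["conns"] += 1
            c["logged_bytes"] += rec["length"]
        elif rec.get("iface") == WAN_IF and rec.get("direction") == "in" and rec.get("action") == "block":
            a = inbound_blocked[rec["src"]]
            a["ports"].add(rec.get("dport", ""))
            a["count"] += 1
    return {"outbound": dict(outbound), "inbound_blocked": dict(inbound_blocked)}


def top_talkers(summary, n=5):
    """Clients ranked by number of logged outbound sessions."""
    ranked = sorted(summary["outbound"].items(), key=lambda kv: kv[1]["conns"], reverse=True)
    return [(src, c["conns"]) for src, c in ranked[:n]]


# Constructed sample syslog lines in the filterlog layout described above.
SAMPLE = [
    "<134>Mar  1 09:15:02 pfSense filterlog[53123]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,31337,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,2847291,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Mar  1 09:15:07 pfSense filterlog[53123]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,31338,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51235,80,0,S,2847292,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Mar  1 09:15:09 pfSense filterlog[53123]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,4100,0,none,17,udp,76,192.168.1.31,203.0.113.53,60001,53,56",
    "<134>Mar  1 09:16:40 pfSense filterlog[53123]: 9,,,1000000001,igb0,match,block,in,4,0x0,,51,0,0,none,6,tcp,40,198.51.100.200,203.0.113.10,44444,22,0,S,1,,1024,,",
    "<134>Mar  1 09:16:41 pfSense filterlog[53123]: 9,,,1000000001,igb0,match,block,in,4,0x0,,51,0,0,none,6,tcp,40,198.51.100.200,203.0.113.10,44445,3389,0,S,1,,1024,,",
    "<134>Mar  1 09:16:45 pfSense dhcpd[2100]: DHCPACK on 192.168.1.31 to 00:11:22:33:44:55 via igb1",
]

if __name__ == "__main__":
    s = summarise(SAMPLE)
    for src, c in s["outbound"].items():
        print(src, c["conns"], "sessions ->", sorted(c["dsts"]))
    for src, a in s["inbound_blocked"].items():
        print("blocked from", src, "ports", sorted(a["ports"]), "x", a["count"])
    print("top talkers:", top_talkers(s))
```

Two things the code makes concrete. First, nothing here knows about URLs or hostnames: destination 93.184.216.34:443 is as far as the firewall log goes, so "which site" has to come from the DNS resolver logs or a proxy, not from this feed. Second, the byte counts are the logged state-creating packets only; per-client bandwidth is what ntopng or a NetFlow collector gives you. In Graylog the same field splitting can be done at ingest with an extractor on the input, and the dashboards then run over the named fields instead of raw text.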

mcury (follow-up):

Lawrence's videos about it:

[three embedded YouTube videos]


LPD7 @mcury:

@mcury Great stuff, much appreciated. I feel like I have to set up a perm VM server for various reasons, so this may be the excuse that gets me off my heels. Since my primary driver is to "oversee" where users are visiting so I can apply restrictions, having an easy to digest interface or log that notes URLs might be a necessity, but will see if I can get this up and running or take advantage of the 30 minute demo the developer offers to see where, if any, gaps exist and how I can close them. Thanks again, your input is very welcomed.

                            PS.. I love the Lawrence videos, great resource.


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.