Per-User Traffic Bandwidth Monitor
-
I am looking to monitor user traffic so we can find out who is consuming all of our bandwidth in real time. When our connection is slow, I would like to be able to bring up a graph that immediately shows me "X-user is using Y% of bandwidth" and then be able to see exactly what they're doing.
I've installed DarkStat but it can only monitor one interface at a time and it can't draw a line between a user and what the user is doing online…only how much data they're pulling in. That doesn't help because the user could be downloading from our DMZ or the internet, and we can't tell. I can tell that Pandora is being used heavily, but I can't tell who the user listening to it is.
We have a realtime URL monitor (Untangle), but it doesn't graph bandwidth and a request made to Pandora could've been made hours ago which won't be viewable till tomorrow in a daily report.
We don't want to simply filter out Pandora or whatever, we just want to find heavy users and tell them to chill out.
Any suggestions?
edit: pfTop is nice and seems to be capturing what I need (would like URLs)....but anything a little more user-friendly or at least a way to export it?
-
The Rate package is supposed to be nice but I could never get it to show accurate results.
Darkstat works for me. If you see that there are connections to Pandora or whatever, you can click on the IP address and it will tell you traffic narrowed down by port. You can then go to your state table and filter by the IP and port, such as x.x.x.x:8654, and then you will see which user has an open state to that external IP on the port that is using all the traffic.
Not the quickest or most convenient but it has worked well enough for me.
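The state-table lookup described in the post above, done from a shell rather than the GUI (an added example, not part of the original thread). It assumes the state table is dumped with `pfctl -ss`, one state per line with endpoints written as addr:port; the function names, the LAN prefix and the sample state lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LAN hosts holding states to one remote ip:port.
# Assumption: input looks like `pfctl -ss` output, one state per line,
# endpoints written as addr:port and joined by "->" or "<-".

# lan_hosts_for_remote REMOTE LAN_PREFIX   (state lines on stdin)
#   REMOTE      ip:port of the heavy external endpoint, e.g. 203.0.113.5:8654
#   LAN_PREFIX  textual prefix of the LAN subnet, e.g. "192.168.1."
# Prints "<state count> <lan ip>", busiest host first.
lan_hosts_for_remote() {
    awk -v remote="$1" -v lan="$2" '
    {
        hit = 0; host = ""
        for (i = 1; i <= NF; i++) {
            # Exact field match, so :8654 never matches :86540.
            if ($i == remote) hit = 1
            # First endpoint inside the LAN prefix is the internal user.
            if (host == "" && index($i, lan) == 1) {
                host = $i
                sub(/:[0-9]+$/, "", host)   # drop the source port
            }
        }
        if (hit && host != "") count[host]++
    }
    END { for (h in count) print count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample state lines (NAT'd outbound, inbound-style, unrelated
# remote, and a host outside the LAN prefix).
sample_states() {
cat <<'EOF'
all tcp 192.168.1.23:51544 -> 198.51.100.2:40211 -> 203.0.113.5:8654 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.23:51545 -> 198.51.100.2:40212 -> 203.0.113.5:8654 ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:8654 <- 192.168.1.40:49200 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.77:50001 -> 198.51.100.2:40300 -> 203.0.113.9:443 ESTABLISHED:ESTABLISHED
all udp 192.168.10.5:5353 -> 203.0.113.5:8654 MULTIPLE:MULTIPLE
EOF
}

# On the firewall: pfctl -ss | lan_hosts_for_remote x.x.x.x:8654 192.168.1.
sample_states | lan_hosts_for_remote 203.0.113.5:8654 192.168.1.
```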
-
Check out the 'rate' package, it does exactly what you're looking for.
-
Install pfflowd package. Download and install ManageEngine netflow monitor. This can monitor 1 or 2 interfaces for free. Call presales support for assistance with initial config. This will give you a breakdown of per IP and per protocol traffic. I doubt any of the other packages can beat this. ManageEngine needs to be installed on any old PC. Tech is based on netflow... If you want to monitor more interfaces then buy a license...
Excellent tool for analysis and free and also gives historical
Good luck
-
RATE puts me in the same boat as before…it only monitors a single interface at a time and doesn't draw the line between source and destination traffic. It also shows me that the firewall's interfaces themselves are what are consuming all the bandwidth.
pfflowd sounds nice, but the two free interfaces aren't enough and we're already using it to monitor our routers.
-
You can also try the 'iftop' package from a shell prompt:
# pkg_add -r iftop
# rehash
# iftop -i <lan nic>
It might get you a little closer to what you want.
-
Yes, it does look nice.
What would be the uninstall command (besides using it as an appliance, I am pretty much handicapped when it comes to Linux)?
-
If you want to get rid of it, do:
pkg_delete iftop-\*
If you want to be more precise, you can look at the output of:
pkg_info
and find the line for iftop, something like this:
iftop-0.17 Display bandwidth usage on an interface by host
Then you can do:
pkg_delete iftop-0.17
-
Great, thanks for the thorough instructions!
-
I get the following:
pkg_add -r iftop
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/iftop.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/iftop.tbz' by URL
I checked the FTP and the packages-7.0-release doesn't exist, the only "release" folder is packages-8.0-release.
There's actually no 7.0 anything folder, only packages-7-stable.
???
-
What version of pfSense are you running? pfSense 1.2.3 should be 7.2-RELEASE
Either way, you can do this instead:
pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/iftop.tbz
-
1.2.2….. We need to upgrade.