Any administrator sooner or later receives instructions from management: “count who goes online and how much they download.” For providers, it is complemented by the tasks of “letting whoever needs it in, taking payment, limiting access.” What to count? How? Where? There is a lot of fragmentary information, it is not structured. We will save the novice admin from tedious searches by providing him with general knowledge and useful links to hardware.
In this article I will try to describe the principles of organizing the collection, accounting and control of traffic on the network. We will look at the issue and list possible ways to retrieve information from network devices.
This is the first theoretical article in a series of articles devoted to the collection, accounting, management and billing of traffic and IT resources.
Internet access structure
In general, the network access structure looks like this:- External resources - the Internet, with all sites, servers, addresses and other things that do not belong to the network that you control.
- Access device – router (hardware or PC-based), switch, VPN server or concentrator.
- Internal resources are a set of computers, subnets, subscribers whose operation on the network must be taken into account or controlled.
- A management or accounting server is a device on which specialized software runs. Can be functionally combined with a software router.
Network traffic
First, you need to define what is meant by “network traffic” and what useful statistical information can be extracted from the stream of user data.The dominant internetworking protocol is still IP version 4. The IP protocol corresponds to layer 3 of the OSI model (L3). Information (data) between the sender and the recipient is packaged into packets - having a header and a “payload”. The header determines where the packet is coming from and to (sender and recipient IP addresses), packet size, and payload type. The bulk of network traffic consists of packets with UDP and TCP payloads - these are Layer 4 (L4) protocols. In addition to addresses, the header of these two protocols contains port numbers, which determine the type of service (application) transmitting data.
To transmit an IP packet over wires (or radio), network devices are forced to “wrap” (encapsulate) it in a Layer 2 (L2) protocol packet. The most common protocol of this type is Ethernet. The actual transmission “to the wire” occurs at the 1st level. Typically, the access device (router) does not analyze packet headers at levels higher than level 4 (with the exception of intelligent firewalls).
Information from the fields of addresses, ports, protocols and length counters from the L3 and L4 headers of data packets constitutes the “raw material” that is used in traffic accounting and management. The actual amount of information transmitted is found in the Length field of the IP header (including the length of the header itself). By the way, due to packet fragmentation due to the MTU mechanism, the total volume of transmitted data is always greater than the payload size.
The total length of the IP and TCP/UDP fields of the packet that are interesting to us in this context is 2...10% of the total length of the packet. If you process and store all this information batch by batch, there will not be enough resources. Fortunately, the vast majority of traffic is structured to consist of a series of “conversations” between external and internal network devices, called “flows.” For example, as part of one operation of sending an email (SMTP protocol), a TCP session is opened between the client and the server. It is characterized by a constant set of parameters (source IP address, source TCP port, destination IP address, destination TCP port). Instead of processing and storing information packet by packet, it is much more convenient to store flow parameters (addresses and ports), as well as additional information - the number and sum of lengths of packets transmitted in each direction, optionally session duration, router interface indexes, ToS field value, etc. This approach is beneficial for connection-oriented protocols (TCP), where it is possible to explicitly intercept the termination of a session. However, even for non-session-oriented protocols, it is possible to perform aggregation and logical completion of a flow record based on, for example, a timeout. Below is an excerpt from the SQL database of our own billing system, which logs information about traffic flows:
It is necessary to note the case when the access device performs address translation (NAT, masquerading) to organize Internet access for local network computers using one, external, public IP address. In this case, a special mechanism replaces IP addresses and TCP/UDP ports of traffic packets, replacing internal (not routable on the Internet) addresses according to its dynamic translation table. In this configuration, it is necessary to remember that in order to correctly record data on internal network hosts, statistics must be collected in a way and in a place where the translation result does not yet “anonymize” internal addresses.
Methods for collecting traffic/statistics information
You can capture and process information about passing traffic directly on the access device itself (PC router, VPN server), transferring it from this device to a separate server (NetFlow, SNMP), or “from the wire” (tap, SPAN). Let's look at all the options in order.PC router
Let's consider the simplest case - an access device (router) based on a PC running Linux.How to set up such a server, address translation and routing, a lot has been written. We are interested in the next logical step - information on how to obtain information about the traffic passing through such a server. There are three common methods:
- intercepting (copying) packets passing through the server’s network card using the libpcap library
- intercepting packets passing through the built-in firewall
- using third-party tools for converting packet-by-packet statistics (obtained by one of the two previous methods) into a netflow aggregated information stream
Libpcap
In the first case, a copy of the packet passing through the interface, after passing the filter (man pcap-filter), can be requested by a client program on the server written using this library. The packet arrives with a layer 2 header (Ethernet). It is possible to limit the length of the information captured (if we are only interested in information from its header). Examples of such programs are tcpdump and Wireshark. There is an implementation of libpcap for Windows. If address translation is used on a PC router, such interception can only be carried out on its internal interface connected to local users. On the external interface, after translation, IP packets do not contain information about the internal hosts of the network. However, with this method it is impossible to take into account the traffic generated by the server itself on the Internet (which is important if it runs a web or email service).
libpcap requires support from the operating system, which currently amounts to installing a single library. In this case, the application (user) program that collects packages must:
- open the required interface
- specify the filter through which to pass received packets, the size of the captured part (snaplen), the buffer size,
- set the promisc parameter, which puts the network interface into capture mode for all packets passing by, and not just those addressed to the MAC address of this interface
- set a function (callback) called on each received packet.
When a packet is transmitted through the selected interface, after passing the filter, this function receives a buffer containing Ethernet, (VLAN), IP, etc. headers, total size up to snaplen. Since the libcap library copies packets, it cannot be used to block their passage. In this case, the traffic collection and processing program will have to use alternative methods, such as calling a script to place a given IP address in a traffic blocking rule.
Firewall
Capturing data passing through the firewall allows you to take into account both the traffic of the server itself and the traffic of network users, even when address translation is running. The main thing in this case is to correctly formulate the capture rule and put it in the right place. This rule activates the transfer of the packet towards the system library, from where the traffic accounting and management application can receive it. For Linux OS, iptables is used as a firewall, and interception tools are ipq, netfliter_queue or ulog. For OC FreeBSD – ipfw with rules like tee or divert. In any case, the firewall mechanism is complemented by the ability to work with a user program in the following way:
- A user program - a traffic handler - registers itself in the system using a system call or a library.
- A user program or external script installs a rule in the firewall, “wrapping” the selected traffic (according to the rule) inside the handler.
- For each passing packet, the handler receives its contents in the form of a memory buffer (with IP headers, etc. After processing (accounting), the program must also tell the operating system kernel what to do next with such a packet - discard it or pass it on. Alternatively, it is possible pass the modified packet to the kernel.
Since the IP packet is not copied, but sent to the software for analysis, it becomes possible to “eject” it, and therefore, completely or partially restrict traffic of a certain type (for example, to a selected local network subscriber). However, if the application program stops responding to the kernel about its decision (hung, for example), traffic through the server is simply blocked.
It should be noted that the described mechanisms, with significant volumes of transmitted traffic, create excessive load on the server, which is associated with the constant copying of data from the kernel to the user program. The method of collecting statistics at the OS kernel level, with the output of aggregated statistics to the application program via the NetFlow protocol, does not have this drawback.
Netflow
This protocol was developed by Cisco Systems to export traffic information from routers for the purpose of traffic accounting and analysis. The most popular version 5 now provides the recipient with a stream of structured data in the form of UDP packets containing information about past traffic in the form of so-called flow records:
The amount of information about traffic is several orders of magnitude smaller than the traffic itself, which is especially important in large and distributed networks. Of course, it is impossible to block the transfer of information when collecting statistics via netflow (unless additional mechanisms are used).
Currently, a further development of this protocol is becoming popular - version 9, based on the template flow record structure, implementation for devices from other manufacturers (sFlow). Recently, the IPFIX standard was adopted, which allows statistics to be transmitted via protocols at deeper levels (for example, by application type).
The implementation of netflow sources (agents, probes) is available for PC routers, both in the form of utilities working according to the mechanisms described above (flowprobe, softflowd), and directly built into the OS kernel (FreeBSD: ng_netgraph, Linux:). For software routers, the netflow statistics stream can be received and processed locally on the router itself, or sent over the network (transfer protocol - over UDP) to the receiving device (collector). 
The collector program can collect information from many sources at once, being able to distinguish their traffic even with overlapping address spaces. Using additional tools such as nprobe, it is also possible to perform additional data aggregation, stream bifurcation or protocol conversion, which is important when managing a large and distributed network with dozens of routers.
Netflow export functions support routers from Cisco Systems, Mikrotik, and some others. Similar functionality (with other export protocols) is supported by all major network equipment manufacturers. 
Libpcap “outside”
Let's complicate the task a little. What if your access device is a hardware router from another manufacturer? For example, D-Link, ASUS, Trendnet, etc. It is most likely impossible to install additional data acquisition software on it. Alternatively, you have a smart access device, but it is not possible to configure it (you don’t have rights, or it is controlled by your provider). In this case, you can collect information about traffic directly at the point where the access device meets the internal network, using “hardware” packet copying tools. In this case, you will definitely need a separate server with a dedicated network card to receive copies of Ethernet packets.The server must use the packet collection mechanism using the libpcap method described above, and our task is to submit a data stream identical to that coming from the access server to the input of the network card dedicated for this purpose. For this you can use:
- Ethernet - hub: a device that simply forwards packets between all its ports indiscriminately. In modern realities, it can be found somewhere in a dusty warehouse, and using this method is not recommended: unreliable, low speed (there are no hubs with a speed of 1 Gbit/s)
- Ethernet - a switch with the ability to mirror (mirroring, SPAN ports. Modern smart (and expensive) switches allow you to copy all traffic (incoming, outgoing, both) of another physical interface, VLAN, including remote (RSPAN) to a specified port
- Hardware splitter, which may require installation of two network cards instead of one to collect - and this is in addition to the main, system one.
Naturally, you can configure a SPAN port on the access device itself (router), if it allows it - Cisco Catalyst 6500, Cisco ASA. Here is an example of such a configuration for a Cisco switch:
monitor session 1 source vlan 100 ! where do we get the packages from?
monitor session 1 destination interface Gi6/3! where do we issue packages?
SNMP
What if we don’t have a router under our control, we don’t want to contact netflow, we’re not interested in the details of our users’ traffic. They are simply connected to the network through a managed switch, and we just need to roughly estimate the amount of traffic going to each of its ports. As you know, network devices with remote control support and can display counters of packets (bytes) passing through network interfaces. To poll them, it would be correct to use the standardized remote management protocol SNMP. Using it, you can quite easily obtain not only the values of the specified counters, but also other parameters, such as the name and description of the interface, MAC addresses visible through it, and other useful information. This is done both by command line utilities (snmpwalk), graphical SNMP browsers, and more complex network monitoring programs (rrdtools, cacti, zabbix, whats up gold, etc.). However, this method has two significant drawbacks:- Traffic blocking can only be done by completely disabling the interface, using the same SNMP
- traffic counters taken via SNMP refer to the sum of the lengths of Ethernet packets (unicast, broadcast and multicast separately), while the rest of the previously described tools give values relative to IP packets. This creates a noticeable discrepancy (especially on short packets) due to the overhead caused by the length of the Ethernet header (however, this can be approximately combated: L3_byte = L2_byte - L2_packets * 38).
VPN
Separately, it is worth considering the case of user access to the network by explicitly establishing a connection to the access server. A classic example is the good old dial-up, the analogue of which in the modern world is VPN remote access services (PPTP, PPPoE, L2TP, OpenVPN, IPSEC)
The access device not only routes user IP traffic, but also acts as a specialized VPN server and terminates logical tunnels (often encrypted) within which user traffic is transmitted.
To account for such traffic, you can use all the tools described above (and they are well suited for deep analysis by ports/protocols), as well as additional mechanisms that provide VPN access control tools. First of all, we will talk about the RADIUS protocol. His work is a rather complex topic. We will briefly mention that the control (authorization) of access to the VPN server (RADIUS client) is controlled by a special application (RADIUS server), which has a database (text file, SQL, Active Directory) of allowed users with their attributes (restrictions on connection speeds, assigned IP addresses). In addition to the authorization process, the client periodically transmits accounting messages to the server, information about the state of each currently running VPN session, including counters of transmitted bytes and packets.
Conclusion
Let's bring all the methods for collecting traffic information described above together:
Let's summarize. In practice, there are a large number of methods for connecting the network you manage (with clients or office subscribers) to an external network infrastructure, using a number of access tools - software and hardware routers, switches, VPN servers. However, in almost any case, it is possible to come up with a scheme where information about traffic transmitted over the network can be sent to a software or hardware tool for its analysis and management. It is also possible that this tool will allow feedback to the access device, using intelligent access restriction algorithms for individual clients, protocols, and other things.
This is where I will finish the analysis of the materiel. The remaining unanswered topics are:
- how and where the collected traffic data goes
- traffic accounting software
- What is the difference between billing and a simple “counter”
- How can you impose traffic restrictions?
- accounting and restriction of visited websites
Tags: Add tags
There are a lot of programs for tracking traffic on a local network: both paid and free, differing greatly in functionality. One of the most popular Open Source programs is SAMS. It runs on the Linux platform in conjunction with Squid.
SAMS requires PHP5, we will use Ubuntu Server 14.04. We will need Squid, Apache2, PHP5 packages with modules.
Accounting Internet traffic on a local network Linux
Let's try to figure out how it works.
Squid distributes the Internet, accepting requests on port 3128. At the same time, it writes a detailed log access.log. All control is carried out through the squid.conf file. Squid has extensive capabilities for managing access to the Internet: limiting access by address, controlling bandwidth for specific addresses, groups of addresses and networks.
SAMS works based on analysis of Squid proxy server logs. The local network traffic accounting system monitors the proxy server statistics and, in accordance with the specified policies, makes a decision to block, unblock or limit the speed for the Squid client.
Installing SAMS
Installing packages.
apt-get install apache2 php5 php5-mysql mysql-server php5-gd squid3
Download and install SAMS
wget https://github.com/inhab-magnus/sams2-deb/archive/master.zip
unzip master.zip
cd sams2-deb-master/
dpkg -i sams2_2.0.0-1.1_amd64.deb
Installing the web interface
dpkg -i apache2/sams2-web_2.0.0-1.1_all.deb
We make changes to the /etc/sams2.conf file.
DB_PASSWORD=/MySql password/
Launching SAMS
service sams2 start
Setting up Squid
We make changes to the /etc/squid3/squid.conf file
http_port 192.168.0.110:3128
cache_dir ufs /var/spool/squid3 2048 16 256
We enable logging and log rotation with storage for 31 days.
access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 31
Stop Squid, create a cache.
service squid3 stop
service squid3 start
For the purity of the experiment, we configure one of the browsers to work with proxy 192.168.0.110 via port 3128. Having tried to connect, we receive a connection refusal - Squid does not have proxy access rights configured.
Initial SAMS setup
In another browser, open the address (192.168.0.110 – server address).
http://192.168.0.110/sams2
He will tell us that he cannot connect to the database and will offer to perform the installation.
We specify the database server (127.0.0.1), login and password for MySql.
The initial setup of the traffic accounting system has been completed. All that remains is to configure the program.
Local network traffic monitoring
Login to the system as administrator (admin/qwerty).
It’s worth mentioning right away about user authorization. 
In the Squid branch, open the proxy server and click the “Configure proxy server” button at the bottom.
The most important thing here is to indicate your IP address in the addresses of folders and files where necessary, otherwise the proxy server will not start.
The essence of all changes to SAMS settings is that they are written to squid.conf. Sams2deamon runs in the background, which monitors changes in settings that require entry into the configuration file (you can also set the tracking interval there).
Fill in the “User” and “IP address” fields. Let's take the same IP as the username (the IP of the computer, not the server!). In the “Allowed traffic” field we enter “0”, that is, without restrictions. We omit all other fields.
A new acl will be added for this IP address and permission to work through Squid. If the config has not been changed automatically, go to the proxy branch and click the “Reconfigure Squid” button. Changes to the config will be made manually.
We try to open any URL in the browser. We check access.log and see requests processed by the proxy. To check the operation of SAMS, open the “Users” page and click the “Recalculate user traffic” button at the bottom.
Using the buttons below for managing statistics, you can obtain detailed information on the statistics of user visits to pages.
A program for tracking incoming and outgoing traffic on your computer. It will help you not to exceed the traffic limit and not end up without the Internet at all.
ATTENTION: Starting from version 6, the program has become paid, so in order to avoid misunderstandings, do not update it. Here is the latest free version 5.5.5.
Anyone who used the Internet five years ago probably remembers the most important problem for a user - constantly monitoring the amount of traffic. After all, there were no unlimited packages back then, and Dial-Up connections required money for every megabyte of information downloaded.
As a result, if you don’t control traffic consumption, you could end up costing a pretty penny :). But the people are inventive and they came up with many programs for measuring and limiting the flow. Today, the need for such utilities has decreased a little, but they are still in use, because during their existence they have acquired many additional useful functions.
Thanks to such programs, today you can measure the speed of your Internet connection, check all processes that have access to the Internet, measure traffic usage in corporate networks, and much more.
A small program has all the above functions - NetWorx. In addition, it has a number of additional features that will be useful to both the system administrator and the average user. An equally simple but powerful tool can be called a paid program - DU Meter.
Comparison of the free traffic metering program NetWorx with the paid analogue DU Meter
In addition, in NetWorx you can impose a quota on the amount of traffic, as well as launch various applications on a schedule. The program itself comes in two versions: portable and installation. I think it's easiest to use the "portable" version, although if you're a fan of installers, you can easily install NetWorx using the standard installation wizard.
Installing NetWorx
I will assume that you downloaded the portable version. To get started, you need to unpack the archive with the program and run the executable exe file. Before directly launching NetWorx, we’ll make a couple of settings. First, you will need to specify the program language, and second, you will need to enable or disable checking for new versions. That's all:).
After this, a program icon will appear in the tray (a place next to the system clock), with which we will manage it.
NetWorx will be controlled through a right-click context menu.
Here in this menu all the functions of the program are listed, but before use you can make some settings. To do this, click on the menu section of the same name.
NetWorx Settings
“Settings” consists of several tabs. In “General” we can configure the speed units, information displayed in the tray, and also (most importantly!) which connection to monitor (by default, all traffic is counted).
The “Graph” and “Graph Colors” sections allow us to customize the appearance of the graph of incoming/outgoing information packets. In “Notifications” you can enable and configure service messages from the program, and in “Additional” we have the opportunity to configure the collection of statistics.
The very last tab, Dial-up, allows you to set the default connection and add applications that will run with NetWorx.
After the settings are made, first click the “Apply” button for them to take effect, and then “Ok” to exit the settings.
Traffic Monitor
Now let's go directly through the NetWorx tools. The first and main one is a traffic monitor. It is presented in the form of a graph, which is called by the “Show graph” button.
The graph can be presented in the form of a histogram (in my opinion, this is the most convenient), curved lines, or simply numbers. In this case, there will always be two numbers at the bottom. The number with the index “D” (blue by default) shows the amount of incoming traffic (from the English download), and “U” (green) respectively, outgoing traffic (from the English upload).
Velocity change curves are drawn in the corresponding colors on the graph, the numerical value of which can be correlated with the scale on the left.
Speed measurement
The next button - “Speed measurement” - unfortunately, does not measure the overall speed of your Internet connection, but only the current speed of background packet transmission. This may be needed to compare (saving is available) the results under full load on the channel (for example, downloading a file) and at rest.
To start the test, just click the “Start” button and mark a certain period of time. The result can then be saved to a text file, and then compared with the new data obtained when “loading” the channel.
Statistics
System administrators will like this feature most of all, since it is possible to keep both a general count of traffic and display detailed statistics for each of the network users. The results can be exported to xls format (Excel spreadsheets) and saved on a computer.
There are also tools for backup statistics and their further restoration (for example, if you need to save all the data after reinstalling the system).
Traffic quota
Moving on, we move on to the “Quota” section. This function is most suitable for users with a Dial-up connection or limited traffic (for example, mobile Internet). It allows you to set the maximum amount of information received or sent and will always warn the user if the specified limit is exceeded.
By default, the quota is set to 0.00 KB, so if you want to use this function, you will need to “Configure” it first :).
In the settings, we specify the type of quota (daily, weekly, monthly, last 24 hours) and the type of traffic (incoming, outgoing or all). You can leave the clock as is, and then specify the units of measurement and the quota itself.
To save the settings, click “Ok”, and in the quota monitoring window, do not forget to check the box “Notify when the quota is used by %” in order to receive timely information about overexpenditure.
Route tracing
We have already looked at the “Settings” item, so let’s move on to the next one – “Route tracing”. If you suddenly lost access to any Internet resource or you need to find out what path you take before you get to this or that site, try tracing this path. This can be done with standard Windows capabilities, but with NetWorx it is much easier and more visual.
To start tracing, enter the name of the site (remote computer) or its IP address. Now you can set the response time (although often the standard value is more than enough) and you can click “Start”. In this case, we traced the site yandex.ru and saw that to access it you need to go through 11 intermediate servers, and the total time to travel this path is 31 ms.
Ping
The next option is “Ping”. The window interface of this function is very similar to the previous one, but its purpose is somewhat different. Ping, simply put, is the speed at which a remote computer responds to a request you send. The built-in NetWorx ping is inferior in capabilities to the standard one (it is not possible to set your own keys to change parameters), but it copes with the main task.
Another disadvantage of the function is that you cannot enter the website’s Internet address directly - you need to know its exact IP (you can find out from the previous utility). Now specifically about use: enter the address of the remote PC, select the waiting time and the number of echo requests and click “Start”.
In our example, the site was pinged vkontakte.ru. The average response time is not calculated automatically, but it can be calculated in your head by adding all the obtained values and dividing by three :).
It turned out to be about 45 ms, which in principle is good (ping up to 50 ms ± 10 ms is considered good). The TTL value is the “lifetime” of the echo packet. The number 64 means that the sent packet of information can pass through 64 intermediate servers.
Connections
The last tool is Connections. It allows you to monitor all applications that require an Internet connection.
I immediately advise you to enable the “Convert addresses to names” option. This way you can see where this or that application is going and stop its attempt to connect to a suspicious resource. Pay special attention to “established” connections (ESTABLISHED) and listening ports (LISTENING), as they can pose a hidden threat.
If a suspicious connection is detected, you can immediately terminate the application that installs it by right-clicking on it and selecting “End Application”.
conclusions
Thus, we can summarize all of the above. NetWorx is not just a program for monitoring your Internet connection, but also a complex for ensuring security and comprehensive network diagnostics.
Therefore, if you suspect that some application is using traffic irrationally or even transmitting confidential information, try monitoring your network with the NetWorx program and you can easily identify the “spy” :).
P.S. Permission is granted to freely copy and quote this article, provided that an open active link to the source is indicated and the authorship of Ruslan Tertyshny is preserved.
A data counter is not only an interesting program that will be used by Internet users. It works fine on a PC with a network cable installed. Thanks to this, we will be able to analyze all network traffic, even that which is located. Using a program to monitor Internet traffic on a computer, we can easily find out whether our computer is infected and whether it is sending unnecessary packets.
Choosing the best program for monitoring Internet traffic.
Network Meter is a handy desktop gadget and traffic metering program that allows you to easily monitor your Internet connection and distribute it over your local network and Wi-Fi. Most users ignore the features offered by desktop gadgets that were already introduced in Windows Vista and carried over to Windows 7. Some of these applications can be very useful.
Network Meter is an application that monitors your active Internet connection. It allows you to specify an IP address both on the local network and on the Internet. Shows the current data transfer speed, download speed, upload speed and the amount of data that we downloaded and sent during the last session (since Windows was restarted). In addition, in the wireless network monitoring mode, the application shows the SSID of the Wi-Fi network, that is, its name and the percentage value of the signal quality (0 - 100%). An additional element of the gadget is an IP address locator (IP search) and an Internet tester (speed test).
Anyone can use the program:
- Unpack the gadget installer from the ZIP archive, selecting a location on your hard drive. Double click the extracted file to install Network Meter.
- You will be prompted to check the manufacturer, click Install. The gadget should appear on our desktop (usually on the right), but it can be placed anywhere by clicking and dragging with the left mouse button.
- The app is already active, but to make sure it's monitoring the connection you're interested in, go to the "Network Meter" option. To do this, right-click on the gadget and select “Options”.
- On the main “Settings” tab, you can manage the gadget’s functions. First of all, you need to choose which network to monitor (network type). You can choose to connect to your local network via cable (wired network) or Wi-Fi (wireless network). In the latter case, the gadget will be equipped with additional functions - SSID and a signal quality meter. The function indicated by the marker shows the network card controlled by our local IP address (local area network), as well as the network controlled for data transmission. If used on a personal PC there will be no problems, but on a laptop it is worth making sure that the All Network Meter is currently monitoring the active card - usually you need to choose between an Ethernet LAN and a Wi-Fi card.
- The “Screen” tab determines how the gadget will display information. For example, it is recommended to change the default unit setting from bits per second to get the speed in kilobytes or megabits. The settings are saved by pressing the “OK” button.
- Changes to the Network Meter window appear immediately. It is worth noting that the counter represents the current data transfer - at the moment and, thus, monitors network activity. However, another metric counts how much data is downloaded and sent during that session. It may be useful for users using metered networks - for example, 3G mobile Internet. This makes it easy to know if the packet is overdrawn.
License: Free
IMPORTANT. Correct operation of the program requires the .NET Framework 1.1 package installed on the system.
A brilliant program in terms of GUI that can surprise you with some very interesting features. GlassWire is a program for managing the data flow of an Internet connection, the characteristic feature of which is, first of all, a modern animated interface, the appearance of which can be further modified using graphic templates, which increase the readability of the information presented on the graphs. The program allows you to display the names of processes and applications that initiate new sessions and use the network connection. The user is informed about everything through pop-up windows and directly from the program window.
Using GlassWire is intuitive and comes down to switching between successive tabs that correspond to the main functions implemented in the program: graphical data analysis, firewall settings, transfer of consumption data divided into applications and a list of notifications. In them we usually have the following three views, which allow us to customize the contents of the screen to our needs - at the same time more information about individual processes can be displayed, as well as the account presenting the data in charts.
Directly from the program menu, you can contact the technical support section, available online on the manufacturer’s website. It is very clear and contains not only a quick and complete guide to using the program, but also access to a database of frequently asked questions or user forums. Although the program is currently only available in a development version, the manufacturer's commitment to fine-tuning all the details is quickly making it popular. Advantages:
- firewall function;
- very convenient and beautiful interface;
- ease of operation.
Flaws:
- lack of many functions in the free version;
- there is no data transfer tracking schedule.
License: free.
An advanced monitoring utility that allows you to monitor network traffic generated by applications. Creates reports in many formats. This program reports downloading and sending data for the Internet, local network and for certain programs. It also tells you which applications are using the internet. Monitors the quality of the Wi-Fi signal. The latest version is fully compatible with Windows 10. The DU metric clearly tracks data usage. It provides hourly, daily, weekly and monthly reports. Can also warn when fixed limits are exceeded. Data from reports can be exported to Excel, Word and PDF. Stopwatch mode allows you to measure data consumption with a high degree of accuracy at a specific time. Not only can you specify the hours during which transfers should not be counted (which would be useful for people who use plans with free hours).
DU Meter appears as a translucent notification window in the lower right corner of the desktop and shows real-time network traffic information. The DU Meter window can be enlarged by dragging its edges with the mouse. Each vertical line is one second. The red line is incoming traffic, and the green line is outgoing. At the bottom of the window there are tabs “Internet”, “LAN”, “Programs” - by switching between them, you can see the corresponding data. By right-clicking on the program window, you can bring up a pop-up menu that gives access to various reports, a stopwatch mode, or user and administrator options.
To see the main Internet traffic report as quickly as possible, hover your mouse over the DU Meter icon on the taskbar. To view detailed information about programs' online activity, right-click on the semi-transparent DU Meter window and select View Network Connections. In the new window, on the “Programs” tab, there are all applications that use data transfer. The Open TCP Connections tab displays information that will help you identify unauthorized traffic from your computer. Advantages:
- maximum number of report formats;
- simultaneous calculation of data for specific applications and network traffic;
- usage timer.
Disadvantage: trial version.
License: trial.
These are the most popular applications. You can try several others that stand out for their functionality.
A very useful program. Many additional features make it the most versatile application for monitoring data transfer on a PC. Advantages:
- ease of operation;
- tracking specific applications;
- ability to create reports;
- traffic monitoring mode on the router (requires SNMP supported by the router).
Disadvantage: Inaccurate tracking of applications running on the system.
License: free.
Takes up very little space and does not overload the processor during operation. There are not many advanced features, but the application excels in its simplicity. Advantages:
- simple controls;
- stopwatch function.
Flaws:
- uninteresting appearance;
- Lack of application-specific data tracking.
License: free.
It works without problems in almost all versions of Windows, and has features that are only available in paid versions of this type of program. Advantages:
- firewall function;
- schedule with the ability to disable tracking at a certain time;
- remote management of statistics via the network.
Disadvantage: Quite difficult to use.
License: free.
Of course, the list of programs for tracking traffic on a computer can be continued for quite a long time. We have collected the best and most popular applications. If you already have experience using other software, share it in the comments.
05/23/16 45.3KMany network administrators often encounter problems that can be resolved by analyzing network traffic. And here we come across such a concept as a traffic analyzer. So what is it?
NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Network process analyzers allow you to accurately identify devices that are reducing channel throughput. They know how to find problem areas in your system and improve the overall efficiency of the network.
The term " NetFlow" refers to a Cisco protocol designed to collect IP traffic information and monitor network traffic. NetFlow has been adopted as the standard protocol for streaming technologies.
NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.
Several other network equipment vendors have their own protocols for monitoring and data collection. For example, Juniper, another highly respected network device vendor, calls its protocol " J-Flow". HP and Fortinet use the term " s-Flow". Although the protocols are called differently, they all work in a similar way. In this article, we'll look at 10 free network traffic analyzers and NetFlow collectors for Windows.
SolarWinds Real-Time NetFlow Traffic Analyzer
Free NetFlow Traffic Analyzer is one of the most popular tools available for free download. It gives you the ability to sort, tag, and display data in a variety of ways. This allows you to conveniently visualize and analyze network traffic. The tool is great for monitoring network traffic by type and time period. As well as running tests to determine how much traffic various applications consume.
This free tool is limited to one NetFlow monitoring interface and only stores 60 minutes of data. This Netflow analyzer is a powerful tool that is worth using.
Colasoft Capsa Free
This free LAN traffic analyzer identifies and monitors over 300 network protocols and allows you to create custom reports. It includes email monitoring and sequence charts TCP synchronization, all of this is collected in one customizable panel.
Other features include network security analysis. For example, tracking DoS/DDoS attacks, worm activity and ARP attack detection. As well as packet decoding and information display, statistical data about each host on the network, packet exchange control and flow reconstruction. Capsa Free supports all 32-bit and 64-bit versions of Windows XP.
Minimum system requirements for installation: 2 GB of RAM and a 2.8 GHz processor. You must also have an Ethernet connection to the Internet ( NDIS 3 compliant or higher), Fast Ethernet or Gigabit with mixed mode driver. It allows you to passively capture all packets transmitted over an Ethernet cable.
Angry IP Scanner
It is an open source Windows traffic analyzer that is fast and easy to use. It does not require installation and can be used on Linux, Windows and Mac OSX. This tool works by simply pinging each IP address and can determine MAC addresses, scan ports, provide NetBIOS information, determine the authorized user on Windows systems, discover web servers, and much more. Its capabilities are expanded using Java plugins. Scan data can be saved to CSV, TXT, XML files.
ManageEngine NetFlow Analyzer Professional
A fully featured version of ManageEngines' NetFlow software. This is a powerful software with a full set of functions for analysis and data collection: monitoring of channel throughput in real time and alerts when threshold values are reached, which allows you to quickly administer processes. In addition, it provides summary data on resource usage, monitoring of applications and protocols, and much more.
The free version of the Linux traffic analyzer allows unlimited use of the product for 30 days, after which you can monitor only two interfaces. System requirements for NetFlow Analyzer ManageEngine depend on the flow rate. Recommended requirements for a minimum flow rate of 0 to 3000 threads per second are a 2.4 GHz dual-core processor, 2 GB of RAM, and 250 GB of available hard drive space. As the speed of the flow to be monitored increases, the requirements also increase.
The Dude
This application is a popular network monitor developed by MikroTik. It automatically scans all devices and recreates a network map. The Dude monitors servers running on various devices and alerts you if problems arise. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to tools for remote device management, and more. It runs on Windows, Linux Wine and MacOS Darwine.
JDSU Network Analyzer Fast Ethernet
This traffic analyzer program allows you to quickly collect and view network data. The tool provides the ability to view registered users, determine the level of network bandwidth usage by individual devices, and quickly find and fix errors. And also capture data in real time and analyze it.
The application supports the creation of highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large volumes of data, and much more. This tool for entry-level professionals, as well as experienced administrators, allows you to take complete control of your network.
Plixer Scrutinizer
This network traffic analyzer allows you to collect and comprehensively analyze network traffic, and quickly find and fix errors. With Scrutinizer, you can sort your data in a variety of ways, including by time interval, host, application, protocol, and more. The free version allows you to control an unlimited number of interfaces and store data for 24 hours of activity.
Wireshark
Wireshark is a powerful network analyzer that can run on Linux, Windows, MacOS X, Solaris and other platforms. Wireshark allows you to view captured data using a GUI, or use the TTY-mode TShark utilities. Its features include VoIP traffic collection and analysis, real-time display of Ethernet, IEEE 802.11, Bluetooth, USB, Frame Relay data, XML, PostScript, CSV data output, decryption support, and more.
System requirements: Windows XP and higher, any modern 64/32-bit processor, 400 Mb of RAM and 300 Mb of free disk space. Wireshark NetFlow Analyzer is a powerful tool that can greatly simplify the work of any network administrator.
Paessler PRTG
This traffic analyzer provides users with many useful features: support for monitoring LAN, WAN, VPN, applications, virtual server, QoS and environment. Multi-site monitoring is also supported. PRTG uses SNMP, WMI, NetFlow, SFlow, JFlow and packet analysis, as well as uptime/downtime monitoring and IPv6 support.
The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.
nProbe
It is a full-featured open source NetFlow tracking and analysis application.
nProbe supports IPv4 and IPv6, Cisco NetFlow v9 / IPFIX, NetFlow-Lite, contains functions for VoIP traffic analysis, flow and packet sampling, log generation, MySQL/Oracle and DNS activity, and much more. The application is free if you download and compile the traffic analyzer on Linux or Windows. The installation executable limits the capture size to 2000 packets. nProbe is completely free for educational institutions, as well as non-profit and scientific organizations. This tool will work on 64-bit versions of Linux and Windows operating systems.
This list of 10 free NetFlow traffic analyzers and collectors will help you get started monitoring and troubleshooting a small office network or a large, multi-site corporate WAN.
Each application presented in this article makes it possible to monitor and analyze network traffic, detect minor failures, and identify bandwidth anomalies that may indicate security threats. And also visualize information about the network, traffic and much more. Network administrators must have such tools in their arsenal.
This publication is a translation of the article “ Top 10 Best Free Netflow Analyzers and Collectors for Windows", prepared by the friendly project team
Good bad