Packet Sniffer Sensor Types

Consider packet sniffing if your network device(s) do not support SNMP or xFlow for measuring bandwidth usage, or if you need to break bandwidth usage down by network protocol and/or IP address.

Note: Packet Sniffer Sensors support Toplists (Top Talkers, Top Connections, etc.), see Toplists.

How Packet Sniffing works

If you need to know which applications or IP addresses are causing the traffic in your network, you can use a packet sniffer. It inspects every data packet that passes the monitored network interface and accounts the traffic accordingly.


PRTG can analyze the packets passing the network card of a PC, or it can be connected to the so-called monitoring port of a switch. To calculate bandwidth usage, PRTG's built-in packet sniffer inspects all network data packets that either pass the PC's network card (shown on the left of the figure) or are copied to it by a switch's monitoring port (right). Using remote probes you can set up packet sniffers anywhere in your network (see Multiple Probes and Remote Probes).

Of the four bandwidth monitoring technologies PRTG provides (SNMP, WMI, xFlow and packet sniffing), packet sniffing creates the highest CPU and network load. It should therefore only be used in small to medium networks, on dedicated computers in larger networks, or for individual computers.

Reasons To Choose Packet Sniffing

It is important to understand that the packet sniffer can only access and inspect data packets that actually flow through the network interface(s) of the machine running the PRTG probe. This is fine if you only want to monitor the traffic of this machine (e.g. your web server). In a switched network, however, the switch only forwards the traffic addressed to a specific machine (plus broadcasts) to that machine's network card, so PRTG usually cannot see the traffic of the other machines in the network.

If you also want to monitor the traffic of other devices in your network, you must use a switch that offers a "monitoring port" or "port mirroring" configuration (Cisco calls it "SPAN"). The switch then sends a copy of all data packets traveling through the switch (or through the mirrored ports) to the monitoring port. As soon as you connect the network card of the machine running the PRTG core or a remote probe to the switch's monitoring port, PRTG can analyze the complete traffic that passes through the switch. Keep in mind that the monitoring port has the bandwidth of a single port: if the mirrored traffic exceeds it, the switch drops the excess copies and the accounting becomes incomplete.

An alternative to using a switch's monitoring port is to set up the PC running PRTG as the gateway for all other computers in the network, so that all of their traffic passes its network card.

The different Packet Sniffer Sensor Types

PRTG offers three sensor types that are based on Packet Sniffing:

  • Packet Sniffer (Header): Looks at the headers of the data packets to account traffic by IP, by port, by protocol etc.
  • Packet Sniffer (Content): Reassembles data packets into streams and inspects the payload of the streams to determine the type of traffic (e.g. SMTP, HTTP, IMAP, file sharing, NETBIOS etc.).
  • Packet Sniffer (Custom): Accounts for data packets using user-specific rules (header based). You find this sensor in the group "Custom Sensors".

In the sensor settings you can choose how detailed traffic is accounted according to the protocols used. You can also define include and exclude filters that restrict monitoring to specific packets, IPs, ports etc.

Packet sniffing can differentiate between the following protocols (in the sensor's "Channel Configuration"):

  • Web/WWW Traffic: HTTP, HTTPS
  • File Transfer: FTP
  • Mail Traffic: IMAP, POP3, SMTP
  • Chat, Instant Messaging: IRC, AIM
  • Remote Control: RDP, SSH, Telnet, VNC
  • Network Services: DHCP, DNS, Ident, ICMP, SNMP
  • NetBIOS: NETBIOS
  • Various: Socks, SSL, OtherUDP, OtherTCP

Header Based vs. Content Based Packet Sniffing

PRTG provides two base technologies for packet sniffing:

  • Header based: PRTG looks at the IPs and ports of source and destination to assess the protocol. This is very fast but, at times, not very accurate. For example it is not possible to identify HTTP traffic on ports other than 80, 8080 and 443 as HTTP.
  • Content based: PRTG captures the TCP packets, reassembles the data streams and then analyzes the content of the data using an internal set of rules to identify the type of traffic. This is quite accurate (e.g. HTTP traffic on any port number is accounted for as HTTP) but requires much more CPU and memory resources, especially when a lot of traffic passes the network card.

To summarize, header based sniffing is much faster but the accounting is less reliable (e.g. HTTP packets on non-standard ports are not accounted as HTTP traffic). Content based sniffing is quite accurate, but creates more CPU load. Neither method can see inside encrypted traffic: an encrypted stream is accounted as SSL or HTTPS, not as the application protocol carried inside it.
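The following Python script is an added illustration of the difference between the two approaches; it is not PRTG code and does not reproduce PRTG's internal rule set. The port table and the payload signatures are assumptions chosen to mirror the channel names listed above, and the three packets are constructed samples (IPv4+TCP without Ethernet header, checksums zeroed). It also shows how an include/exclude IP filter changes what is accounted.

```python
"""Header based vs. content based packet classification (added example,
not PRTG code; rule table and signatures are assumptions, packets are
constructed samples)."""
import struct

# Header based rule table: TCP port -> channel name (assumption: the
# well-known ports only, which is exactly why HTTP on port 8000 is missed).
PORT_RULES = {
    80: "HTTP", 8080: "HTTP", 443: "HTTPS", 21: "FTP",
    143: "IMAP", 110: "POP3", 25: "SMTP", 6667: "IRC",
    3389: "RDP", 22: "SSH", 23: "Telnet", 5900: "VNC",
    53: "DNS", 113: "Ident", 161: "SNMP", 139: "NETBIOS", 1080: "Socks",
}

# Content based signatures (assumption: a toy subset; a real payload
# classifier carries far more rules and reassembles whole TCP streams).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SMTP_CLIENT = (b"EHLO ", b"HELO ", b"MAIL FROM")


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (no Ethernet header, checksums 0)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                         64, 6, 0, to_bytes(src_ip), to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame):
    """Pull out the header fields both classifiers use, plus the TCP payload."""
    ihl = (frame[0] & 0x0F) * 4
    pkt = {"proto": frame[9],
           "src_ip": ".".join(str(b) for b in frame[12:16]),
           "dst_ip": ".".join(str(b) for b in frame[16:20]),
           "sport": None, "dport": None, "payload": b""}
    if pkt["proto"] == 6:  # TCP
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[ihl:ihl + 4])
        data_off = (frame[ihl + 12] >> 4) * 4
        pkt["payload"] = frame[ihl + data_off:]
    return pkt


def classify_by_header(pkt):
    """Header based: IP protocol and ports only. Fast, but a service on an
    unlisted port lands in OtherTCP/OtherUDP."""
    if pkt["proto"] == 1:
        return "ICMP"
    if pkt["proto"] != 6:
        return "OtherUDP" if pkt["proto"] == 17 else "Other"
    for port in (pkt["dport"], pkt["sport"]):
        if port in PORT_RULES:
            return PORT_RULES[port]
    return "OtherTCP"


def classify_by_content(pkt):
    """Content based: inspect the payload, fall back to the header rules.
    An encrypted stream is only recognisable as TLS, never as what it carries."""
    data = pkt["payload"]
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/1."):
        return "HTTP"
    if data.startswith(b"SSH-"):
        return "SSH"
    if data.startswith(SMTP_CLIENT):
        return "SMTP"
    if data[:1] == b"\x16" and data[1:2] == b"\x03":  # TLS handshake record
        return "HTTPS" if 443 in (pkt["sport"], pkt["dport"]) else "SSL"
    return classify_by_header(pkt)


def account(frames, classifier, include=None, exclude=None):
    """Sum bytes per channel, honouring optional include/exclude IP filters
    (an include filter keeps only packets that touch a listed IP)."""
    totals = {}
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        ips = {pkt["src_ip"], pkt["dst_ip"]}
        if include and not ips & set(include):
            continue
        if exclude and ips & set(exclude):
            continue
        channel = classifier(pkt)
        totals[channel] = totals.get(channel, 0) + len(frame)
    return totals


# Constructed samples: HTTP on a non-standard port, TLS on 443, SSH on 2222.
SAMPLE_FRAMES = [
    build_tcp_packet("10.0.0.5", "192.0.2.10", 51000, 8000,
                     b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_tcp_packet("10.0.0.5", "192.0.2.20", 51001, 443,
                     b"\x16\x03\x01\x00\x05hello"),
    build_tcp_packet("10.0.0.7", "192.0.2.30", 51002, 2222,
                     b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for name, fn in (("header", classify_by_header), ("content", classify_by_content)):
        print(name, account(SAMPLE_FRAMES, fn))
```

Run stand-alone, the header based pass puts the HTTP-on-8000 and SSH-on-2222 samples into OtherTCP, while the content based pass names them HTTP and SSH; the TLS sample is HTTPS either way, because the payload only reveals a TLS handshake. Note that the content classifier still needs the header rules as a fallback, and that every extra signature it checks is CPU spent per packet, which is the trade-off the text describes.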

Tools

Paessler Card Packet Counter: Shows short term statistics about the network data packets passing a local network card.
http://www.paessler.com/tools/

Keywords: Sensor,Packet Sniffing,Packet Sniffer,Sniffing,Traffic Sensor,Header Based Packet Sniffing,Content Based Packet Sniffing