2

I am looking to monitor my network usage (on a packet level). Everything. Logging is a strict requirement. I need to be able to log HTTP and DNS queries, for storage, over time.

Yes, I have the network setup in place to capture this. I have been using Colasoft Capsa, but am looking for different solutions due to stability issues.

Yes, I have tried Wireshark. I can't seem to get it to discard packets and focus on logging what I want in a sane manner. Also, some form of endpoint graphing or reporting (top talkers, popular endpoints, and usage breakdown and filtering by traffic type) is a requirement. If I am blatantly missing something let me know. But I don't think Wireshark will work for me.

Obviously with Capsa, I am in a Windows environment but I am fine with moving to Linux if need be. I have spent quite a bit of time looking but cannot find an alternative.

I have SNMP graphing and services checking already covered, for what it is worth.

I am not against a paid solution, but would prefer anything open source. Any of your thoughts and suggestions would be highly appreciated!

1
  • You should use a dedicated piece of hardware if you want to do this properly. However, my company uses a tool called PacketTrap MSP which works pretty well, but is fairly expensive.
    – user3463
    Commented Jul 14, 2012 at 19:46

3 Answers

2

All the implementations I saw where there was a requirement to log all packets, or certain packets, were done with equipment by Check Point. You will still need some other tools for graphing, I think.

Another solution is to use a Linux intermediary to log all packets and feed them to Splunk. Splunk is a very good tool to build graphs and automatically generate reports.

1

Have a look at ntop (Linux package); it logs just about everything, from my own experience, and can produce reports as needed.

0

By the way, this can be done very easily with Wireshark by using the following filter:

tcp.srcport == 443 or tcp.srcport == 80 or udp.srcport == 53

You can remove the tcp.srcport == 443 if you are not interested in HTTPS packets.

Wireshark can also produce endpoint reports (Statistics > Endpoints), response times, a conversation list, a protocol hierarchy, etc.

I would give Wireshark another chance.
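Added example, not from the question or any of the answers above: a stdlib-only Python script that does offline what the last answer asks Wireshark to do, and covers the "Linux intermediary that logs packets and feeds an indexer" idea from the second answer. One caveat first: a filter on tcp.srcport == 80 or udp.srcport == 53 keeps the server's replies, not the client's requests, so the script keys on the destination port instead and keeps only DNS queries sent to UDP/53 and HTTP/1.x requests sent to TCP/80; everything else (TLS, DNS answers, ICMP, ...) is discarded, which is the "discard and focus on what I want" step the question asks about. It reads a libpcap file such as tcpdump -w writes, produces one dict per request (json.dumps on each is all a log indexer such as Splunk needs), and builds the two reports the question names, top talkers and popular endpoints. Assumptions: little-endian microsecond pcap, Ethernet II framing, IPv4, and an HTTP request line that sits in the first segment of the connection; IPv6, VLAN tags, IP fragments, TCP reassembly and HTTP on other ports are out of scope. The capture at the bottom is constructed in code; addresses, names and timestamps are illustrative, not observed traffic.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap with microsecond timestamps
ETH_IPV4 = 0x0800

def iter_pcap_frames(data):
    """Yield (timestamp, frame_bytes) from an in-memory libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dns_qname(payload):
    """First question name of a DNS query (QR bit clear), else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000 or qdcount == 0:         # answers are not logged, only queries
        return None
    labels, off = [], 12
    while off < len(payload):
        n, off = payload[off], off + 1
        if n == 0:
            return ".".join(labels) or "."
        if n & 0xC0:                           # compression pointer: not valid in a query name
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return None                                # truncated name

def http_request(payload):
    """'METHOD host/path' from an HTTP/1.x request start line, else None."""
    lines = payload.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith(b"HTTP/1."):
        return None
    host = next((ln[5:].strip() for ln in lines[1:] if ln.lower().startswith(b"host:")), b"")
    return (parts[0] + b" " + host + parts[1]).decode("ascii", "replace")

def parse_frame(ts, frame):
    """Decode Ethernet/IPv4/{UDP,TCP}; return a log record, or None to discard the packet."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]   # IP total length drops Ethernet padding
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == 17 and len(l4) >= 8 and struct.unpack_from("!H", l4, 2)[0] == 53:
        kind, detail = "dns", dns_qname(l4[8:])                       # UDP to port 53
    elif proto == 6 and len(l4) >= 20 and struct.unpack_from("!H", l4, 2)[0] == 80:
        kind, detail = "http", http_request(l4[(l4[12] >> 4) * 4:])   # TCP to port 80, past the header
    else:
        return None                            # TLS, DNS answers, ICMP, ... are dropped
    return {"ts": ts, "src": src, "dst": dst, "type": kind, "detail": detail} if detail else None

def build_log(pcap_bytes):                     # one record per logged request, in capture order
    return [r for r in (parse_frame(ts, f) for ts, f in iter_pcap_frames(pcap_bytes)) if r]

def report(records, n=5):
    """Top talkers (source hosts) and popular endpoints ((type, name) pairs), by request count."""
    return {"top_talkers": Counter(r["src"] for r in records).most_common(n),
            "popular_endpoints": Counter((r["type"], r["detail"]) for r in records).most_common(n)}

# --- constructed sample capture: not real traffic; addresses and names are illustrative ---
def _eth_ipv4(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + payload
def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def _tcp(sport, dport, data):                  # data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
def _dns_query(name):                          # standard query, RD set, one A question
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def sample_capture():
    frames = [
        _eth_ipv4("10.0.0.5", "10.0.0.1", 17, _udp(40000, 53, _dns_query("example.com"))),
        _eth_ipv4("10.0.0.5", "93.184.216.34", 6,
                  _tcp(50000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")),
        _eth_ipv4("10.0.0.7", "10.0.0.1", 17, _udp(40001, 53, _dns_query("example.com"))),
        _eth_ipv4("10.0.0.5", "93.184.216.34", 6, _tcp(50001, 443, b"\x16\x03\x01\x00\x05")),  # TLS: dropped
        _eth_ipv4("10.0.0.1", "10.0.0.5", 17, _udp(53, 40000, b"\x12\x34\x81\x80" + b"\x00" * 8)),  # answer: dropped
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1342300000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    log = build_log(sample_capture())          # swap in open("capture.pcap", "rb").read() for real data
    print(*log, sep="\n")
    print(report(log))
```

On a Linux capture box the same selection can be pushed down to the kernel so nothing else is even written to disk: `tcpdump -i eth0 -w capture.pcap 'udp dst port 53 or tcp dst port 80'`, and the script then runs over the rotated files. The equivalent Wireshark display filter, keeping requests rather than replies, is `dns.flags.response == 0 or http.request`.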
