Cisco Works, SNMP, MIBs.
sparky
New Member
Posts:
38
Joined:
Tue Jul 19, 2011 8:47 am

realtime traffic monitoring

Wed Jul 20, 2011 8:37 am

Just wondering what suggestions people have in relation to monitoring traffic on their ASA, generally we have no need to but we have had instances where we've wanted to find out what server/pc is hogging bandwidth.

I've had a look around and found NTOP which utilises NetFlow (not used before) but this isn't realtime from what I can gather. More often than not we'd want to find out what's going on realtime/now, not what happened 5 mins ago.

Any thoughts?

that1guy15
Post Whore
Posts:
3224
Joined:
Thu Apr 29, 2010 6:12 pm
Certs:
CCNP, CCDP, CCIP

Re: realtime traffic monitoring

Wed Jul 20, 2011 9:02 am

"Real-time" is going to be hard to come by. NetFlow and SNMP are my tools of choice. Keep in mind, though, that you can adjust the polling intervals to sub-minute rates (on some tools), but you are going to start chewing up a ton of firewall and server resources. Some tools out there will freak out and not be able to handle this. Your ASA might not like it either.

just like debug, you will get a ton of information but at a high cost.
http://blog.movingonesandzeros.net/

raven
CCIE #20728
Posts:
1450
Joined:
Thu Aug 09, 2007 11:22 am

Re: realtime traffic monitoring

Wed Jul 20, 2011 9:19 am

Did something like that a few years ago with RRD and own written Perl/PHP Scripts as an on Demand Service.
We got a PHP front end which let you choose which device and link to monitor and at which interval. The PHP scripts created the RRD database and started the Perl script, which worked in daemon mode and just queried the SNMP MIBs at every interval and put the results into the RRD database.

After we did not need it any more the stuff was deleted so the server and device did not have issues with resources over a long time period. The only thing I saw so far which was able to create near real time monitoring without a sky high price.
http://ccie20728.wordpress.com/
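
A sketch of the counter-to-rate step that an interval-based SNMP poller like the one described above has to perform, added here as an example (it is not raven's script). It assumes the `(time, octets)` samples were already fetched from IF-MIB `ifInOctets` (Counter32) or `ifHCInOctets` (Counter64); the function names and the sample data are constructed for illustration.

```python
def seconds_to_wrap(link_bps, counter_bits=32):
    """Time for an octet counter to wrap once at full line rate.

    Polling slower than this makes a wrap ambiguous (one wrap or several?).
    """
    return (2 ** counter_bits) * 8 / link_bps


def rates_bps(samples, counter_bits=32, link_bps=None):
    """Convert polled octet counters into per-interval bit rates.

    samples: list of (unix_time, octets) tuples in poll order.
    Returns a list of (unix_time, bps); bps is None when the interval
    cannot be trusted (bad timestamps, or a counter reset after a reload
    that looks like an impossibly large wrap).
    """
    modulus = 2 ** counter_bits
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            out.append((t1, None))
            continue
        delta = c1 - c0
        if delta < 0:
            # Counter went backwards: assume it wrapped exactly once.
            delta += modulus
        bps = delta * 8 / dt
        if link_bps is not None and bps > link_bps:
            # Faster than the link can carry: treat as a reset, not traffic.
            bps = None
        out.append((t1, bps))
    return out


# Constructed samples: 10-second polls of a Counter32 on a 1 Gbps link.
# The second interval crosses a wrap; the third follows a device reload.
SAMPLES = [(0, 4294000000), (10, 4294900000), (20, 157704), (30, 500)]

if __name__ == "__main__":
    print("wrap time at 1 Gbps:", seconds_to_wrap(1_000_000_000), "s")
    for t, bps in rates_bps(SAMPLES, 32, 1_000_000_000):
        print(t, bps)
```

A 32-bit octet counter on a gigabit link can wrap in about 34 seconds, so a poller has to either poll faster than that or read the 64-bit counters where the device offers them.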

sparky
New Member
Posts:
38
Joined:
Tue Jul 19, 2011 8:47 am

Re: realtime traffic monitoring

Thu Jul 21, 2011 2:14 am

Yeah, I've read about the load it can have on CPU, etc. It's a shame you can't just select the Outside interface and break down the data/source in realtime via ASDM. Half the problem is first identifying the best place to monitor the data.

Don
New Member
Posts:
11
Joined:
Tue Sep 08, 2009 6:46 am

Re: realtime traffic monitoring

Mon Aug 01, 2011 9:34 am

NetFlow is the best but, yes, NetFlow export from Cisco ASA is not real-time. ASA NetFlow known as NSEL (NetFlow Secure Event Logging) is based on events triggered on the ASA.

Enabling NetFlow is not going to bug your firewall. I have had many customers use NetFlow from Cisco ASA with the NetFlow monitoring product I am a part of. I never came across an issue of CPU or memory shoot-ups on the ASA due to enabling NetFlow. So, it's safe. And since it's the ASA, get a free version of some NetFlow software. My product's free edition can monitor 2 interfaces with all features including data storage. The product is ManageEngine NetFlow Analyzer.

Regards,
Don Thomas

bakergarry
Senior Member
Posts:
387
Joined:
Mon May 30, 2011 1:51 pm
Certs:
ccna, ccna security, ccna voice, ccnp, ccip

Re: realtime traffic monitoring

Mon Aug 01, 2011 9:56 am

the only way you are going to get "realtime" is to put in a tap or SPAN off a switch and use NTOP as the traffic flows, not as a netflow probe....

and still that has to refresh the webpage to show you "top talkers" just like if you were using a more pricey Netscout with nGenius frontend...

or tap with wireshark (tshark) or cace pilot server...

netflow, ipfix, sflow is always going to have to tax the router/switch/firewall in question and have to collect and dump to the collecting station...
"With sufficient thrust, pigs fly just fine..." - RFC 1925

bakergarry
Senior Member
Posts:
387
Joined:
Mon May 30, 2011 1:51 pm
Certs:
ccna, ccna security, ccna voice, ccnp, ccip

Re: realtime traffic monitoring

Mon Aug 01, 2011 10:16 am

"With sufficient thrust, pigs fly just fine..." - RFC 1925

timmynorris
New Member
Posts:
12
Joined:
Fri Sep 23, 2011 1:49 am

Re: realtime traffic monitoring

Wed Sep 28, 2011 3:13 am

Thank you very much for sharing that information, I also want to monitor real time traffic as well.

cisco_1
CCIE #24973
Posts:
201
Joined:
Fri Mar 02, 2007 5:18 am
Certs:
CCNP,CCSP,CCIE (R&S)#24973

Re: realtime traffic monitoring

Sun Oct 30, 2011 12:37 am

You can set up "Cacti" along with the Realtime plugin.
"Nothing Is Limited, Except Our Understanding To The Universe"

Fred
Post Whore
Posts:
2576
Joined:
Sat Jun 07, 2008 11:06 am
Certs:
CCNP, CCDP

Re: realtime traffic monitoring

Fri Nov 04, 2011 9:34 pm

Remember that at any given moment, a link is either 100% utilized, or 0% utilized, since it's a digital signal.

sparky
New Member
Posts:
38
Joined:
Tue Jul 19, 2011 8:47 am

Re: realtime traffic monitoring

Wed Nov 23, 2011 6:29 am

Anybody using SNMP to monitor their ASA and are there any security implications to think about?

ristau5741
Post Whore
Posts:
10522
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: realtime traffic monitoring

Wed Nov 23, 2011 9:21 am

sparky wrote: Anybody using SNMP to monitor their ASA and are there any security implications to think about?



all depends on what version of SNMP you are talking about.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

shapeshifter
Member
Posts:
133
Joined:
Sat Mar 26, 2011 10:42 pm

Re: realtime traffic monitoring

Sat Feb 11, 2012 2:25 am

bakergarry wrote: the only way you are going to get "realtime" is to put in a tap or SPAN off a switch and use NTOP as the traffic flows, not as a netflow probe....

LS21
Junior Member
Posts:
85
Joined:
Tue Mar 20, 2012 6:39 pm
Certs:
CCNA, CCNA Security, FIREWALL v2.0

Re: realtime traffic monitoring

Thu Mar 22, 2012 4:47 am

How about using a proxy server? There is some pretty good software out there that will allow you to see real time traffic, routing through the proxy.

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: realtime traffic monitoring

Fri Mar 23, 2012 1:17 am

I would also like to know the answer to this. Does anyone know if there is a tool like torch on RouterBoard? http://i294.photobucket.com/albums/mm90 ... torch2.jpg

Thanks for all the info above as well!
