How to track traffic on a local network. Principles of organization of IP-traffic accounting. NetWorx will monitor the traffic

The PID column shows which process owns each connection, so you can see which program is consuming the bandwidth.

Right-clicking a process opens a context menu: Process Properties (details of the process), End Process (terminate it), Copy (copy the row), Close Connection (drop that connection), and Whois (look up who the remote address is registered to).

The third way is to use built-in Windows components

Click Start, then Control Panel.

For Windows XP: open the Security Center.

Click "Automatic Updates".

In the window that opens, select "Turn off Automatic Updates" and click "OK".

For Windows 7: open Windows Update.

Click "Change settings".

Under "Important updates" choose "Never check for updates".

Windows Update and the components that depend on it will stop fetching updates over the network. To keep the service from switching itself back on, disable it as well (the steps apply to both Windows XP and Windows 7):

In the Control Panel, open "Administrative Tools", then "Services".

Find the service "Automatic Updates" (Windows XP) or "Windows Update" (Windows 7), stop it, and set its Startup type to "Disabled".

Bear in mind what this costs: a machine that no longer receives updates stays exposed to every vulnerability patched after that date. If the goal is only to keep update downloads from competing with your own traffic, it is safer to schedule updates for off-hours or meter them than to switch them off entirely.

The fourth way is to use the antivirus program's own controls

Recent versions of NOD32 include a traffic-monitoring tool. Launch ESET NOD32 Smart Security 5 or later, go to the "Tools" section and select "Network connections".

Close your browsers and look at the list of programs and components that are using the Internet connection. Next to each program, the connection and its current transfer speed are shown.

To block a program's network access, right-click its entry and choose the option to temporarily deny network communication for that process.

The bandwidth that process was consuming is freed for everything else, which is what shows up as a faster connection.

Hi friends! I was going to write about how to monitor traffic right after I wrote the article "", but somehow forgot. Now I remembered and will tell you how to track how much traffic you use; we will do this with the help of a free program, NetWorx.

You know, when you have unlimited Internet you don't really need to monitor traffic, except out of curiosity. Yes, nowadays all city networks are usually unlimited, which cannot be said of 3G Internet, whose tariffs are usually sky-high.

All this summer I have been using CDMA Internet from Intertelecom, and I know all these nuances of traffic and tariffs firsthand. I already wrote about how to set up and improve Intertelecom's Internet, read and . So, their "unlimited" tariff costs 150 hryvnia per month. As you can see, I put the word unlimited in quotation marks. Why? Because there is a speed limit, though only during the day, but there is nothing to rejoice at: the speed there is simply terrible, it is better to use GPRS.

The most reasonable tariff is 5 hryvnia per day when you connect, that is, if you do not connect today, you do not pay. But it is not unlimited: it is 1000 megabytes a day, until midnight. I have this tariff now, and at least it has a decent speed, the real average speed is 200 Kbps. But 1000 MB per day is not much at such a speed, so in this case it is simply necessary to control the traffic. Moreover, after those 1000 MB are used up, each megabyte costs 10 kopecks, which is not cheap.

As soon as I connected this Internet, I started looking for a nice program that would control my Internet traffic and let me set a warning when the limit was used up. I found it, of course not immediately; after trying a couple of things I came across NetWorx, which is what we will talk about.

NetWorx will monitor the traffic

Now I will tell you where to get the program and how to set it up.

1. So that you do not have to search for the program, I uploaded it to my hosting, so .

2. Run the downloaded file and install the program. I will not describe the installation process, I wrote about it in .

3. If the program did not start by itself after installation, launch it from the shortcut on the desktop or in the Start menu.

4. That's it, the program is already counting your Internet traffic; it hides in the tray and quietly works there. The program's working window looks like this:

As you can see, the program shows Internet traffic for the current day and for the entire time since you installed it, so you can see how much I have burned through :). In fact, the program does not need any settings. I will just show how to set a quota in NetWorx, that is, a traffic limit, and how to make the tray icon display incoming and outgoing traffic activity.

5. First, let's make the tray icon show Internet traffic activity.

Right-click the program icon in the tray and select "Settings".

On the "Graph" tab, set the options as in the screenshot, then click "OK" and "Apply". The NetWorx tray icon will now display Internet connection activity.

6. The last step in setting up this program is setting a quota. For example, Intertelecom gives me only 1000 MB per day, so in order not to exceed that, I set the program up to warn me when 80% of the quota has been used.

Right-click the program's tray icon and select "Quota".

As you can see, today I have used up 53% of my limit; below it is a field where you can specify at what percentage the program should warn you that the traffic is running out. Click the "Settings" button to configure the quota.

Everything is simple here: first set what kind of quota you have (mine is daily), then which traffic to count (I selected all traffic, incoming and outgoing). Set the hours during which the quota applies and the units (I use megabytes). And of course do not forget to specify the size of the quota, in my case 1000 megabytes. Click "OK" and the quota is set.

That's it, the program is fully configured and ready to count your traffic. It starts together with the computer, and you only need to look in occasionally to see how much traffic you have burned through. Good luck!


NetWorx: How to Monitor Internet Traffic updated: August 17, 2012 by: admin

Over the last 10-15 years, Internet access has been added to a company's usual expenses. To budget for Internet traffic properly, you need to know its monthly consumption. Traffic accounting is one of the most important responsibilities of a system administrator.
The head of a company of any size must know how many resources the organization consumes: how much money is spent and where, how much electricity is used, what telephony costs, and so on. Over the last 10-15 years another item of expenditure has been added: the Internet. To budget for the company's Internet traffic correctly, you need to know exactly what its monthly consumption is. Traffic accounting (http://www.10-strike.com/rus/bandwidth-monitor/) is therefore one of the most important duties of the system administrator, who is responsible for counting traffic and keeping the records, which includes continuously checking that the traffic allocated to the company, say its weekly traffic, does not exceed the established limit.

To save money, more and more organizations are switching to unlimited Internet access packages, but traffic accounting does not become any less important. For example, the speed of the Internet connection may drop periodically, and there can be many reasons: an unscrupulous provider, an employee downloading large files during working hours, or the failure of one of the network interfaces. Slow or absent Internet access means poorer service quality for a modern business today and lost partners and customers tomorrow.

Depending on the security policy, traffic accounting can be implemented in the following ways:


  1. Using the SNMP protocol (Simple Network Management Protocol). The advantage of this method is that no additional software has to be installed on users' computers: the traffic accounting program runs only on the system administrator's PC, and on the remote computers it is only necessary to configure the SNMP service correctly, which is not difficult for a specialist. This protocol lets you account for traffic, firstly, on computers running Windows and Linux and, secondly, on network printers, switches and other network devices, so the system administrator can also monitor the company's active network equipment. The SNMP service is often disabled or not installed by default and has to be installed and configured. One caveat: SNMP v1 and v2c send the community string in cleartext and have no other authentication, so polling across an untrusted segment should use SNMPv3 with authentication and privacy, and the community or user should be read-only and restricted to the poller's address.

  2. Via the WMI service (Windows Management Instrumentation), an alternative to SNMP. Like the previous method it requires no additional modules on the monitored computers; however, it works only on Windows, and the poller needs an account with administrative rights on each machine plus DCOM/RPC access through any host firewall, so those credentials deserve the same care as any other privileged account.

  3. If the company's security policy prohibits SNMP and WMI, the system administrator can use traffic accounting via agents installed on the remote computers; such agents usually ship with the traffic accounting program. An agent implemented as a service reads all traffic counters unnoticed by the user and without loading the computer.

  4. The next way is to account for traffic with the NetFlow protocol, developed by Cisco to collect information about IP traffic within the network. The exporting device keeps statistics on the IP packets it forwards in a flow cache and periodically sends the completed flow records to a collector for processing. The most important advantage of this method is the ability to track traffic in large companies with complex, geographically distributed networks. Note, though, that it can only be used where the network equipment supports NetFlow export, and such equipment is fairly expensive.

  5. Another method is to count network packets with a sniffer (traffic analyzer). This method reveals the IP addresses of both sender and recipient, so you can see what the organization's bandwidth is being spent on. Bear in mind that on networks with large volumes of traffic or high bandwidth this kind of accounting may drop packets and therefore undercount, and the sniffer only sees traffic on the segment it is attached to (a mirror port or tap is needed to see the rest).
Using several traffic accounting methods at once gives a complete picture of the work of the enterprise and its employees. Accounting for traffic per protocol, with all collected information automatically presented as tables and graphs, lets you identify the employees who use the Internet most actively and find out what it is spent on: viewing photos, downloading files, messaging or watching videos online.

Some traffic accounting programs (http://www.10-strike.com/eng/bandwidth-monitor/) let you configure a reaction to certain events, for example exceeding the set traffic limit or a network interface going down, so the administrator learns about them sooner and resolves problems with minimal loss of time and effort. But the most important purpose of traffic accounting is to always know the current expenses, so that the budget can be planned carefully and objective conclusions drawn about the work of the organization's employees.

Sooner or later every administrator receives an instruction from management: "work out who goes online and how much they download." For providers it is supplemented by "let anyone in, take payment, restrict access." What to count? How? Where? There is a lot of fragmentary information, and it is not structured. We will save the novice admin a tedious search by providing general knowledge and useful links to the fundamentals.
In this article I will try to describe the principles of organizing the collection, accounting and control of traffic on a network. We will consider the questions that arise and list possible ways of retrieving information from network devices.

This is the first, theoretical, article in a series devoted to the collection, accounting, management and billing of traffic and IT resources.

Internet access structure

In general, the network access structure looks like this:
  • External resources: the Internet, with all the sites, servers, addresses and other things that do not belong to a network you control.
  • An access device: a router (hardware or PC-based), switch, VPN server or hub.
  • Internal resources: the set of computers, subnets and subscribers whose network use must be accounted for or controlled.
  • A management or accounting server: a device that runs specialized software. It can be combined with a software router.
In this structure network traffic flows from external resources to internal ones, and back, through the access device, which sends information about the traffic to the management server. The management server processes this information, stores it in a database, displays it and issues blocking commands. However, not all combinations of access devices (methods) and collection and management methods are compatible. The various options are discussed below.

Network traffic

First we need to define what is meant by "network traffic" and what useful statistical information can be extracted from the stream of user data.
IP version 4 is still the dominant internetworking protocol. IP corresponds to layer 3 of the OSI model (L3). Information (data) between sender and recipient is packed into packets, each with a header and a "payload". The header says where the packet comes from and where it is going (source and destination IP addresses), how long it is (the Total Length field) and what kind of payload it carries (the Protocol field). The bulk of network traffic consists of packets with TCP and UDP payloads; these are layer 4 (L4) protocols. Besides the addresses in the IP header, the headers of these two protocols carry port numbers, which identify the service (application) that is transmitting the data.

To transmit an IP packet over a wire (or radio), network devices must "wrap" (encapsulate) it in a layer 2 (L2) frame. The most common protocol of this type is Ethernet. The actual transfer "onto the wire" happens at layer 1. Usually the access device (router) does not parse packet headers above layer 4 (the exception is intelligent firewalls).
The addresses, ports, protocol and length fields of the L3 and L4 headers are the "raw material" used in traffic accounting and management. The actual amount of information transferred is given by the Total Length field of the IP header (which includes the header itself). Note that the total amount of data transmitted is always greater than the payload because of header overhead, and fragmentation of packets larger than the MTU adds a further IP header per fragment.

The L3 and L4 header fields that interest us here make up 2 to 10% of the total packet length. If all of this were processed and stored packet by packet, no resources would suffice. Fortunately, the vast majority of traffic is structured as a set of "dialogues" between external and internal network devices, the so-called "flows". For example, a single e-mail transfer (SMTP) opens one TCP session between client and server, characterized by a constant set of parameters (source IP address, source TCP port, destination IP address, destination TCP port). Instead of processing and storing information packet by packet, it is far more convenient to store the flow parameters (addresses and ports) together with aggregated information: the number and total length of packets transmitted in each direction and, optionally, session duration, router interface indices, the ToS field value, and so on. This approach works best for connection-oriented protocols (TCP), where the end of the session can be detected explicitly. Even for protocols without sessions, however, a flow record can be aggregated and logically closed, for example by a timeout. Below is an excerpt from the SQL database of our own billing system, which logs information about traffic flows:

The case where the access device performs address translation (NAT, masquerading) so that computers on the local network reach the Internet through a single external, public IP address deserves special mention. Here a dedicated mechanism rewrites the IP addresses and TCP/UDP ports of the packets, replacing internal (non-routable on the Internet) addresses according to its dynamic translation table. In this configuration, remember that to account correctly for hosts on the internal network, statistics must be collected in a way and at a place where the translation has not yet "anonymized" the internal addresses.

Methods for collecting information about traffic / statistics

You can capture and process information about passing traffic directly on the access device itself (PC router, VPN server), transferring it from this device to a separate server (NetFlow, SNMP), or “from the wire” (tap, SPAN). Let's analyze all the options in order.
PC router
Consider the simplest case: an access device (router) based on a PC running Linux.

Much has been written about setting up such a server, address translation and routing. We are interested in the next logical step: how to obtain information about the traffic passing through such a server. There are three common ways:

  • intercepting (copying) packets passing through the server's network card using the libpcap library
  • intercepting packets passing through the built-in firewall
  • using third-party tools that convert per-packet statistics (obtained by one of the two previous methods) into a stream of aggregated NetFlow information
libpcap


In the first case, a copy of each packet passing through the interface, after it passes a filter (man pcap-filter), can be requested by a client program on the server written against this library. The packet arrives with its layer 2 (Ethernet) header. The length of the captured data can be limited (if only the headers are of interest). Examples of such programs are tcpdump and Wireshark. There is a Windows implementation of libpcap. When address translation is used on a PC router, such capture must be done on its internal interface, the one connected to local users: on the external interface, after translation, the IP packets no longer contain information about the internal hosts. With this method, however, the traffic the server itself exchanges with the Internet cannot be accounted for (which matters if a web or mail service runs on it).

libpcap requires support from the operating system, which today comes down to installing a single library. The application (user) program that collects packets must:

  • open the required interface
  • specify the filter through which received packets must pass, the size of the captured part (snaplen), and the buffer size
  • set the promisc parameter, which puts the network interface into a mode where it captures all packets passing by, not just those addressed to this interface's MAC address
  • set a function (callback) to be called for each received packet

When a packet passes through the selected interface and matches the filter, this function receives a buffer containing the Ethernet, (VLAN), IP and other headers, up to snaplen bytes in total. Since libpcap copies packets, it cannot be used to block them. In that case the traffic collection and processing program has to use other means, for example calling a script that places the given IP address in a blocking rule.
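As an added example (not code from the original article), the following Python script walks through the data path just described: it reads a classic pcap file of the kind libpcap produces, where each packet arrives with its Ethernet header and is cut off at snaplen, extracts the L3/L4 fields named in the "Network traffic" section, and folds the packets into bidirectional flow records that close on TCP FIN/RST or by idle timeout. The frames and the pcap bytes are constructed inline so it runs offline; the addresses, ports and byte counts are sample values, and the 60-second idle timeout is an arbitrary choice.

```python
import struct

LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04

def ip_to_int(text):
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def build_frame(src, dst, proto, sport, dport, payload_len, tcp_flags=0x18):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (sample data, not real traffic)."""
    l4_len = 20 if proto == PROTO_TCP else 8
    total_len = 20 + l4_len + payload_len          # IP Total Length = header + L4 + payload
    ip_hdr = struct.pack("!BBHHHBBHII", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                         ip_to_int(src), ip_to_int(dst))
    if proto == PROTO_TCP:
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 0xFFFF, 0, 0)
    else:
        l4_hdr = struct.pack("!HHHH", sport, dport, l4_len + payload_len, 0)
    eth_hdr = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + l4_hdr + bytes(payload_len)

def write_pcap(frames, snaplen):
    """Serialize (ts_sec, frame) pairs as a classic pcap file, cutting every frame at
    snaplen exactly as libpcap does for a capture opened with that snaplen."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, 0, min(len(frame), snaplen), len(frame)))
        out.append(frame[:snaplen])
    return b"".join(out)

def iter_pcap(data):
    """Yield (ts_sec, captured_bytes) per packet: what libpcap hands to the callback."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        yield ts_sec, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(frame):
    """Extract the L3/L4 fields accounting needs from one captured frame; None for
    non-IPv4 frames or frames truncated (by snaplen) below the L4 port numbers."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBHII", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13] if proto == PROTO_TCP and len(ip) >= ihl + 14 else 0
    return proto, src, sport, dst, dport, total_len, flags

def aggregate(pcap_bytes, idle_timeout=60):
    """Collapse per-packet records into bidirectional flow records keyed by the 5-tuple.
    A flow is closed on TCP FIN/RST, when idle longer than idle_timeout seconds, or at
    end of capture.  Bytes come from the IP Total Length, so snaplen does not skew them."""
    active, exported = {}, []
    for ts, frame in iter_pcap(pcap_bytes):
        rec = decode(frame)
        if rec is None:
            continue
        proto, src, sport, dst, dport, total_len, flags = rec
        for key in [k for k, f in active.items() if ts - f["last"] > idle_timeout]:
            exported.append(active.pop(key))       # timeout closes non-session protocols
        forward = (src, sport) <= (dst, dport)     # canonical order so both directions match
        key = (proto,) + ((src, sport, dst, dport) if forward else (dst, dport, src, sport))
        flow = active.setdefault(key, {"proto": proto, "a": (key[1], key[2]), "b": (key[3], key[4]),
                                       "first": ts, "last": ts, "pkts_ab": 0, "bytes_ab": 0,
                                       "pkts_ba": 0, "bytes_ba": 0})
        flow["last"] = ts
        side = "ab" if forward else "ba"
        flow["pkts_" + side] += 1
        flow["bytes_" + side] += total_len
        if proto == PROTO_TCP and flags & (TCP_FIN | TCP_RST):
            exported.append(active.pop(key))       # explicit end of a TCP session
    exported.extend(active.values())
    return exported

def sample_capture():
    """Constructed capture: an HTTP exchange closed by FIN and one DNS query, snaplen 64."""
    frames = [
        (1000, build_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 40000, 80, 100)),
        (1000, build_frame("93.184.216.34", "10.0.0.5", PROTO_TCP, 80, 40000, 1200)),
        (1001, build_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 40000, 80, 0, tcp_flags=0x11)),
        (1002, build_frame("10.0.0.7", "8.8.8.8", PROTO_UDP, 5353, 53, 40)),
    ]
    return write_pcap(frames, snaplen=64)
```

Byte counts are taken from the IP Total Length rather than from the captured length, so a short snaplen (64 bytes here) does not distort the accounting; that is exactly why a capture sized for headers only is enough for this job. For a live capture the same decode() and aggregation would sit inside the libpcap callback; the file form is used here only so the example runs without an interface.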

Firewall


Capturing data as it passes through the firewall lets you account both for the server's own traffic and for users' traffic, even when address translation is running. The main thing is to formulate the capture rule correctly and put it in the right place. Such a rule hands the packet to a system library, from which the traffic accounting and management application can receive it. On Linux the firewall is iptables and the interception mechanisms are ip_queue (obsolete), nfnetlink_queue (the NFQUEUE target) and ULOG/NFLOG; on FreeBSD, ipfw with tee or divert rules. In each case the firewall mechanism is supplemented by the ability to work with a user program as follows:
  • The user program (the traffic handler) registers itself with the system through a system call or a library.
  • The user program or an external script installs a firewall rule that "wraps" the selected traffic (matching the rule) into the handler.
  • For each passing packet the handler receives its contents as a memory buffer (IP headers and all). After processing (accounting) the program must also tell the kernel what to do with the packet next: drop it or pass it on. It may also hand a modified packet back to the kernel.

Because the IP packet is not copied but handed to the analysis software, it becomes possible to "eject" it and so completely or partially restrict traffic of a certain kind (for example to a chosen local subscriber). However, if the application stops answering the kernel with its verdicts (hangs, for example), traffic through the server simply stops.
Note that with significant traffic volumes the mechanisms described create excessive load on the server, caused by constantly copying data from the kernel to the user program. Collecting statistics inside the OS kernel and exporting aggregated statistics to the application with the NetFlow protocol does not have this drawback.

Netflow
NetFlow was developed by Cisco Systems to export traffic information from routers for accounting and analysis. Version 5, still the most widespread, delivers a structured data stream to the receiver as UDP packets containing information about traffic that has already passed, in the form of so-called flow records:

The volume of information about the traffic is several orders of magnitude smaller than the traffic itself, which matters most in large and distributed networks. Naturally, NetFlow is a one-way statistics export: it offers no way to block traffic (unless additional mechanisms are used).
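As an added example (not part of the original article or of any vendor's code), here is a NetFlow v5 exporter/collector pair in Python: encode_v5 packs flow records into export datagrams with the 24-byte header and 48-byte records of the v5 format, parse_v5 validates a received datagram before anything in it is trusted, and the small Collector uses the header's flow_sequence field to count flows lost in transit, since the export rides on plain UDP. The flow records are constructed sample data, and the sysUpTime and timestamp values are arbitrary.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")    # 48 bytes
V5_MAX_RECORDS = 30                                   # 24 + 30*48 = 1464 bytes, fits one MTU
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def ip_to_int(text):
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def encode_v5(records, sys_uptime, unix_secs, flow_sequence=0, engine_id=0):
    """Exporter side: pack flow dicts into one or more v5 datagrams.  flow_sequence is
    the running count of flows exported before this batch; the collector uses it to
    notice datagrams that never arrived."""
    datagrams = []
    for i in range(0, len(records), V5_MAX_RECORDS):
        chunk = records[i:i + V5_MAX_RECORDS]
        header = V5_HEADER.pack(5, len(chunk), sys_uptime, unix_secs, 0, flow_sequence, 0, engine_id, 0)
        body = b"".join(V5_RECORD.pack(*(r.get(f, 0) for f in RECORD_FIELDS)) for r in chunk)
        datagrams.append(header + body)
        flow_sequence += len(chunk)
    return datagrams

def parse_v5(datagram):
    """Collector side: validate and decode one datagram; ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, _, engine_id, sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 1 <= count <= V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"sys_uptime": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
              "flow_sequence": flow_sequence, "engine_id": engine_id,
              # low 14 bits: sampling interval; non-zero means dPkts/dOctets cover sampled packets only
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for n in range(count):
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)))
        rec["src"], rec["dst"] = int_to_ip(rec["srcaddr"]), int_to_ip(rec["dstaddr"])
        rec["duration_ms"] = rec["last"] - rec["first"]       # first/last are sysUpTime in ms
        records.append(rec)
    return header, records

def is_malformed(datagram):
    try:
        parse_v5(datagram)
        return False
    except ValueError:
        return True

@dataclass
class Collector:
    """Tracks flow_sequence across datagrams; a jump means export datagrams were lost."""
    next_sequence: Optional[int] = None
    lost_flows: int = 0
    records: List[dict] = field(default_factory=list)

    def feed(self, datagram):
        header, records = parse_v5(datagram)
        if self.next_sequence is not None and header["flow_sequence"] > self.next_sequence:
            self.lost_flows += header["flow_sequence"] - self.next_sequence
        self.next_sequence = header["flow_sequence"] + len(records)
        self.records.extend(records)
        return records

def sample_flows():
    """Constructed flow records: one HTTP session and one DNS query (not real traffic)."""
    return [
        {"srcaddr": ip_to_int("10.0.0.5"), "dstaddr": ip_to_int("93.184.216.34"), "input": 1, "output": 2,
         "dPkts": 12, "dOctets": 9100, "first": 1000, "last": 2000, "srcport": 40000, "dstport": 80,
         "tcp_flags": 0x1B, "prot": 6, "src_mask": 24},
        {"srcaddr": ip_to_int("10.0.0.7"), "dstaddr": ip_to_int("8.8.8.8"), "input": 1, "output": 2,
         "dPkts": 1, "dOctets": 68, "first": 1500, "last": 1500, "srcport": 5353, "dstport": 53,
         "prot": 17, "src_mask": 24},
    ]
```

Because v5 export carries no authentication, a real collector should also accept datagrams only from the configured exporter addresses and, where possible, only on a management network; otherwise anyone who can send UDP to the collector port can inject flow records into the billing database.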
Version 9, in which records are described by templates, is now gaining ground. sFlow is a separate, sampling-based protocol implemented by other manufacturers, not a NetFlow version. IPFIX, the IETF standard derived from NetFlow v9, keeps the template approach and lets exporters define additional fields, including information from higher layers (for example the application type).
NetFlow sources (agents, probes) are available for PC routers both as utilities working on the mechanisms described above (fprobe, softflowd) and built into the OS kernel (FreeBSD: ng_netflow, Linux: ). For software routers the NetFlow statistics stream can be received and processed locally on the router itself, or sent over the network (UDP) to the receiving device (collector).


The collector program can receive information from many sources at once and can distinguish their traffic even when address spaces overlap. With additional tools such as nprobe it is also possible to aggregate data further, split (fan out) the stream or convert between protocols, which is important when managing a large, distributed network with dozens of routers.

NetFlow export is supported by routers from Cisco Systems, MikroTik and some others. Similar functionality (with other export protocols) is supported by all major network equipment manufacturers.

libpcap "outside"
Let's complicate the task a little. What if your access device is a third-party hardware router, say from D-Link, ASUS or TRENDnet? Most likely no additional software for retrieving data can be installed on it. Or you have an intelligent access device but cannot configure it (no rights, or it is managed by your provider). In that case traffic information can be collected right at the junction between the access device and the internal network, using "hardware" means of copying packets. You will certainly need a separate server with a dedicated network card to receive the copies of the Ethernet frames.
The server must use the packet collection mechanism of the libpcap method described above, and our task is to feed the network card allocated for this a data stream identical to what leaves the access device. For this you can use:
  • An Ethernet hub: a device that simply repe
ats frames to all of its ports indiscriminately. These days it can be found somewhere in a dusty warehouse, and the method is not recommended: unreliable, slow (there are no hubs at 1 Gbit/s).
  • An Ethernet switch with port mirroring (SPAN ports). Modern intelligent (and expensive) switches can copy all traffic (incoming, outgoing or both) of a given port, another physical interface or a VLAN to a specified port, even a remote one (RSPAN).
  • A hardware tap (splitter), which, because it presents each direction of the link on its own output, may require two capture network cards instead of one, in addition to the main, system one.


Naturally, you can configure the SPAN port on the access device itself (router) if it allows it, as on a Cisco Catalyst 6500 or Cisco ASA. Here is an example of such a configuration for a Cisco switch:
monitor session 1 source vlan 100             ! where the packets are taken from
monitor session 1 destination interface Gi6/3 ! where the copies are sent

SNMP
What if there is no router under our control, we do not want to deal with NetFlow, and we are not interested in the details of our users' traffic? They are simply connected to the network through a managed switch, and we only need a rough estimate of the amount of traffic on each of its ports. As you know, remotely managed network devices maintain and can report counters of packets (and bytes) passing through their interfaces. The right way to poll them is the standardized SNMP management protocol. With it you can easily obtain not only the values of these counters but other parameters as well, such as interface name and description, the MAC addresses seen through it, and other useful information. This can be done with command-line utilities (snmpwalk), graphical SNMP browsers, or more sophisticated network monitoring programs (rrdtool, Cacti, Zabbix, WhatsUp Gold, etc.). However, this method has two significant drawbacks:
  • traffic can only be blocked by disabling the interface entirely, again via SNMP
  • the counters obtained via SNMP (ifInOctets/ifOutOctets, with unicast, broadcast and multicast packet counts kept separately) refer to the total length of the Ethernet frames, whereas the other tools described above report values for IP packets. This creates a noticeable discrepancy (especially for short packets) because of the Ethernet framing overhead, though it can be corrected approximately: L3_bytes = L2_bytes - L2_packets*38. The 38 bytes stand for the per-frame overhead (14-byte header, 4-byte FCS, 8-byte preamble and 12-byte inter-frame gap); whether a given device's counter includes the last two varies, so treat the result as an estimate. Two further practical points: a 32-bit counter wraps every 2^32 bytes (about 34 seconds on a saturated 1 Gbit/s link), so either poll often enough that at most one wrap can occur between polls or use the 64-bit ifHCInOctets/ifHCOutOctets counters; and the figures are only as trustworthy as the SNMP access to the device, so use read-only SNMPv3 or at least restrict v2c communities to the poller's address.
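As an added example (not from the article), the Python below does the two things an SNMP-based counter needs beyond reading numbers: it handles Counter32 wrap between two polls and it applies the L3_bytes = L2_bytes - L2_packets*38 correction just given. The snmpwalk-style lines are constructed sample output for one interface (ifIndex 3) polled 300 seconds apart, arranged so that ifInOctets wraps between the polls; the names follow IF-MIB, and the 64-bit ifHC* counters are preferred automatically when both polls carry them.

```python
import re

ETH_L2_OVERHEAD = 38   # 14-byte header + 4 FCS + 8 preamble/SFD + 12 inter-frame gap
WALK_RE = re.compile(r"IF-MIB::(\w+)\.(\d+) = Counter(32|64): (\d+)")

def parse_walk(text):
    """Parse snmpwalk-style lines into {ifIndex: {counterName: (value, bits)}}."""
    table = {}
    for name, index, bits, value in WALK_RE.findall(text):
        table.setdefault(int(index), {})[name] = (int(value), int(bits))
    return table

def counter_delta(prev, cur, bits):
    """Difference between two polls of a CounterNN, allowing for exactly one wrap."""
    return cur - prev if cur >= prev else cur + (1 << bits) - prev

def max_safe_poll_interval(line_rate_bps, bits=32):
    """Seconds until a counter driven at full line rate can wrap twice, after which a
    delta is ambiguous.  A Counter32 on a saturated 1 Gbit/s link wraps every ~34 s."""
    return (1 << bits) / (line_rate_bps / 8)

def l3_bytes(l2_bytes, l2_packets):
    """Approximate IP-level bytes from Ethernet counters: the article's formula."""
    return l2_bytes - l2_packets * ETH_L2_OVERHEAD

def account(prev, cur, interval_s):
    """Per-interface usage between two polls: L2 bytes, estimated L3 bytes and bit rate.
    Prefers the 64-bit ifHC* counters when both polls have them."""
    usage = {}
    for index, counters in cur.items():
        if index not in prev:
            continue                      # interface appeared between polls; no delta yet
        def delta(hc_name, name):
            key = hc_name if hc_name in counters and hc_name in prev[index] else name
            value, bits = counters[key]
            return counter_delta(prev[index][key][0], value, bits)
        in_bytes = delta("ifHCInOctets", "ifInOctets")
        out_bytes = delta("ifHCOutOctets", "ifOutOctets")
        in_pkts = delta("ifHCInUcastPkts", "ifInUcastPkts")
        out_pkts = delta("ifHCOutUcastPkts", "ifOutUcastPkts")
        usage[index] = {
            "in_l2_bytes": in_bytes, "out_l2_bytes": out_bytes,
            "in_l3_bytes": l3_bytes(in_bytes, in_pkts), "out_l3_bytes": l3_bytes(out_bytes, out_pkts),
            "in_bps": in_bytes * 8 / interval_s, "out_bps": out_bytes * 8 / interval_s,
        }
    return usage

# Constructed snmpwalk output for two polls 300 s apart; ifInOctets.3 wraps between them.
WALK_T0 = """\
IF-MIB::ifInOctets.3 = Counter32: 4294900000
IF-MIB::ifOutOctets.3 = Counter32: 1200000
IF-MIB::ifInUcastPkts.3 = Counter32: 1000
IF-MIB::ifOutUcastPkts.3 = Counter32: 800
"""
WALK_T1 = """\
IF-MIB::ifInOctets.3 = Counter32: 100000
IF-MIB::ifOutOctets.3 = Counter32: 1350000
IF-MIB::ifInUcastPkts.3 = Counter32: 2000
IF-MIB::ifOutUcastPkts.3 = Counter32: 1100
"""

def example():
    """Usage between the two constructed polls for ifIndex 3."""
    return account(parse_walk(WALK_T0), parse_walk(WALK_T1), interval_s=300)[3]
```

max_safe_poll_interval() is the check to run before choosing a polling period: if the interval is longer than that value for the port's speed, a single Counter32 delta can hide a whole wrap and the port will be under-billed, which is the practical reason to poll the ifHC* counters on anything faster than 100 Mbit/s.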
VPN
Separately, it is worth considering the case where users reach the network by explicitly establishing a connection to the access server. The classic example is good old dial-up, whose modern analogue is remote access VPN services (PPTP, PPPoE, L2TP, OpenVPN, IPsec).


The access device not only routes the users' IP traffic but also acts as a specialized VPN server, terminating the logical tunnels (often encrypted) inside which the user traffic is carried.
To account for such traffic you can use all the tools described above (they are well suited to in-depth analysis by ports and protocols) as well as additional mechanisms provided by the VPN access control tools. First of all this means the RADIUS protocol. Its operation is a fairly complex topic; briefly: access to the VPN server (the RADIUS client, or NAS) is controlled by a dedicated application (the RADIUS server), which holds a database (text file, SQL, Active Directory) of valid users with their attributes (connection speed limits, assigned IP addresses). Besides the authorization exchange, the client sends the server accounting messages: an Accounting-Start when a session begins, periodic Interim-Update messages with the current state of each running VPN session, including counters of bytes and packets transmitted in each direction, and an Accounting-Stop when it ends.
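As an added example (not from the article), the following Python builds and verifies a RADIUS Accounting-Request as a VPN server (the NAS) would send it to the accounting server, using the attributes defined in RFC 2866: Acct-Status-Type, the octet and packet counters per direction, the Gigawords attributes that carry the high 32 bits of the octet counters once a session passes 4 GiB, and the session identifier. The shared secret, user name, addresses and counter values are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
# Attribute types from RFC 2865/2866; Input = received from the user, Output = sent to the user.
INT_ATTRS = {"Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
             "Acct-Session-Time": 46, "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
             "Acct-Input-Gigawords": 52, "Acct-Output-Gigawords": 53}
STR_ATTRS = {"User-Name": 1, "Acct-Session-Id": 44}
IP_ATTRS = {"NAS-IP-Address": 4, "Framed-IP-Address": 8}
TYPE_BY_NAME = {**INT_ATTRS, **STR_ATTRS, **IP_ATTRS}
NAME_BY_TYPE = {t: n for n, t in TYPE_BY_NAME.items()}

def ip_to_int(text):
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def encode_attrs(attrs):
    """Serialize (name, value) pairs as RADIUS TLVs: Type(1) Length(1) Value(<=253)."""
    out = b""
    for name, value in attrs:
        if name in INT_ATTRS:
            payload = struct.pack("!I", value)
        elif name in IP_ATTRS:
            payload = struct.pack("!I", ip_to_int(value))
        else:
            payload = value.encode()
        if len(payload) > 253:
            raise ValueError(f"{name} does not fit in one attribute")
        out += struct.pack("!BB", TYPE_BY_NAME[name], len(payload) + 2) + payload
    return out

def build_accounting_request(identifier, secret, attrs):
    """NAS side.  RFC 2866: Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + Attributes + Secret); without the secret nobody can forge or alter
    an accounting record that the server will accept."""
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(prefix + bytes(16) + body + secret).digest()
    return prefix + authenticator + body

def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator before trusting a single counter."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_accounting_response(request, secret):
    """Accounting-Response with no attributes.  Response Authenticator = MD5(Code +
    Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    prefix = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return prefix + hashlib.md5(prefix + request[4:20] + secret).digest()

def parse_attrs(packet):
    """Decode the known attributes of a packet into a {name: value} dict."""
    attrs, off = {}, 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute")
        value, name = packet[off + 2:off + alen], NAME_BY_TYPE.get(atype)
        if name in INT_ATTRS or name in IP_ATTRS:
            if len(value) != 4:
                raise ValueError(f"{name} must be 4 octets")
            number = struct.unpack("!I", value)[0]
            attrs[name] = number if name in INT_ATTRS else int_to_ip(number)
        elif name in STR_ATTRS:
            attrs[name] = value.decode()
        off += alen
    return attrs

def session_octets(attrs):
    """(bytes from user, bytes to user); Gigawords hold the high 32 bits past 4 GiB."""
    inp = (attrs.get("Acct-Input-Gigawords", 0) << 32) | attrs.get("Acct-Input-Octets", 0)
    out = (attrs.get("Acct-Output-Gigawords", 0) << 32) | attrs.get("Acct-Output-Octets", 0)
    return inp, out

def sample_stop_request(secret=b"s3cret"):
    """Constructed Accounting-Stop for one VPN session (sample values, not real data)."""
    return build_accounting_request(7, secret, [
        ("User-Name", "alice"), ("NAS-IP-Address", "192.0.2.1"), ("Framed-IP-Address", "10.8.0.12"),
        ("Acct-Status-Type", ACCT_STATUS["Stop"]), ("Acct-Session-Id", "5f3e2a1b"),
        ("Acct-Session-Time", 3600), ("Acct-Input-Octets", 123), ("Acct-Input-Gigawords", 1),
        ("Acct-Output-Octets", 456000), ("Acct-Input-Packets", 900000), ("Acct-Output-Packets", 400)])
```

The MD5 authenticator only proves that whoever built the packet knew the shared secret; it gives no confidentiality, and MD5 is not a modern choice, so RADIUS accounting between the VPN server and the billing system should run over a management network or be wrapped in RadSec (RADIUS over TLS) or IPsec. On the server side, an Accounting-Request whose authenticator fails to verify must be dropped before it updates a single counter, and a record without the Gigawords attributes must not be read as a session under 4 GiB if the NAS is known to send them.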

Conclusion

Let's bring together all the methods of collecting traffic information described above:

To sum up: in practice there are many ways to connect the network you manage (with clients or office subscribers) to an external network infrastructure, using a range of access devices: software and hardware routers, switches, VPN servers. In almost every case, however, a scheme can be devised in which information about the traffic crossing the network is directed to a software or hardware tool for analysis and management. That tool may also be able to feed back to the access device, applying intelligent access restriction for individual clients, protocols and so on.
This concludes the review of the fundamentals. Topics still to cover:

  • how and where the collected traffic data goes
  • traffic accounting software
  • what is the difference between billing and a simple “counter”
  • how to limit traffic
  • recording and limiting visited websites
