Koozali.org: home of the SME Server

Analysis of incoming traffic

Offline uli334

Analysis of incoming traffic
« on: June 22, 2016, 03:28:49 AM »
At one of our locations some pupils we have a great amount of traffic from the internet into the local net, about 15GB a day.
I want to know from which user and workstation this traffic is initiated. We have Sarg running, but it doesn't show anything.
I guess the traffic is generated by downloading big files over https from a sharehoster. Dansguardian is also installed, but it cannot show the quantity of data coming from the internet.

Can someone recommend me a tool for analyzing the amount of traffic for https?

Thanks, Uli

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Analysis of incoming traffic
« Reply #1 on: June 22, 2016, 04:46:55 AM »
You could force https to go through your squid and dansguardian.
Of course they will not be able to cache and filter content or the full URL chain, but:

- you will be able to get some stats with sarg
- you will be able to block sites based on IP or domain (not on the full URL, as it will also be encrypted)

This could be a good configuration how-to to add to dansguardian.
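
Added example, not part of the original reply: once HTTPS is proxied through squid as suggested above, each tunnel appears in the access log as a `CONNECT host:443` entry with a byte count, so downloads can be totalled per workstation and user even though the content is encrypted. The sketch assumes squid's native access.log format; the sample lines and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in squid's native access.log format:
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1466571001.120  95012 192.168.1.23 TCP_MISS/200 1843200345 CONNECT files.example.net:443 - DIRECT/203.0.113.10 -
1466571050.733    210 192.168.1.40 TCP_MISS/200 48211 GET http://www.example.org/index.html - DIRECT/198.51.100.7 text/html
1466571300.004 120887 192.168.1.23 TCP_TUNNEL/200 2100450000 CONNECT files.example.net:443 - HIER_DIRECT/203.0.113.10 -
1466571420.551   3051 192.168.1.57 TCP_MISS/200 5120433 CONNECT mail.example.com:443 anna DIRECT/198.51.100.25 -
truncated line without enough fields
1466571500.900     12 192.168.1.57 TCP_DENIED/403 1532 CONNECT blocked.example.net:443 anna NONE/- text/html
"""


def connect_totals(lines):
    """Sum bytes delivered to clients through CONNECT (HTTPS) tunnels.

    Returns two Counters, keyed by (client_ip, user) and
    (client_ip, user, host). The user field is "-" without proxy auth.
    """
    per_client, per_host = Counter(), Counter()
    for line in lines:
        f = line.split()
        if len(f) < 10 or f[5] != "CONNECT":
            continue  # malformed line or plain HTTP request
        status = f[3].rpartition("/")[2]
        if status != "200" or not f[4].isdigit():
            continue  # denied or failed tunnels carry only an error page
        client, size, user = f[2], int(f[4]), f[7]
        host = f[6].rsplit(":", 1)[0]  # strip the :443 port
        per_client[(client, user)] += size
        per_host[(client, user, host)] += size
    return per_client, per_host


def report(lines, top=10):
    """Return formatted lines for the largest (client, user, host) totals."""
    _, per_host = connect_totals(lines)
    return [f"{size / 2**20:10.1f} MiB  {client:15}  {user:8}  {host}"
            for (client, user, host), size in per_host.most_common(top)]


if __name__ == "__main__":
    # On a real server, pass the lines of squid's access.log instead
    # (assumed path: /var/log/squid/access.log).
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Traffic that bypasses the proxy never reaches this log, so direct outbound port 443 has to be blocked or redirected for the totals to be complete.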

Offline mmccarn

Re: Analysis of incoming traffic
« Reply #2 on: June 22, 2016, 01:24:53 PM »
iptraf or ntop might help you figure out what's up.

iptraf does real-time monitoring of your network traffic; ntop does long-term monitoring but may be tricky to install.


The first thought that occurred to me was to find out if your network's core switch provides traffic counters by port, then figure out which port has the most traffic.  Of course, this may not help much if your users are mostly wireless (unless your wireless router will show you traffic by client...)