[clug] Measuring Bandwidth usage by Application Protocol

Dale Shaw dale.shaw at gmail.com
Sun Nov 1 23:52:14 MST 2009


Hi Jeff,

On Mon, Nov 2, 2009 at 3:53 PM, jm <jeffm at ghostgun.com> wrote:
>
> I'm looking at generating some network
> usage statistics on an open network with a large number of users. The data
> I'm looking to collect is
>
>  Source IP
>  Source Port
>  Destination IP
>  Destination Port
>  Application Protocol
>  Packets
>  Octets
>  Duration

OK.

> of each session or flow on a 15 minute basis. NetFlow is close to giving me
> this, but lacks the application level protocol information that I'm
> after. Any thoughts or suggestions on how to collect this data?

What application-layer detail do you need that a NetFlow-based
solution doesn't give you? Usually (from what I've seen) this is done
in the reporting engine, rather than the collector itself -- sometimes
these functions are combined into one system/product. It's usually
limited (again, based on my experience) to application recognition
based on network and transport layer information (e.g. src/dst IP
addresses, IP protocol numbers, TCP/UDP port numbers).

Digging deeper into the packet gets pretty expensive in terms of
network device resources, so perhaps a port mirror or TAP solution
utilising a passive probe would give you the insight you need.

Anyway, which collector are you using? Are you strictly looking for a
$free solution?

Have you had a play with 'ntop'?

cheers,
Dale
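
Added example, not part of the original post: a sketch of the reporting-side approach the reply describes, labelling exported flow records by IP protocol and port and totalling them per 15-minute interval. The record layout, the port-to-label map and the function names are assumptions for illustration; the last sample flow shows the limit of port-based recognition (HTTP on a non-standard port stays unlabelled).

```python
from collections import defaultdict

BUCKET = 15 * 60  # 15-minute reporting interval, in seconds

# Assumed (IP protocol number, port) -> label map; extend for your network.
PORT_LABELS = {
    (6, 22): "ssh", (6, 25): "smtp", (6, 80): "http", (6, 443): "https",
    (6, 53): "dns", (17, 53): "dns", (17, 123): "ntp",
}

def classify(proto, src_port, dst_port):
    """Label a flow from transport-layer fields only (no payload inspection)."""
    # NetFlow records are unidirectional, so check both ports; try the lower
    # one first because it is more likely to be the server side.
    for port in sorted((src_port, dst_port)):
        if (proto, port) in PORT_LABELS:
            return PORT_LABELS[(proto, port)]
    return f"unknown/{proto}"

def summarise(flows):
    """Total flows, packets, octets and duration per (bucket start, application)."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "duration": 0})
    for start, end, proto, _sip, sport, _dip, dport, packets, octets in flows:
        # A flow is attributed to the bucket in which it started.
        key = (start - start % BUCKET, classify(proto, sport, dport))
        totals[key]["flows"] += 1
        totals[key]["packets"] += packets
        totals[key]["octets"] += octets
        totals[key]["duration"] += end - start
    return dict(totals)

T0 = 1257120000  # constructed epoch timestamp on a 15-minute boundary
# Constructed sample records (documentation address ranges), not real traffic:
# (start, end, ip_proto, src_ip, src_port, dst_ip, dst_port, packets, octets)
SAMPLE_FLOWS = [
    (T0 + 10, T0 + 40, 6, "192.0.2.10", 51000, "198.51.100.5", 80, 12, 9000),
    (T0 + 100, T0 + 130, 6, "198.51.100.5", 80, "192.0.2.10", 51000, 10, 64000),
    (T0 + 200, T0 + 201, 17, "192.0.2.11", 40000, "198.51.100.53", 53, 1, 70),
    (T0 + 950, T0 + 1010, 6, "192.0.2.12", 52000, "198.51.100.9", 8080, 30, 20000),
]

if __name__ == "__main__":
    for (bucket, app), t in sorted(summarise(SAMPLE_FLOWS).items()):
        print(bucket, app, t)
```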

