LinuxQuestions.org
Old 02-24-2013, 12:15 PM   #1
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127
Tools for checking unstable lan?


In short: I need to monitor a local network to find out why the staff sometimes have problems.
This is in a small office. Although most of the time everything works fine, a bit too often problems occur. The problems reported are:
* Network is suddenly extremely slow. Mainly internet, but sometimes also over LAN. Could last for a minute or it could last most of the day.
* VPN-connections (pptp & l2tp/ipsec) are suddenly dropped, or other network-based services like remote desktop suddenly fail.

--- Edit:
And these problems do not happen to everybody at the same time!
They happen randomly, sometimes affecting just one, sometimes affecting 5 - but never affecting the whole office.
Also, these 2 problems seem not to be related - vpn with related connections might work fine but internet access slow or the other way around...


Unfortunately, I can't sit in the office until problems occur, it would of course be the best but it just can't be done.
So what I want to do is to install some good monitor-apps in a laptop, and place it in their office for a month gathering lots and lots of information.
Problem is, I don't know what tools to use? I did use MRTG some 5 years ago, but I don't think that one will do it here.
Another question (well, actually the really important one) is what to monitor! All I have to work on is what I'm told - and I guess you all know how reliable that kind of information can be...
I have, of course, checked logs on both clients & firewall, nothing interesting there.

What we have is:
* 100Mbit internet (up+down) via cable.
* Watchguard XTM firewall, HP rack-switch
* 2 wireless access-points directly connected to HP-switch
* One small server (Win7) not used much, one device for network storage (both these on static ip).
* Some 20 laps running Windows XP, Windows 7, Mac OsX (and my Linux when I'm there).
* Also connected: a whole bunch of cell phones, pads of various kinds etc. (probably watches, shoes et al also have WLAN these days! )

BUT! All in all, there has never been more than 29 devices connected via dhcp at the same time.
No video or any really heavy stuff is done over the network - or actually, at all. (Or so they say - I tend to believe that though.)

So, what tools should I investigate?

Last edited by pingu; 02-24-2013 at 12:34 PM. Reason: Adding info
 
Old 02-27-2013, 06:47 PM   #2
ShadowCat8
Member
 
Registered: Nov 2004
Location: San Bernardino, CA
Distribution: Gentoo, Arch, (RedHat4.x-9.x, FedoraCore 1.x-4.x, Debian Potato-Sarge, LFS 6.0, etc.)
Posts: 261

Rep: Reputation: 52
Greetings,

Well, to start off with, I will make the assumption that the "HP rack-switch" is a managed switch.
(Yes, I know you shouldn't make an 'assumption' or you might make an @ss out of 'u' and 'mption'! hehe)

If this is the case, I would first start there and see if you have any monitoring and/or logging built into the switch. You might be able to save yourself a lot of time and trouble by just checking what the switch sees as being passed and how much. If you're lucky, it might even have some management tools available for you, like graphs for network traffic, etc. to help you isolate the issue.

But, if that's not a viable option, you can try wireshark... Now, keep in mind that if you try to sniff everything, and leave it running for an extended period of time, you better have a *lot* of space on the system doing the sniffing. Wireshark caches the captured packets, and for a busy network, that could be a LOT of data. And, since it is likely that you are new to wireshark, you might benefit from watching this tutorial video.

And, you can tell the folks at your office that they aren't agents working for CONTROL (unless, of course, they are! ;-p hehe) so they can turn off the shoe-phones and two-way wrist communicators while in the office!

HTH. Let us know.

(P.S. As a "shot-in-the-dark", is anyone in your office using Carbonite? Our office recently had a similar situation when the boss installed Carbonite on his system without telling the IT guys.)

Last edited by ShadowCat8; 02-27-2013 at 06:52 PM. Reason: Added a "shot-in-the-dark"
 
1 members found this post helpful.
Old 02-28-2013, 03:33 AM   #3
jnihil
Member
 
Registered: Dec 2012
Location: inside the matrix
Distribution: Debian, Xubuntu, Gentoo, Antergos
Posts: 90

Rep: Reputation: 27
Too many unknown variables. Like the former post, I would also suggest packet capture, but ON the devices experiencing the slowness, unless you have port-mirroring on your HP switch.

IF your switch has port-mirroring, then very cool. Capture everything to a file. The file will get big, so you wanna use the 'use multiple files', 'next file every x megabytes' and 'ring buffer with x files' option so that you only capture a certain amount of data (maybe one day's worth), and the files are small enough to be manageable (ever tried loading a 10GB packet capture file?).

Wireshark has many tools/stats that will help you with your analysis. Good luck.

Last edited by jnihil; 02-28-2013 at 03:34 AM.
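
The ring-buffer capture described in the post above, as an added example that is not part of the original thread: a small script that sizes the ring to a fixed disk budget and builds the matching `dumpcap` command line (dumpcap is the capture engine shipped with Wireshark). The interface name `eth0`, the directory, the 20 GB budget, the 100 MB file size and the 128-byte snap length are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: size a dumpcap ring buffer to a fixed disk budget.
# Interface, directory and sizes are assumptions, not values from the thread.

# Number of ring files that fit in BUDGET_MB when each file is FILE_MB.
# dumpcap recycles the oldest file once this count is reached.
ring_file_count() {
    budget_mb=$1; file_mb=$2
    if [ "$file_mb" -le 0 ] || [ "$budget_mb" -lt $((file_mb * 2)) ]; then
        echo "budget must hold at least two files" >&2
        return 1
    fi
    echo $((budget_mb / file_mb))
}

# Build the dumpcap command line (printed, not executed).
#   -b filesize:N  start a new file every N kB
#   -b files:N     keep at most N files, then overwrite the oldest
#   -s N           store only the first N bytes of each packet (headers)
capture_cmd() {
    iface=$1; dir=$2; budget_mb=$3; file_mb=$4; snaplen=$5
    count=$(ring_file_count "$budget_mb" "$file_mb") || return 1
    echo "dumpcap -i $iface -s $snaplen -b filesize:$((file_mb * 1024)) -b files:$count -w $dir/lan.pcapng"
}

# Start the capture only when asked to: ./ring.sh --run
if [ "${1:-}" = "--run" ]; then
    umask 077                      # capture files hold the whole office's traffic
    mkdir -p /var/tmp/lancap
    exec $(capture_cmd eth0 /var/tmp/lancap 20480 100 128)
fi
```

Truncating packets with `-s` stretches the same disk budget over a much longer period when only headers are needed to see who is talking to whom and how much.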
 
Old 02-28-2013, 04:02 AM   #4
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Original Poster
Rep: Reputation: 127
Quote:
Originally Posted by ShadowCat8 View Post
Well, to start off with, I will make the assumption that the "HP rack-switch" is a managed switch.
(Yes, I know you shouldn't make an 'assumption' or you might make an @ss out of 'u' and 'mption'! hehe)
Ah, sorry, I should of course have mentioned that the HP-switch is not under my control. It belongs to our Internet provider, we are not allowed any access to the management interface.
Wireshark I have used a little, but that's some years ago.
But that will only capture traffic to/from the computer it runs on, I need to somehow capture traffic in the whole LAN?
Quote:
Originally Posted by ShadowCat8 View Post
(P.S. As a "shot-in-the-dark", is anyone in your office using Carbonite? Our office recently had a similar situation when the boss installed Carbonite on his system without telling the IT guys.)
That is something worth investigating!
People are not allowed to use any kind of online-backups, but it could still be of course.
Quote:
Originally Posted by ShadowCat8
Too many unknown variables. Like the former post, I would also suggest packet capture, but ON the devices experiencing the slowness,
Yep, you are so right, far too little known!
Unfortunately it happens to various devices pretty randomly.
For now, I'm not going to install wireshark (or anything) on every computer, that's too much hassle.
What I can work with is the Watchguard where I can't install anything, and a separate laptop I can do whatever I want with.
The WG has a few tools for network bandwidth, load monitoring and such. I've checked that several times; it is never overloaded (that is bandwidth, cpu & memory).
 
Old 02-28-2013, 10:24 AM   #5
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Original Poster
Rep: Reputation: 127
I decided to start "the easy way" just checking the Watchguard.
An ipsec tunnel between my office & clients office, and then Cacti on one of my servers to pull network, cpu & memory load from WG.
Hopefully it will shed some light!
 
  


All times are GMT -5. The time now is 07:52 PM.
