Danger of monitoring an enterprise network

I wrote several articles on deploying monitoring software such as Cacti and Nagios in an enterprise network. These tools use the so-called passive monitoring technique: they wake up at a fixed interval, say every 5 minutes, to collect network metrics. There is another technique, active monitoring, which is much more powerful. By actively monitoring the enterprise network you can track bandwidth usage per IP address, for both local and remote hosts. Such a tool is sometimes called a sniffer. This technique is usually used for short-period debugging of network-related issues, e.g., wrong network configuration, a worm, a DDoS, and so on. It is, however, also possible to actively monitor the enterprise network all the time, day and night, to track bandwidth usage or to find bottlenecks. ntop is my favorite tool for long-term network monitoring. It is free, feature-rich, and easy to install.

However, I had a bad experience after deploying ntop inside an enterprise network with an ADSL connection to the internet. Actually, it was my fault for using the default settings with only a few tweaks. The problem was that sometimes new connections could not be established because the NAT table of the ADSL router was full. The cause of this problem was ntop. It tried to resolve a large number of IP addresses to their hostnames, and every reverse lookup is a separate DNS query that passes through the router and occupies its own NAT table entry. Unfortunately, there were far too many IP addresses because all users were accessing several web pages at the same time. To avoid this problem, I recommend that you use one of the options below.

  1. -m, --local-subnets
  2. -n, --numeric-ip-addresses

The above options greatly reduce the number of reverse DNS lookups ntop issues. Hopefully, your network will survive.
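To check in advance how much NAT pressure name resolution will add, here is an added example (not code from the post or from ntop) that replays a constructed flow list and counts the reverse lookups a monitor would issue under three policies. The "local" policy is my assumed model of restricting resolution to the subnets given with -m; "none" corresponds to -n. It assumes every lookup is a UDP query that crosses the NAT router, which is what filled the table in the post.

```python
import ipaddress

# Constructed sample flows (source, destination) as a sniffer would see them on a
# LAN behind a NAT router. Remote addresses use RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.0.2.10"),
    ("192.168.1.10", "198.51.100.7"),
    ("192.168.1.11", "192.0.2.10"),      # same remote host seen twice
    ("192.168.1.11", "203.0.113.25"),
    ("192.168.1.12", "192.0.2.44"),
    ("192.168.1.12", "198.51.100.99"),
    ("192.168.1.12", "203.0.113.3"),
    ("192.168.1.10", "192.168.1.12"),    # purely local traffic
    ("192.168.1.11", "203.0.113.77"),
    ("192.168.1.10", "198.51.100.150"),
]

LOCAL_SUBNETS = ["192.168.1.0/24"]  # assumed value for -m, --local-subnets


def reverse_lookup_targets(flows, local_subnets, policy):
    """Return the set of addresses that would be reverse-resolved.

    policy "all":   resolve every address seen (the default behaviour the post hit)
    policy "local": resolve only addresses inside local_subnets (assumed -m model)
    policy "none":  resolve nothing, show numeric addresses only (-n)
    """
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    targets = set()
    for src, dst in flows:
        for addr in (src, dst):
            is_local = any(ipaddress.ip_address(addr) in n for n in nets)
            if policy == "all" or (policy == "local" and is_local):
                targets.add(addr)
    return targets


def nat_table_headroom(nat_capacity, entries_in_use, flows, local_subnets, policy):
    """Free NAT entries left once each distinct lookup has taken one slot.

    A negative result means new user connections start failing, which is
    exactly the symptom described in the post. Capacities are constructed.
    """
    lookups = len(reverse_lookup_targets(flows, local_subnets, policy))
    return nat_capacity - entries_in_use - lookups


if __name__ == "__main__":
    for policy in ("all", "local", "none"):
        print(policy, nat_table_headroom(12, 4, SAMPLE_FLOWS, LOCAL_SUBNETS, policy))
```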
