About

The Bandwidth Monitoring module can be used to create simple reports on bandwidth usage by port, host, protocol and time for traffic sent from or routed through your system. It is useful for both stand-alone hosts, and those that act as a gateway (possibly with NAT) for a network.

Before it can be used, the module must setup several firewall rules and a syslog entry to capture traffic sent and received via your system. At setup time you must select the system’s external network interface, on which traffic will be monitored. This will typically be the PPP interface used for your dialup or ADSL connection, or the Ethernet interface connected to your cable modem or upstream router.

Once at least an hour’s worth of traffic has been captured, the module can by used to generate reports summarizing the traffic by one of the following categories:

  • Hour

    The date and hour in which the data was received.

  • Day

    The date on which the data was received.

  • Host

    The host on your internal network, or the firewall host, that sent or received the data.

  • Internal port

    The port on your internal or firewall host to which the data was sent. This mode is useful for determining how much traffic is generated by connections to each of your servers.

  • External port

    The port on some server outside your network to which data was sent. This can be used to determine which services users of your network are accessing.

  • Port

    Both internal and external ports. Useful for comparing all network usage by service type.

You can also choose to limit the report to a selecting host, port or protocol. The host can be entered by IP address, hostname or network address like 192.168.1.0. The port can be entered by name or number, and will match both TCP and UDP.

The report can also be limited to traffic collected between selected hours, using the For traffic after and For traffic before fields. Because traffic is summarized by hour, you cannot limit the report with any greater precision than hourly.

The option Server ports only? is useful when reporting by incoming, outgoing or all ports. It restricts the display to ports commonly used by servers (those below 1024 or with names), to avoid cluttering the display with counts for client-side ports that are not commonly useful.

The option Resolve hostnames? can be selected when reporting by host. It will cause all IP addresses to be reverse-resolved to hostnames, where possible.