How to start Ethereal capture at network usage threshold?

Hi,

I am trying to sniff out the source of big spikes in our bandwidth
utilization on a private school LAN. XO is the ISP. The gateway is a
Cisco router, behind which is a Netscreen firewall. Two or three times
a day, we are seeing pretty massive network spikes, which occasionally
result in slowdowns or shutdowns of the LAN.

I would like to use Ethereal or some other tool to monitor the packet
flow above a certain bandwidth, but I'm not sure how to go about doing
this. I'm currently running it on a Win2K3 server which is doing DNS
and DHCP, as well as Active Directory. It's a mixed-platform network,
lots of Mac workstations and two Mac servers (one running secondary
DNS).

Main switch is a stack of 4 3Com #C17300 24-porters... I've
successfully used SwitchMonitor to connect to these, but am seeing
nothing unhealthy.

Key point: I'm outsourced IT for this school, so I'm not on-site all
the time. I do have remote access.

Any suggestions? Should I set a timer to capture all promiscuous
packets between 6:30-7am, perhaps, when we often see a spike? How
would I go about doing that?

Thanks,
Ryan

To monitor bandwidth you must capture ALL packets on the network. Ethereal will
allow you to do just that. You can then plot the bandwidth using built-in
charting.

If you want to monitor between certain times you may need to use Windows Task
Scheduler and write a script or two. Winpcap might be easier in this case.
Windows Server 2003 also comes with a packet sniffer app similar to Ethereal.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hi,
>
> I am trying to sniff out the source of big spikes in our bandwidth
> utilization on a private school LAN. XO is the ISP. The gateway is a
> Cisco router, behind which is a Netscreen firewall. Two or three times
> a day, we are seeing pretty massive network spikes, which occasionally
> result in slowdowns or shutdowns of the LAN.
>
> I would like to use Ethereal or some other tool to monitor the packet
> flow above a certain bandwidth, but I'm not sure how to go about doing
> this. I'm currently running it on a Win2K3 server which is doing DNS
> and DHCP, as well as Active Directory. It's a mixed-platform network,
> lots of Mac workstations and two Mac servers (one running secondary
> DNS).
>
> Main switch is a stack of 4 3Com #C17300 24-porters... I've
> successfully used SwitchMonitor to connect to these, but am seeing
> nothing unhealthy.
>
> Key point: I'm outsourced IT for this school, so I'm not on-site all
> the time. I do have remote access.
>
> Any suggestions? Should I set a timer to capture all promiscuous
> packets between 6:30-7am, perhaps, when we often see a spike? How
> would I go about doing that?
>
> Thanks,
> Ryan
>