The previous post described basic setup of the Dell PowerConnect 2824 switch. One of the reasons I bought this switch is its ability to “mirror” a port. This allows a properly-configured computer to sniff all the packets going through the mirrored port. If you mirror the port that goes to your external router, you should be able to monitor all the traffic between your router and all internal computers.
Setting up the switch and the free PRTG Network Monitor was pretty easy. Setting up the computer itself (an old Windows XP Home box) took some fiddling. Here in brief are the steps.
Set Up the Switch
I connected my router to port 23 of the switch. Then, using the switch’s web interface, I went to Switch > Ports > Port Mirroring and added port 23 as a Source Port with port 24 as the Destination Port:
Now all traffic on port 23 is duplicated to port 24.
Set Up the Computer
First let me say that Dell support has been a great help here. There is a whole department that supports switches. Both technicians I spoke with were knowledgeable, immediately understood my questions, and worked to help even when the questions went beyond pure functioning of the switch.
One thing I learned is that a mirrored switch port does not pass normal traffic, so if you want the monitoring computer to be on the network (e.g. for remote management), you need to install a second NIC.
I also turned off the Windows Firewall to make sure that no traffic would be prevented from reaching the monitoring software.
Even with two NICs, after connecting one NIC to the mirrored port 24 and another NIC to a non-mirrored port, I was not able to get on the Internet from the monitoring computer, nor could I access the computer from the network. In the end, the solution was to give the NIC connected to the mirrored port a “bogus” IP address. That apparently prevents Windows XP from trying to use that NIC for network connectivity, so it routes all “normal” traffic through the NIC connected to the non-mirrored port.
Here are the network settings.
NIC on Non-Mirrored Port
NIC on Mirrored Port
On the left, note that I unchecked all roles except Internet Protocol (TCP/IP).
On the right, note that the 10.50.1.1 address is not on our local network.
Advanced Settings
I’m not sure if it matters, but under Network Connections, I chose Advanced > Advanced Settings and made sure that the NIC on the non-mirrored port has first priority:
Set Up PRTG
PRTG Network Monitor is an incredibly powerful program and I’m sure I’m only scratching the surface of its capabilities. But for what I’m trying to do (monitor traffic on the mirrored port), the main “trick” seems to be adding a Bandwidth Monitoring > Packet Sniffer (Content) sensor to the local probe:
In the sensor setup’s second page, I chose to monitor only the adapter connected to the mirrored port. I also set all Channel Selections to Detail:
Finally, I paused or deleted the default WMI Network Card sensors attached to the local NICs. (In fact, the one on the mirror-port NIC was shown in red.)
Viewing Results
After some data has been collected, a quick way to view it is to go to the sensor and click on the Toplists tab. Here you can list top connections, protocols, and “talkers” (devices):
The other tabs show graphs and breakdowns of live data (the last two hours), the last 2 days, 30 days, etc.
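The Toplists view comes down to aggregating the mirrored frames by source, protocol and connection. The Python sketch below is an added example, not PRTG's code and not part of the original post: it reads a classic pcap saved from the NIC on the mirror destination port, builds the same three lists, and counts unicast frames that are neither to nor from the monitoring NIC, which is the evidence that the mirror is actually delivering other hosts' traffic. The MAC addresses, IP addresses and the sample capture are constructed for illustration.

```python
import io, socket, struct
from collections import Counter

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def read_pcap(stream):
    """Yield raw frames from a classic little-endian pcap (magic 0xa1b2c3d4)."""
    if struct.unpack("<I", stream.read(24)[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    while len(hdr := stream.read(16)) == 16:
        yield stream.read(struct.unpack("<IIII", hdr)[2])  # caplen bytes

def toplists(frames, monitor_mac):
    """Return bytes per talker, per protocol, per connection, and transit frames."""
    talkers, protocols, conns, transit = Counter(), Counter(), Counter(), 0
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        if monitor_mac not in (f[0:6], f[6:12]) and not f[0] & 1:
            transit += 1  # unicast between other hosts: only a mirror delivers this
        ihl, proto = (f[14] & 0x0F) * 4, PROTO.get(f[23], str(f[23]))
        src, dst = socket.inet_ntoa(f[26:30]), socket.inet_ntoa(f[30:34])
        if f[23] in (6, 17) and len(f) >= 18 + ihl:  # TCP/UDP: add ports
            sport, dport = struct.unpack("!HH", f[14 + ihl:18 + ihl])
            src_ep, dst_ep = f"{src}:{sport}", f"{dst}:{dport}"
        else:
            src_ep, dst_ep = src, dst
        talkers[src] += len(f)
        protocols[proto] += len(f)
        conns[(src_ep, dst_ep, proto)] += len(f)
    return talkers, protocols, conns, transit

def _frame(smac, dmac, src, dst, proto, sport, dport, pad):
    """Constructed test frame: Ethernet + IPv4 + ports + zero padding."""
    l4 = struct.pack("!HH", sport, dport) + bytes(pad)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return dmac + smac + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture of PC <-> router traffic as seen on the mirror NIC."""
    pc, rtr = bytes.fromhex("020000000010"), bytes.fromhex("020000000001")
    frames = [_frame(pc, rtr, "192.168.1.10", "203.0.113.5", 6, 50000, 80, 100),
              _frame(rtr, pc, "203.0.113.5", "192.168.1.10", 6, 80, 50000, 1400),
              _frame(pc, rtr, "192.168.1.10", "192.168.1.1", 17, 53000, 53, 30)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)
```

A transit count of zero on a real capture means the NIC is seeing only its own and flooded traffic, so the mirror configuration or the adapter's promiscuous mode needs checking.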
I know this is about 2 years old, but I just had to say that this is very helpful. Our company has Dell PowerConnects and wanted me to find a way to monitor our network traffic. I found PRTG, but I wasn’t sure what I needed to configure. After I change the Dell PowerConnects to managed mode I’ll use these instructions for setting up network monitoring.
Thanks a lot.
Nelson – thanks for taking a minute to post. Now let’s hope that PRTG hasn’t changed so much that the information is useless ;). Post back if you have updates.
Hi, thanks for your helpful article. I’m thinking about buying this switch and I was wondering if it is possible to monitor traffic on each port separately via SNMP? Documentation says that there is limited SNMP support, but without further description…
Vasek, I was going to say No, but just for fun I pointed snmputil at my switch and asked it to walk the OID tree. The results were scrolling by for several minutes–there must be thousands of them! Of course that’s pretty useless unless you have the MIB to describe them. I don’t see any MIB listed at ftp://ftp.dell.com/network/ for the 28xx, but maybe something from the next level up would be relevant, e.g. ftp://ftp.dell.com/network/pc_3024-3048-5012_v604_mibs.zip. I suspect the info available via SNMP is more about statistics than actual traffic, i.e. you probably won’t get to see who is browsing what web sites. The switch also has RMON, which is some kind of internal statistics aggregator that is supposedly an extension of SNMP.
My other suggestion would be to call Dell Tech Support, tell them you have a pre-sales question, and you need the MIB and SNMP instructions for a 2824.