[mrtg] Re: Network Bandwidth

Bigelow, Andrea L. BigelowA at SEC.GOV
Thu Jun 3 22:06:42 MEST 2004 

Deb,

If your boss is looking for DOS attacks, those will be painfully obvious on
MRTG. 

In order to determine that something is statistically significant, you need
to define not just a mean (an 'average value'), but also a standard
deviation. Say I've got a link that carries 100K of traffic on average. Is
it normal to see 300K on that link? Sure, if the normal range is 0-400K. If
the normal range is 50-150, then yeah, I'd be raising an eyebrow at 300K,
but not if up to 400K is in my normal range. 

What I'm saying is that you need to establish not just what is average, but
what falls within normal ranges. To do that. go back through your archived
information and look at your weekly and monthly averages, and draw a few
data points from that. 

I wish I could help you more on this. Every link on every network has
slightly different norm ranges -- some may have a small range and a high
average, others may have a small average and a huge range. The latter is
common if your traffic is 'bursty'. The only way to pin down what is normal
for any given link is to monitor over a period of time (which you've done)
and plot out a series of data points to establish a known range. Once you've
done that, then I believe there is a way to set thresholds. Can someone else
advise?

HTH, 

Andi
-----Original Message-----
From: Deb.Brackman at crown.com [mailto:Deb.Brackman at crown.com]
Sent: Thursday, June 03, 2004 3:48 PM
To: Bigelow, Andrea L.
Subject: RE: [mrtg] Re: Network Bandwidth



Thanks Andi: 

I have been monitoring our branch sites for ages, and each branch site
utilization is different....how do I detect that Pittsburgh is out of the
norm from the day before.???? 

Deb 


"Bigelow, Andrea L." <BigelowA at SEC.GOV> 
06/03/2004 03:45 PM To"'Deb.Brackman at crown.com'" <Deb.Brackman at crown.com>,
mrtg at list.ee.ethz.ch 
cc
SubjectRE: [mrtg] Re: Network Bandwidth







> Can someone advise or help me on the following question from 
> my boss, what 
> would be the best way to monitor this?
> "Deb, have you made any progress in detecting bandwidth usage 
> outside a 
> norm?"

Sure, but you have to know what you're looking for. You can't detect
anything outside of a "norm" if you don't know what that norm is. Trace the
bandwidth patterns over a period of time, preferably a month or two at
least, and that will give you a good baseline, but find out from your boss
how he defines 'norm'.

Andi L. Bigelow
Dyncorp EOS - Network Engineering Group
bigelowa{at}sec{dot}gov
(202) 942-4368

"Every man dies, but not every man really lives." -- Braveheart

--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

More information about the mrtg mailing list