Packet capture with PRTG

Network packet capture means making copies of the data packets flowing through your network so you can review and analyze them. It's useful for spotting performance issues, identifying potential vulnerabilities, and helping you understand what might have caused network disruption, security breaches, or other incidents. 

• Traffic analysis and monitoring: Packet capture enables detailed analysis of network traffic. By examining packets, cybersecurity professionals can identify abnormal patterns that may indicate malicious activities, such as distributed denial-of-service (DDoS) attacks or data exfiltration.
• Malware detection: Packet capture allows for the inspection of payloads within packets, which can help identify malicious software. By analyzing packet contents, specialized tools can detect the presence of malware communicating with command and control servers or attempting to spread across the network.
• Network performance and health monitoring: Packet capture can also identify network performance issues, which, while not directly security-related, can impact the overall health and security of the network. Slow or unreliable networks can leave vulnerabilities unpatched or expose the network to certain types of attacks.
• Network anomaly detection: Packet capture data can be used to establish baselines of normal network behavior. Deviations from these baselines can indicate potential security issues that require further investigation.
• Vulnerability management: Packet capture can reveal unpatched systems and vulnerable applications communicating on the network, allowing security teams to prioritize and address these weaknesses.

Because PRTG makes analyzing network traffic, and spotting (and fixing) issues much easier. Where Wireshark data is live and unfiltered, PRTG enables you to filter by variable. You can scan your network for potential problems, then get more granular should you spot something that doesn't look right. Which means you'll get to the bottom of an issue much more quickly.

The most common method is to connect PRTG to your routers' monitoring ports. Alternatively, send traffic from your router to PRTG and use sensors to capture the data packets. You can also capture data packets:

• On individual switches
• On individual servers, such as email and web servers
• With VMware. Use port mirroring on routers or access points to see how much data your ESXi server sends and receives.

The basic difference between sFlow, NetFlow, IPFIX, and jFlow is that they use different methodologies to capture data:

• Owned by Cisco, NetFlow collects traffic flow metadata, such as source and destination IP addresses, ports, and packet counts
• sFlow samples packet headers and partial payloads, so it keeps CPU load, bandwidth use, and memory use to a minimum – ideal if you have a very large network or limited resources
• IPFIX is an open standard based on NetFlow. It's template-based (though it can be configured to work with random samples, too), which gives you more flexibility in the way you record and export data
• jFlow works in a similar way to NetFlow, but it's owned by Juniper Networks

If you want to monitor the traffic on your network without deep packet inspection, SNMP might be the technology of your choice.

In PRTG, “sensors” are the basic monitoring elements. One sensor usually monitors one measured value in your network, for example the traffic of a switch port, the CPU load of a server, or the free space on a disk drive.

On average, you need about 5-10 sensors per device or one sensor per switch port.