Who's using up all the bandwidth?

Discussion in 'General Cisco Certifications' started by zr79, Apr 20, 2009.

  1. zr79

    zr79 Byte Poster

    Say you have a medium or so LAN on a workgroup (internet cafe or so) and somebody is doing a lot of downloading, how would you best discreetly find out who it was...?

    OK, so you are the admin of the router, you could log onto the router and look at the DHCP table, which would give you all the IPs, if you were using DHCP. But still then how would this help?? And then what if you were using all static IPs, what then?

    Would the ARP cache in the router be of any use here?
     
    Certifications: A+
  2. Adam Banner

    Adam Banner Poster Galore

     
  3. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    Do you have an ISA box or a 3rd party vendor appliance like Sophos websecurity? These products give you access to reports that you can run off.

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: MCE and PM Cert
  4. zebulebu

    zebulebu Terabyte Poster

    Ethereal or MRTG to the rescue...

    Depending on whether you've got a managed or unmanaged switch you have two routes - one potentially easier than the other.

    If you have a managed switch it's simple - just configure a mirror port (SPAN port on a Cisco) and plug a PC running Ethereal into it - that way you can let it run for a while then take a look at which IPs are talking the most.

    If you have an unmanaged switch it's slightly more complicated - you could get a hub in 'behind' the router and sniff traffic there (depending on what sort of bandwidth you have) but you'd have to deal with the traffic having been NATed so you probably won't see anything useful. What you'd be better off doing in this scenario is getting a box running MRTG (easiest using Cacti) and talking to the router via SNMP - that would let you run some form of top talkers accounting which would be nice and simple and give you instant, archivable results.

    Other solutions to look at:

    If your switch is 'semi-managed' it may have the ability to respond to SNMP requests - if it can, consider using MRTG/Cacti on the switch.

    Can you configure Syslogging on your firewall? If you can, configure it to send to a box with a Syslog daemon on it (Kiwi is my favourite) and run it for a day - then take a look at which IPs have been doing the most talking (output it to CSV and run it through Excel).
     
    Certifications: A few
    WIP: None - f*** 'em
  5. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Zebulebu has your answer - having a dedicated network management box is the way to go, if possible. Just a few bits to add: if you are in a situation where you don't have a separate box, there are some tools available on the router/fw, depending on your equipment.

    For example, I often use ip accounting on Cisco gear for quick bandwidth usage checks. Run ip accounting for some period of time then display the output, which will show total bytes transferred for each source/destination pair. Very handy for quickly checking usage per host. NetFlow (and J-Flow on Juniper, sFlow on HP, etc.) gathers detailed information about flows, is widely supported and is quite useful for analyzing usage. You can also view the flow information directly on the router; it is much more detailed than simple ip accounting data. It is best to have a dedicated box for syslog, SNMP, flow, etc., but it is handy to be able to quickly check on the router/fw/switch directly.

    Also, many platforms support packet capture directly on the router/fw; I use this for small remote sites that have no dedicated local monitoring. Just run the capture directly on the network hardware and drop it into Ethereal where I am for more detailed analysis.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
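
Added example, not part of any post in this thread: a short Python script that turns the per source/destination byte counts from Cisco `show ip accounting` output, as described in the post above, into per-host totals sorted busiest first. The sample output is constructed, and the LAN subnet `192.168.1.0/24` and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample laid out like Cisco IOS `show ip accounting` output.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.168.1.23     203.0.113.10                 30110             1806600
 203.0.113.10     192.168.1.23                 48211            61532480
 192.168.1.57     198.51.100.7                  2000              120000
 198.51.100.7     192.168.1.57                  1900             2400000
 198.51.100.7     192.168.1.23                   800             1000000
 192.168.1.12     198.51.100.7                   650               52000

Accounting data age is 42
"""

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; skip headers and footers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            packets, nbytes = int(parts[2]), int(parts[3])
        except ValueError:  # header row or other non-data line
            continue
        rows.append((src, dst, packets, nbytes))
    return rows

def top_talkers(text, lan="192.168.1.0/24"):
    """Sum bytes per LAN host (sent = up, received = down), busiest first."""
    net = ipaddress.ip_network(lan)
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, _packets, nbytes in parse_accounting(text):
        if src in net:
            totals[str(src)]["up"] += nbytes
        if dst in net:
            totals[str(dst)]["down"] += nbytes
    return sorted(totals.items(),
                  key=lambda kv: kv[1]["up"] + kv[1]["down"], reverse=True)

if __name__ == "__main__":
    for host, t in top_talkers(SAMPLE):
        print(f"{host:15}  up={t['up']:>10}  down={t['down']:>10}")
```

Whether both directions show up in the table depends on which interfaces accounting is enabled on, so the script counts a host both as source and as destination.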
