Re: 2621 and pix how to find bandwidth abuser
- From: News Reader <user@xxxxxxxxxxx>
- Date: Wed, 21 May 2008 23:51:59 -0400
estctech@xxxxxxxxx wrote:
I have about 200 users on 2 subnets, 192.168.1.x and 192.168.5.x; they
all go to a 2621 router that forwards all but these 2 subnets to a pix
that uses nat to go to the internet. The last 2 days we have had a
few times where people lost connection to some servers and the
internet. When I ping the router instead of <1ms (normal) I am
getting 1000-3000ms. It is a user or users doing it rather than a
virus or hardware item because if my boss sends an email asking
whether someone is doing something questionable, within minutes it
stops and all is well. Likewise, at lunch and at 4:00pm it goes to
normal speed. What can I do to find who is generating the most
traffic? I will even buy some software if necessary if there is
something out there. Any help would be appreciated, I am afraid
tomorrow will bring more of the same. Thanks!
The fastest way might be to examine the switch port counters (e.g.: 5 minute input rate, 5 minute output rate, packets input, packets output).
e.g.:
switch#clear counters
Clear "show interface" counters on all interfaces [confirm]
switch#sh int fa0/1
FastEthernet0/1 is up, line protocol is up (connected)
<output cut>
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
852988 packets input, 705814170 bytes, 240 no buffer
Received 250963 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 240 ignored
0 watchdog, 246210 multicast, 0 pause input
0 input packets with dribble condition detected
2065563 packets output, 172724912 bytes, 0 underruns
0 output errors, 15 collisions, 0 interface resets
0 babbles, 0 late collision, 448 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
There is an earlier post that you might want to read titled: "Logging traffic activity of Cisco router", posted on May 20th.
NetFlow would be very good for making this determination. However, if you need a quick fix, you might try using inspection (with auditing: ip inspect audit-trail) on the router's inside interface (if you aren't already doing so) to generate syslog messages such as the following:
11033: router-A: May 21 23:13:35.533 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop nntp session: initiator (source-IP-addr:1697) sent 181 bytes -- responder (dest-IP-addr:119) sent 6773 bytes
This would be beneficial (IF) the offender is sending traffic "through" the router, vs. traffic contained within the LAN.
If you have a Cisco switch that supports SPAN (Switch Port Analyzer), you might want to place a sniffer (e.g. Wireshark) on a SPAN destination port (configurable) and monitor source ports of interest (e.g.: port to which the router connects to the switch). You should have this kind of visibility moving forward, using SPAN or a network tap.
Best Regards,
News Reader
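The two quick checks suggested above (ranking switch ports by their 5 minute rates, and totalling bytes per inside host from %FW-6-SESS_AUDIT_TRAIL syslog messages) are easy to script once the output is collected. The following is an added example, not code from the poster or from Cisco: it parses both formats from constructed sample text. The interface names, hosts on 192.168.1.x / 192.168.5.x, and the byte counts are made up for the demonstration; the syslog line format follows the example given in the reply.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %FW-6-SESS_AUDIT_TRAIL format quoted
# in the reply (hosts and byte counts are invented for the example).
SAMPLE_SYSLOG = """\
11033: router-A: May 21 23:13:35.533 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop nntp session: initiator (192.168.1.20:1697) sent 181 bytes -- responder (203.0.113.5:119) sent 6773 bytes
11034: router-A: May 21 23:14:01.120 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.168.5.77:3341) sent 2400 bytes -- responder (198.51.100.9:80) sent 52000000 bytes
11035: router-A: May 21 23:14:07.004 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.168.1.20:1702) sent 900 bytes -- responder (198.51.100.10:80) sent 41000 bytes
11036: router-A: May 21 23:15:40.880 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.168.5.77:3350) sent 1200 bytes -- responder (198.51.100.9:443) sent 30000000 bytes
"""

# Constructed, abbreviated "show interfaces" output for three switch ports
# (only the header and the 5 minute rate lines are needed here).
SAMPLE_SHOW_INT = """\
FastEthernet0/1 is up, line protocol is up (connected)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
FastEthernet0/2 is up, line protocol is up (connected)
  5 minute input rate 9500000 bits/sec, 820 packets/sec
  5 minute output rate 120000 bits/sec, 95 packets/sec
FastEthernet0/3 is down, line protocol is down (notconnect)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sent>\d+) bytes -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<recv>\d+) bytes"
)


def top_talkers(syslog_text):
    """Sum bytes in both directions per initiator (inside host) and return
    [(ip, total_bytes), ...] sorted with the heaviest user first."""
    totals = defaultdict(int)
    for line in syslog_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit-trail Stop record; ignore
        # Both directions count: a download shows up as bytes the responder sent.
        totals[m["src"]] += int(m["sent"]) + int(m["recv"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


IFACE_RE = re.compile(r"^(?P<name>\S+) is (?:up|down|administratively down)")
IN_RATE_RE = re.compile(r"5 minute input rate (?P<bps>\d+) bits/sec")
OUT_RATE_RE = re.compile(r"5 minute output rate (?P<bps>\d+) bits/sec")


def port_rates(show_text):
    """Parse 'show interfaces' output into {port: {'in_bps': n, 'out_bps': n}}."""
    rates = {}
    current = None
    for line in show_text.splitlines():
        hdr = IFACE_RE.match(line)
        if hdr:
            current = hdr["name"]
            rates[current] = {"in_bps": 0, "out_bps": 0}
            continue
        if current is None:
            continue
        m = IN_RATE_RE.search(line)
        if m:
            rates[current]["in_bps"] = int(m["bps"])
        m = OUT_RATE_RE.search(line)
        if m:
            rates[current]["out_bps"] = int(m["bps"])
    return rates


def busiest_ports(show_text, n=3):
    """Rank ports by combined 5 minute input + output rate. On an access port,
    'input' is what the attached host is sending into the switch."""
    rates = port_rates(show_text)
    return sorted(rates, key=lambda p: rates[p]["in_bps"] + rates[p]["out_bps"],
                  reverse=True)[:n]


if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE_SYSLOG):
        print(f"{ip:16} {total:>12} bytes")
    print("busiest ports:", busiest_ports(SAMPLE_SHOW_INT))
```

In practice you would feed top_talkers() a syslog file collected from the router and port_rates() the output of "show interfaces" captured a few minutes after "clear counters". The audit-trail totals only cover sessions that have closed and only traffic that crossed the router, which is the same caveat the reply makes about LAN-local traffic; the port counters catch that case as long as the offender's switch port is visible.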