Bandwidth Utilization Question

Posted on 2005-05-01
Last Modified: 2008-02-01
Hi guys,

Hope you can help.

The last couple of weeks we have seen a huge increase in bandwidth utilization on one of our frame relay interfaces.

We would like to know what type of protocol traffic is causing this increased bandwidth.

We'd like to know if Winsyslog would do the trick in determining exactly what type of network traffic is coming from this interface, in and out.

What do you guys recommend?

We basically want a fast, easy-to-set-up solution, as we need to find this traffic out quickly.

Thanks a lot.

Question by:Simon336697
    LVL 7

    Assisted Solution

    If you enable netflow on the inbound and outbound interfaces of the router, and you're aware when traffic is high, you can just check it on the router in real time.

    on the interfaces:

    int fa0/0
     ip route-cache flow

    And when you're seeing traffic problems, try:
    router> show ip cache flow

    If that provides too much information, you might want to look for large traffic flows by filtering the output to look for "K" to find thousands of packets thusly:

    router> sh ip cache fl | i K

    If this isn't possible to catch in real time, you might want to export these traffic flow statistics to something like ntop:

    Which is an open-source netflow collector that can help you graph out 'top talkers' on your network.
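Added example, not part of the original answer: a Python parser for saved `show ip cache flow` output that decodes the hexadecimal protocol and port columns, expands the K/M packet suffixes, and ranks sources and services by packet count. The sample table is constructed in the column layout assumed here, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the flow table from `show ip cache flow`.
# Pr, SrcP and DstP are hexadecimal; Pkts may carry a K or M suffix (rounded counts).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.23       Se0/0.1       192.168.5.20    06 0C1A 01BD   48K
Fa0/0         10.1.1.23       Se0/0.1       192.168.5.21    06 0C1B 01BD   31K
Fa0/0         10.1.1.40       Se0/0.1       192.168.5.10    06 0D02 0050   912
Se0/0.1       192.168.5.10    Fa0/0         10.1.1.40       11 0035 0E10     4
Fa0/0         10.1.1.77       Se0/0.1       192.168.5.1     01 0000 0800  2100
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^(\S+)\s+({IP})\s+(\S+)\s+({IP})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KM]?)\s*$"
)
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
SCALE = {"": 1, "K": 1_000, "M": 1_000_000}

def parse_flows(text):
    """Return one dict per flow row; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sport, dport, count, suffix = m.groups()
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO.get(int(pr, 16), str(int(pr, 16))),
            "sport": int(sport, 16),
            "dport": int(dport, 16),  # for ICMP this field holds type*256 + code
            "pkts": int(count) * SCALE[suffix],
        })
    return flows

def rank(flows, *keys, n=3):
    """Sum packets per combination of the given fields, largest first."""
    totals = Counter()
    for f in flows:
        totals[tuple(f[k] for k in keys)] += f["pkts"]
    return totals.most_common(n)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("top sources :", rank(flows, "src"))
    print("top services:", rank(flows, "proto", "dport"))
```

Ranking on all rows also surfaces flows whose packet count is printed without a K suffix, such as the ICMP row in the sample.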

    LVL 32

    Accepted Solution

    If you don't have the netflow collectors in place you could also craft an ACL that would help identify the offending traffic.

    for example:

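    access-list 101 permit icmp any any log-input
    access-list 101 permit tcp any any log-input
    access-list 101 permit udp any any log-input
    ! catch-all so other IP protocols (routing protocols, GRE, ...) do not hit the implicit deny
    access-list 101 permit ip any any log-input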

    This will allow you to view the matches on the access-list entry, thus identifying the offending traffic type.
    It will also log the traffic; this will allow you to view precisely what kind of traffic it is in the log.

    1) Make sure your log is large enough (8 Meg minimum; do you have the additional memory?)
    2) Only enable this ACL temporarily; once you have collected some data, remove the ACL. Depending
        on how much traffic a "huge increase" is, this may or may not have a huge impact on the CPU of your router.
        Enter the command to commit the ACL to the interface (ip access-group 101 in), then immediately turn it off
        (no ip access-group 101 in). It may take a while to come back; again, it depends on how much traffic is actually coming in
        and the router you have.
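Added example, not part of the original answer: a Python parser that tallies the packets reported by the ACL's log messages per protocol/destination port and per source/input interface, which is the breakdown the logged ACL is meant to give. The syslog lines are constructed in the message format assumed here for `log-input` entries, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed syslog lines in the format assumed here for ACL entries that use
# `log-input` (message IDs IPACCESSLOGP for TCP/UDP, IPACCESSLOGDP for ICMP).
SAMPLE = """\
May  1 10:02:11 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.23(3098) (FastEthernet0/0 0011.2233.4455) -> 192.168.5.20(445), 1 packet
May  1 10:02:12 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.23(3101) (FastEthernet0/0 0011.2233.4455) -> 192.168.5.21(445), 1 packet
May  1 10:02:30 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.40(1029) (FastEthernet0/0 0011.2233.4466) -> 192.168.5.10(53), 3 packets
May  1 10:02:41 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.1.1.77 (FastEthernet0/0 0011.2233.4477) -> 192.168.5.1 (8/0), 1 packet
May  1 10:03:05 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)
May  1 10:07:11 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.23(3098) (FastEthernet0/0 0011.2233.4455) -> 192.168.5.20(445), 1840 packets
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    rf"(?P<src>{IP})(?:\((?P<sport>\d+)\))?\s*"
    r"(?:\((?P<in_if>\S+) (?P<l2>[^)]*)\)\s*)?"      # present only with log-input
    rf"->\s*(?P<dst>{IP})\s*\((?P<dport>[\d/]+)\),\s*(?P<pkts>\d+) packets?"
)

def parse_acl_log(text, acl="101"):
    """Yield one dict per ACL log line for the given list; other lines are ignored."""
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m and m["acl"] == acl:
            entry = m.groupdict()
            entry["pkts"] = int(entry["pkts"])
            yield entry

def summarize(entries):
    """Total logged packets per (protocol, dest port) and per (source, input interface)."""
    by_service, by_source = Counter(), Counter()
    for e in entries:
        by_service[(e["proto"], e["dport"])] += e["pkts"]  # ICMP: dport is "type/code"
        by_source[(e["src"], e["in_if"])] += e["pkts"]
    return by_service, by_source

if __name__ == "__main__":
    services, sources = summarize(parse_acl_log(SAMPLE))
    for (proto, dport), pkts in services.most_common():
        print(f"{proto:5} {dport:>6} {pkts:>7} packets")
    for (src, in_if), pkts in sources.most_common(3):
        print(f"{src:15} via {in_if}: {pkts} packets")
```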


    LVL 79

    Assisted Solution

    I'd go with Pedrow on this one. NTOP is awesome and simple to set up.
    There's even a Win32 port at OpenXtra

    Super easy to set up and monitor...

    Although Netflow is the preferred solution, another quick/dirty option would be ip accounting. Enable accounting on the Local LAN interfaces (on routers at both ends of the frame PVC)

    Router(config)# interface FastEthernet 0/1
    Router(config-if)# ip accounting output-packets
    Router# sh ip accounting output-packets

    LVL 32

    Assisted Solution

    Just to make sure my point is understood, in conditions of spiking bandwidth this could be the first sign of a virus or some other form of malware, DoS, any attack, etc.
    I agree netflow would be the way to go if I were managing the network and had the time to implement. However, the ACL is a quick and dirty way to quickly identify the offending traffic. If I were running this network the ACL would allow me to rule out an attack or malware quickly so I could implement netflow. In addition, ip accounting will not show you the protocol and port, just the source and destination, total bytes, and total packets. There may be some legitimate traffic coming from a particular source and you will want that added granularity to identify which protocol and port to formulate a proper response in the minimum amount of time.  ;}

    LVL 1

    Author Comment

    Thanks guys.

    Appreciate all your great help!

