
Bandwidth Utilization Question

Hi guys,

Hope you can help.

The last couple of weeks we have seen a huge increase in bandwidth utilization on one of our frame relay interfaces.

We would like to know what type of protocol traffic is causing this increased bandwidth.

We'd like to know if Winsyslog would do the trick in determining exactly what type of network traffic is coming from this interface, in and out.

What do you guys recommend?

We basically want a fast, easy to setup solution, as we need to find this traffic out quickly.

Thanks a lot.

Simon
0
Simon336697
 
pedrow Commented:
If you enable netflow on the inbound and outbound interfaces of the router, and you're aware when traffic is high, you can just check it on the router in real time.

On the interfaces:

int fa0/0
 ip route-cache flow

And when you're seeing traffic problems, try :
router> show ip cache flow

If that provides too much information, you might want to look for large traffic flows by filtering the output to look for "K" to find thousands of packets thusly:

router> sh ip cache fl | i K

If this isn't possible to catch in real time, you might want to export these traffic flow statistics to something like ntop:
http://www.ntop.org

Which is an open-source netflow collector that can help you graph out 'top talkers' on your network.

0
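Going beyond the `| i K` filter in the answer above, this added example (not part of the original thread) parses pasted `show ip cache flow` output and totals packets per protocol and destination port, and per source address. The sample rows are constructed, and the column layout (hexadecimal Pr/SrcP/DstP fields, K and M packet suffixes) is an assumption about the classic IOS flow table that should be checked against your router's output.

```python
"""Rank 'show ip cache flow' rows by packets (added example, not from the thread)."""
from collections import Counter

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol numbers
SUFFIX = {"K": 1_000, "M": 1_000_000}      # assumed abbreviations in the Pkts column

# Constructed sample, not captured from a real router. Assumed column layout:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts, with Pr/SrcP/DstP in hex.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Se0/0         192.0.2.10      06 0C3A 0050    12K
Fa0/0         10.1.1.9        Se0/0         192.0.2.44      11 0401 0035    87
Fa0/0         10.1.1.23       Se0/0         198.51.100.7    06 0D11 01BD   340K
Se0/0         192.0.2.10      Fa0/0         10.1.1.5        06 0050 0C3A     9K
Fa0/0         10.1.1.23       Se0/0         198.51.100.9    06 0D12 01BD     2M
Fa0/0         10.1.1.7        Null          10.1.1.255      01 0000 0800     3
"""

def pkts(field):
    """Convert '87', '12K' or '2M' to an integer packet count."""
    mult = SUFFIX.get(field[-1].upper())
    return int(field[:-1]) * mult if mult else int(field)

def parse(text):
    """Yield one dict per flow row; skip the header and malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        try:
            proto, sport, dport = (int(x, 16) for x in f[4:7])
            yield {"src": f[1], "dst": f[3], "proto": PROTO.get(proto, str(proto)),
                   "sport": sport, "dport": dport, "pkts": pkts(f[7])}
        except ValueError:
            continue  # e.g. a statistics line that happens to have eight fields

def top(text, key, n=3):
    """Total packets grouped by key(flow), largest first."""
    totals = Counter()
    for flow in parse(text):
        totals[key(flow)] += flow["pkts"]
    return totals.most_common(n)

def top_services(text, n=3):
    return top(text, lambda f: (f["proto"], f["dport"]), n)

def top_sources(text, n=3):
    return top(text, lambda f: f["src"], n)

if __name__ == "__main__":
    for (proto, port), total in top_services(SAMPLE):
        print(f"{proto}/{port}: {total} packets")
```

Counts with a K or M suffix are rounded by the router, so the totals are only good for ranking, not for exact accounting.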
 
harbor235 Commented:
If you don't have the netflow collectors in place you could also craft an ACL that would help identify the offending traffic.

For example:

access-list 101 permit icmp any any log-input
access-list 101 permit tcp any any log-input
access-list 101 permit udp any any log-input

This will allow you to view the matches on the access-list entry, thus identifying the offending traffic type.
It will also log the traffic; this will allow you to view precisely what kind of traffic it is in the log.

1) Make sure your log is large enough (8 Meg minimum, do you have the additional memory?)
2) Only enable this ACL temporarily; once you have collected some data, remove the ACL. Depending on how much traffic is "huge increase", this may or may not have a huge impact on the CPU of your router. Enter the command to commit the ACL to the interface (ip access-group 101 in), then immediately turn it off (no ip access-group 101 in). It may take a while to come back; again, it depends on how much traffic is actually coming in and the router you have.

harbor235

0
 
lrmoore Commented:
I'd go with Pedrow on this one. NTOP is awesome and simple to set up.
There's even a Win32 port at OpenXtra http://www.openxtra.co.uk/products/ntop-xtra.php

Super easy to set up and monitor...

Although Netflow is the preferred solution, another quick/dirty option would be ip accounting. Enable accounting on the Local LAN interfaces (on routers at both ends of the frame PVC)

Router(config)# interface FastEthernet 0/1
Router(config-if)# ip accounting output-packets
Router# sh ip accounting output-packets

0
 
harbor235 Commented:
Just to make sure my point is understood, in conditions of spiking bandwidth this could be the first signs of a virus or some other form of malware, DOS, any attack, etc.
I agree netflow would be the way to go if I were managing the network and had the time to implement. However, the ACL is a quick and dirty way to quickly identify the offending traffic. If I were running this network the ACL would allow me to rule out an attack or malware quickly so I could implement netflow. In addition, ip accounting will not show you the protocol and port, just the source and destination, total bytes, and total packets. There may be some legitimate traffic coming from a particular source and you will want that added granularity to identify which protocol and port to formulate a proper response in the minimum amount of time.  ;}


harbor235
0
 
Simon336697 Author Commented:
Thanks guys.

Appreciate all your great help!

Simon
0
