Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How can i determine who's using all my bandwidth?

Posted on 2006-10-25
9
Medium Priority
?
2,660 Views
Last Modified: 2012-06-27
I have one T1 Internet connection which goes through a Cisco 2600 to a Cisco ASA 5520, with user connected to a Cisco 4503 switch.  Someone is using all my 1.5 Mb of bandwidth!  

My question is:
1.  Is there a way that I can tell who is using how much bandwidth?
2.  Is there a way to dymanically view this infomation?
3.  Can you give me detailed instructions?

It would be nice to get the user and/or computer name, but it not neccessary.  Our computer names have port numbers in them, so I could easy find the offender if knew what port was using the bandwidth.  (I know I could also find it from IP address, just trying to give as much info as I can)

I'm familar with setting up and configuring routers for T1's, Frame, and the basics on routers, but port spanning, trunking, syslogging etc, is beyond me.  I would gladly give 500 point for detailed instruction that go beyond "conf t" and the basics.
0
Comment
Question by:FSYR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17808135
There isn't a good on-router or on-switch solution.  NetFlow tools would likely work well, but that involves downloading software onto a server and customizing it for your application, etc.

A crude and dirty method would be, assuming you're doing NAT on the router, writing a permit access list that you'd use to "divide and conquer" your subnet(s) and find the high packet rate (you'd have to hope that the offender is consistently "winning" the packet races as well as the bandwidth races; no easy way to directly measure bandwidth).  Assuming your LAN was 192.168.1.0/24, you'd apply ACL 101 to your router's internal interface in the outbound direction:

access-list 101 permit ip any 192.168.1.0 0.0.0.127
access-list 101 permit ip any 192.168.1.128 0.0.0.127
access-list 101 permit ip any any

The third line is optional for now, but you want to see which half of your subnet had a higher packet rate of matches.  Assuming it was the upper half, write ACL 102 and then apply it to the internal interface in the outbound direction (overriding the setting to use ACL 101):

access-list 102 permit ip any 192.168.1.128 0.0.0.63
access-list 102 permit ip any 192.168.1.192 0.0.0.63
access-list 102 permit ip any any

Figure out which quarter of the subnet had the higher packet rate, then kill and replace ACL 101:

no access-list 101
access-list 101 permit ip any 192.168.1.128 0.0.0.31
access-list 101 permit ip any 192.168.1.160 0.0.0.31
access-list 101 permit ip any any

Once rewritten, apply ACL 101 to the internal interface in the outbound direction.  Continue the divide and conquer until you've narrowed it down.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17810980
I would also install NTOP to find the little buggers...
http://www.ntop.org

Win32 version if you don't use linux
http://www.openxtra.co.uk/freestuff/ntop-xtra.php

The 4503 probably doesn't support netflow. The ASA does not. The router does, but it's already in front of the ASA and you only see the natted addresses.
Put the netflow in promiscuous mode with a hub between the PIX and the switch. Or on a span port of the switch.

It won't take long to figure out what's going on.

0
 
LVL 2

Expert Comment

by:skylarktech
ID: 17816532
There's a cool tool out there call onlineeye It is free and quite easy to use Just download it and install it on a comp on the network and you can see just what everyone is doing on the network. or like lrmoore said above NTOP is a great tool also.
0
ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

 
LVL 79

Expert Comment

by:lrmoore
ID: 17830867
Hello???
0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17831127
Oh, you wanted the OP to follow up?  Ha...
0
 
LVL 1

Author Comment

by:FSYR
ID: 17833671
I found this out about netflow:
NetFlow on Cisco 4000/4500 switches
The 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Can I span a port on the switch, and direct it to a second card on my workstation?  Then I guess I would use NTop-XTRA on that same workstation?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17836826
Yes, you can do that easily since the 4500 does not support netflow with the configuration you have.
0
 
LVL 1

Author Comment

by:FSYR
ID: 17857872
I downloaded the NTOP software from above.

Can you give a brief run down on how to set this up to do what I need? Do I need to span the port that goes to ASA?  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 750 total points
ID: 17862595
Yes, span the port that goes to the ASA, connect the NTOP box in promiscuous mode to the span destination interface. That's about all there is to it.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question