Traffic Monitoring in Netscreen 5GT

Posted on 2006-10-28
Last Modified: 2009-07-29
Dear All,
We have a Netscreen 5GT firewall, which is used to create a VPN tunnel between our UK office and Middle East office. It has NAT and DHCP enabled on it. It receives the internet connection on its UNTRUST port, then connects to a switch to make it available on the LAN. I have almost 60 nodes connected on our corporate LAN. Recently I observed that one of the computers on our LAN is generating high traffic and it is affecting our internet connection speed. I was told that from the router I can see the traffic of the various IPs, but I have no idea how to check that. Does anyone know how to do this?

Can anyone help me with this?

Thanks
Seige
Question by:kelpere
Expert Comment

by:rsivanandan
ID: 17825698
What kind of information are you looking for?

On the 5GT, you can run 'get log traffic' and after that there are many options to see. See if that helps you. Or you can enable syslog and capture the output in a freeware syslog server like Kiwi.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17828023
Hi,
Thanks for the reply. As I mentioned in my previous post, we have 60 nodes connected on our corporate LAN. Either due to some virus or some heavy file download, some of the machines are generating very high traffic on the network. This causes a very slow browsing speed. It's very difficult to go around all 60 machines and check which one has a virus or who is doing a download. Hope you understand my point.

Is there any freeware that shows me the traffic flow on a per-computer basis in a graphical way? This would help my job a lot. I tried Sniffer and Ethereal, but I prefer something very simple.
Do you think the 5GT logs can help me with this?

Thanks
Expert Comment

by:rsivanandan
ID: 17828710
Yeah, basically you can run the commands I mentioned in a broad way first to get logs of the full network. Considering 60 nodes, it is a small network, so the task wouldn't be difficult. Once you get at least an hour's log, you can see more using the same get log with more parameters.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17832070
Hi Rajesh,
Thanks for the reply.
I got the info through the WebUI. I also got the same from the CLI command interface through Telnet. I got a lot of information from that, and the most important is Date/Time, Source Address/Port, Bytes Sent and Bytes Received. But I need some guidance from you. If I monitor the bytes sent/received sizes, will I be able to know the traffic flowing in and out from a particular computer?
Sorry, but I'm pretty new to this device and need some help.

Any thoughts?
Expert Comment

by:rsivanandan
ID: 17832150
Can you post the output you got?

Also another simple way would be to filter out the internal ip who is talking more.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17875616
Hi Rajesh,
I have been observing the syslog traffic and it helps me find out which computer is throwing out the maximum traffic.

What do you mean by "Also another simple way would be to filter out the internal ip who is talking more"? Do you mean that I can get this info by observing the Bytes Sent/Received from the syslog traffic? If you mean this, then yes, I am getting that info from the logs. The output from the log is as follows.

Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received
2006-11-05 09:57:49 192.168.2.113:1311 222.165.4.25:9000 62.215.189.115:2586 222.165.4.25:9000 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 192.168.2.41:1443 209.191.92.114:443 62.215.189.115:1212 209.191.92.114:443 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 192.168.2.43:3568 216.49.88.125:443 62.215.189.124:3568 216.49.88.125:443 HTTPS 8 sec. 1192 4784
2006-11-05 09:57:49 192.168.2.113:1943 172.134.123.23:9000 62.215.189.115:1122 172.134.123.23:9000 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:49 192.168.2.43:3571 216.49.88.118:80 62.215.189.124:3571 216.49.88.118:80 HTTP 2 sec. 258 128
2006-11-05 09:57:47 192.168.2.100:1040 172.16.100.167:161 62.215.189.115:1315 172.16.100.167:161 SNMP 78 sec. 492 0
2006-11-05 09:57:47 192.168.2.113:1293 82.154.162.93:9000 62.215.189.115:1615 82.154.162.93:9000 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 192.168.2.101:3474 192.168.200.70:9080 62.215.189.115:2982 192.168.200.70:9080 TCP PORT 9080 20 sec. 198 0
2006-11-05 09:57:47 192.168.2.113:1197 88.203.34.68:9000 62.215.189.115:1922 88.203.34.68:9000 TCP PORT 9000 74 sec. 470 262


Sorry, the format is messed up, but I'm sure you can read out the info.

What do you think?

Seige
Accepted Solution

by:rsivanandan
ID: 17875859
It seems like 192.168.2.113 is trying to connect to different servers, and the unique thing is that it is always at port 9000. Do you know what it is and what it is meant for?

Now it is easy, if the above observation is correct. I would suggest you go to that machine and do a complete scan for viruses and spyware.

You can get some good ones;

Use ewido (grisoft.com)

and also use adaware (www.lavasoftusa.com), choose the personal one.

then your company antivirus.

Check that out to see if anything turns up. An application listening on port 9000 is definitely not a regular one, since all the regular ones will listen on 1-1024...

Cheers,
Rajesh
Expert Comment

by:rsivanandan
ID: 17875864
Also, for more granularity, what I meant was to use this:

get log traffic src-address <ip address>

Cheers,
Rajesh

PS: check whether it is src-address; I don't remember it now, but you can get that info by putting a ? after 'traffic'.
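Added example, not part of this thread and not Juniper's or ScreenOS's own code: a small Python script that does offline what the last two comments describe on the box. It parses the nine traffic-log lines Seige posted above (column layout assumed from the posted header: Date/Time, source:port, destination:port, translated source:port, translated destination:port, service, duration, bytes sent, bytes received), ranks internal sources by bytes sent plus received, filters one host the way `get log traffic src-address <ip>` would, and flags a source that opens sessions to several different hosts on the same destination port, which is the port-9000 pattern picked out in the accepted answer. The `min_hosts` threshold is an arbitrary assumption.

```python
"""Summarise ScreenOS-style traffic-log lines per internal source.

Input format is assumed from the header Seige posted: one session per line,
ending in "<service> <n> sec. <bytes sent> <bytes received>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One traffic-log record; names follow the posted header."""
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    duration: int   # seconds
    sent: int       # bytes sent by src
    received: int   # bytes received by src


LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"[\d.]+:\d+ [\d.]+:\d+ "            # translated src/dst (NAT): not needed here
    r"(?P<service>.+?) "                 # "HTTPS", "TCP PORT 9000", ... (lazy: stops before the duration)
    r"(?P<dur>\d+) sec\. (?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_line(line: str) -> Optional[Session]:
    """Return a Session for one log line, or None for the header or junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Session(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   m["service"], int(m["dur"]), int(m["sent"]), int(m["recv"]))


def parse_log(text: str) -> List[Session]:
    return [s for s in (parse_line(l) for l in text.splitlines()) if s]


def by_source(sessions: List[Session], src: str) -> List[Session]:
    """Offline equivalent of 'get log traffic src-address <ip>'."""
    return [s for s in sessions if s.src == src]


def top_talkers(sessions: List[Session], n: int = 5) -> List[Tuple[str, int, int, int]]:
    """Rank sources by total bytes (sent + received), ties by session count.

    Returns (src, bytes_sent, bytes_received, session_count), busiest first."""
    sent, recv, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for s in sessions:
        sent[s.src] += s.sent
        recv[s.src] += s.received
        count[s.src] += 1
    rows = [(src, sent[src], recv[src], count[src]) for src in sent]
    rows.sort(key=lambda r: (r[1] + r[2], r[3]), reverse=True)
    return rows[:n]


def fan_out(sessions: List[Session], min_hosts: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Sources that reached >= min_hosts distinct destinations on one port.

    A low-byte, high-fan-out host is what scanning/bot traffic looks like
    and is exactly what a byte ranking alone can hide.  min_hosts is an
    arbitrary threshold (assumption)."""
    dests = defaultdict(set)
    for s in sessions:
        dests[(s.src, s.dport)].add(s.dst)
    return {k: sorted(v) for k, v in dests.items() if len(v) >= min_hosts}


# The nine lines from the post above, header included (header is skipped by the parser).
SAMPLE_LOG = """Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received
2006-11-05 09:57:49 192.168.2.113:1311 222.165.4.25:9000 62.215.189.115:2586 222.165.4.25:9000 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 192.168.2.41:1443 209.191.92.114:443 62.215.189.115:1212 209.191.92.114:443 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 192.168.2.43:3568 216.49.88.125:443 62.215.189.124:3568 216.49.88.125:443 HTTPS 8 sec. 1192 4784
2006-11-05 09:57:49 192.168.2.113:1943 172.134.123.23:9000 62.215.189.115:1122 172.134.123.23:9000 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:49 192.168.2.43:3571 216.49.88.118:80 62.215.189.124:3571 216.49.88.118:80 HTTP 2 sec. 258 128
2006-11-05 09:57:47 192.168.2.100:1040 172.16.100.167:161 62.215.189.115:1315 172.16.100.167:161 SNMP 78 sec. 492 0
2006-11-05 09:57:47 192.168.2.113:1293 82.154.162.93:9000 62.215.189.115:1615 82.154.162.93:9000 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 192.168.2.101:3474 192.168.200.70:9080 62.215.189.115:2982 192.168.200.70:9080 TCP PORT 9080 20 sec. 198 0
2006-11-05 09:57:47 192.168.2.113:1197 88.203.34.68:9000 62.215.189.115:1922 88.203.34.68:9000 TCP PORT 9000 74 sec. 470 262
"""

if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    print("top talkers by bytes:")
    for src, sent, recv, n in top_talkers(sessions):
        print(f"  {src:<15} sent={sent:>6} recv={recv:>6} sessions={n}")
    for (src, port), hosts in fan_out(sessions).items():
        print(f"fan-out: {src} -> {len(hosts)} hosts on port {port}: {', '.join(hosts)}")
    print(f"{len(by_source(sessions, '192.168.2.113'))} sessions from 192.168.2.113")
```

On these nine lines the byte ranking actually puts 192.168.2.43 first (6362 bytes) and 192.168.2.113 only third (2700 bytes), yet .113 has the most sessions and is the only host reaching four different destinations on a single port (9000). That is why both views are worth keeping, and why Rajesh's earlier advice to collect at least an hour of log before ranking matters: a handful of lines is enough to spot the fan-out pattern but not enough to say who is using the bandwidth.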

Author Comment

by:kelpere
ID: 18066710
Hi Rajesh..
Sorry to post the comment late.. I have been away from office.
I will definitely check your suggestions and get back to you soon.

Seige
Expert Comment

by:rsivanandan
ID: 18066924
NP.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 18110617
Hi Rajesh,
The problem still persists. One computer was continuously sending traffic on port 9000. I unplugged it for 15 minutes, but my network traffic still remains high. Every time, things are OK if I do a power cycle on my Netscreen device. It's really unfair to restart the Netscreen almost 5-6 times in a week.
I opened up a support case with Netscreen and will give you the details.

Any comments from you?

Cheers
Kevin
Expert Comment

by:rsivanandan
ID: 18110971
You do have problems with your internal machines. Try to clean 'em up. The advantage now is that you can identify who is causing it.

What OS are you running on that box? Are you on 5.4r2 yet?

Cheers,
Rajesh