Solved

Traffic Monitoring in Netscreen 5GT

Posted on 2006-10-28
2,007 Views
Last Modified: 2009-07-29
Dear All,
We have a Netscreen 5GT firewall which is used to create a VPN tunnel between our UK office and Middle East office. It has NAT and DHCP enabled on it. This one receives the internet connection on its UNTRUST port. Then it connects to a switch to make it available on the LAN. I have almost 60 nodes connected on our corporate LAN. Recently I observed that one of my computers on our LAN is giving me high traffic and it is affecting our internet connection speed. From the router, I was told that I can see the traffic of various IPs, but I have no idea how to check that. Does anyone know how to do this?

Can anyone help me with this?

Thanks
Seige
Question by:kelpere
15 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17825698
What kind of information are you looking for ?

On the 5GT, you can run 'get log traffic' and after that there are many options to see. See if that helps you. Or you can enable syslog and capture the output in a freeware syslog server like KIWI.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17828023
Hi,
Thanks for the reply. As I mentioned in my previous post, we have 60 nodes connected on our corporate LAN. Either due to some virus or some heavy file download, some of the machines are giving me very high traffic on the network. This causes a very slow browsing speed. It's very difficult to go around all 60 machines and check which one has a virus or who is doing a download. Hope you understand my point.

Is there any freeware that shows me the traffic flow on a per-computer basis in a graphical way? This would help my job a lot. I tried Sniffer and Ethereal, but I prefer something very simple.
Do you think the 5GT logs can help me with this?

Thanks
LVL 32

Expert Comment

by:rsivanandan
ID: 17828710
Yeah, basically you can run the commands I mentioned broadly first to get logs of the full network. Considering 60 nodes, it is a small network, so the task wouldn't be difficult. Once you get at least an hour's log, you can see more using the same get log with more parameters.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17832070
Hi Rajesh,
Thanks for the reply.
I got the info through the WebUI. I also got the same from the CLI command interface through Telnet. I got a lot of information from that, and the most important is Date/Time, Source Address/Port, Bytes Sent & Bytes Received. But I need some guidance from you. If I monitor the bytes sent/received size, will I be able to know the traffic flowing in and out from a particular computer?
Sorry, but I'm pretty new to this device and need some help.

Any thoughts?
LVL 32

Expert Comment

by:rsivanandan
ID: 17832150
Can you post the output you got?

Also, another simple way would be to filter out the internal IP who is talking more.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 17875616
Hi rajesh,
I have been observing the syslog traffic and it helps me to find out which computer is throwing out the maximum traffic.

What do you mean by "Also another simple way would be to filter out the internal IP who is talking more"? Do you mean that I can get this info by observing the Bytes Sent/Received from the syslog traffic? If you mean this, then yes, I am getting that info from the logs. The output from the log is as follows.

Date/Time            Source Address/Port  Destination Address/Port  Translated Source/Port  Translated Destination/Port  Service        Duration   Bytes Sent  Bytes Received
2006-11-05 09:57:49  192.168.2.113:1311   222.165.4.25:9000         62.215.189.115:2586     222.165.4.25:9000            TCP PORT 9000  11 sec.    336         198
2006-11-05 09:57:49  192.168.2.41:1443    209.191.92.114:443        62.215.189.115:1212     209.191.92.114:443           HTTPS          3 sec.     1503        1734
2006-11-05 09:57:49  192.168.2.43:3568    216.49.88.125:443         62.215.189.124:3568     216.49.88.125:443            HTTPS          8 sec.     1192        4784
2006-11-05 09:57:49  192.168.2.113:1943   172.134.123.23:9000       62.215.189.115:1122     172.134.123.23:9000          TCP PORT 9000  1900 sec.  1090        134
2006-11-05 09:57:49  192.168.2.43:3571    216.49.88.118:80          62.215.189.124:3571     216.49.88.118:80             HTTP           2 sec.     258         128
2006-11-05 09:57:47  192.168.2.100:1040   172.16.100.167:161        62.215.189.115:1315     172.16.100.167:161           SNMP           78 sec.    492         0
2006-11-05 09:57:47  192.168.2.113:1293   82.154.162.93:9000        62.215.189.115:1615     82.154.162.93:9000           TCP PORT 9000  20 sec.    210         0
2006-11-05 09:57:47  192.168.2.101:3474   192.168.200.70:9080       62.215.189.115:2982     192.168.200.70:9080          TCP PORT 9080  20 sec.    198         0
2006-11-05 09:57:47  192.168.2.113:1197   88.203.34.68:9000         62.215.189.115:1922     88.203.34.68:9000            TCP PORT 9000  74 sec.    470         262


Sorry, the format is messed up, but I'm sure you can read out the info.

What do you think?

Seige
LVL 32

Accepted Solution

by:
rsivanandan earned 50 total points
ID: 17875859
Seems like 192.168.2.113 is trying to connect to different servers, and the unique thing is that it is always at port 9000. Do you know what it is and what it is meant for?

Now it is easy if the above observation is correct. I would suggest you go to that machine and do a complete scan for viruses and spyware.

You can get some good ones:

Use ewido (grisoft.com)

and also use adaware (www.lavasoftusa.com), choose the personal one.

then your company antivirus.

Check that out to see if anything turns up. An application listening on port 9000 is definitely not a regular one, since all the regular ones will listen on 1-1024...

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 17875864
Also, for more granularity, what I meant was to use this:

get log traffic src-address <ip address>

Cheers,
Rajesh

PS: check whether it is src-address; I don't remember it now, but you can get that info by putting a ? after 'traffic'.
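Editor's note: the two suggestions above (rank the internal IPs by how much they talk, then filter the traffic log down to one source address) can be done offline against the log lines Seige posted, without re-running anything on the 5GT. The script below is an added example, not the poster's or Juniper's tooling, and it feeds on the nine session lines copied from the thread above. It sums bytes sent and received per internal host, lists the top talkers, filters sessions by source IP (a local stand-in for the `get log traffic src-address` filter Rajesh mentions, whose exact ScreenOS keyword he left unconfirmed), and adds one check that volume alone does not give you: which hosts are connecting to many different servers on the same port. The `min_dests` threshold of 3 is an assumption chosen for this short snippet. Worth noticing: in these nine lines 192.168.2.43 (HTTPS) moves the most bytes, while 192.168.2.113 stands out only by the port-9000 fan-out, which is the pattern the accepted answer keyed on.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Session log lines as posted in the thread (ScreenOS 'get log traffic' output
# relayed via syslog). Columns: date, time, src:port, dst:port, translated
# src:port, translated dst:port, service, duration, bytes sent, bytes received.
SAMPLE_LOG = """\
2006-11-05 09:57:49 192.168.2.113:1311 222.165.4.25:9000 62.215.189.115:2586 222.165.4.25:9000 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 192.168.2.41:1443 209.191.92.114:443 62.215.189.115:1212 209.191.92.114:443 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 192.168.2.43:3568 216.49.88.125:443 62.215.189.124:3568 216.49.88.125:443 HTTPS 8 sec. 1192 4784
2006-11-05 09:57:49 192.168.2.113:1943 172.134.123.23:9000 62.215.189.115:1122 172.134.123.23:9000 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:49 192.168.2.43:3571 216.49.88.118:80 62.215.189.124:3571 216.49.88.118:80 HTTP 2 sec. 258 128
2006-11-05 09:57:47 192.168.2.100:1040 172.16.100.167:161 62.215.189.115:1315 172.16.100.167:161 SNMP 78 sec. 492 0
2006-11-05 09:57:47 192.168.2.113:1293 82.154.162.93:9000 62.215.189.115:1615 82.154.162.93:9000 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 192.168.2.101:3474 192.168.200.70:9080 62.215.189.115:2982 192.168.200.70:9080 TCP PORT 9080 20 sec. 198 0
2006-11-05 09:57:47 192.168.2.113:1197 88.203.34.68:9000 62.215.189.115:1922 88.203.34.68:9000 TCP PORT 9000 74 sec. 470 262
"""


class Session(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    duration: int  # seconds
    sent: int      # bytes sent by src
    recv: int      # bytes received by src


# Service names contain spaces ("TCP PORT 9000"), so match them lazily and
# anchor on the fixed "<n> sec. <sent> <recv>" tail instead of splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<xsrc>[\d.]+):(?P<xsport>\d+) (?P<xdst>[\d.]+):(?P<xdport>\d+) "
    r"(?P<service>.+?) (?P<duration>\d+) sec\. (?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_log(text: str) -> List[Session]:
    """Parse traffic-log lines; header lines and mangled lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sessions.append(Session(
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["service"],
            int(m["duration"]), int(m["sent"]), int(m["recv"]),
        ))
    return sessions


def bytes_per_host(sessions: List[Session]) -> Dict[str, Tuple[int, int, int]]:
    """Per source IP: (bytes sent, bytes received, number of sessions)."""
    totals = defaultdict(lambda: [0, 0, 0])
    for s in sessions:
        t = totals[s.src]
        t[0] += s.sent
        t[1] += s.recv
        t[2] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def top_talkers(sessions: List[Session], n: int = 3) -> List[Tuple[str, int]]:
    """Internal hosts ranked by total bytes (sent + received), highest first."""
    per_host = bytes_per_host(sessions)
    ranked = sorted(((ip, sent + recv) for ip, (sent, recv, _) in per_host.items()),
                    key=lambda x: (-x[1], x[0]))
    return ranked[:n]


def filter_src(sessions: List[Session], ip: str) -> List[Session]:
    """Offline equivalent of filtering the traffic log by one source address."""
    return [s for s in sessions if s.src == ip]


def port_fanout(sessions: List[Session], min_dests: int = 3) -> List[Tuple[str, int, int]]:
    """(src, dst port, distinct destinations) for hosts contacting many servers on one port.
    A single workstation repeatedly reaching out to unrelated hosts on one odd port is a
    better malware indicator than raw byte counts in a short log sample."""
    dests = defaultdict(set)
    for s in sessions:
        dests[(s.src, s.dport)].add(s.dst)
    hits = [(src, dport, len(d)) for (src, dport), d in dests.items() if len(d) >= min_dests]
    return sorted(hits, key=lambda x: (-x[2], x[0], x[1]))


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    per_host = bytes_per_host(sessions)
    print("Top talkers by bytes (sent + received):")
    for ip, total in top_talkers(sessions, 3):
        print(f"  {ip:<15} {total:>6} bytes in {per_host[ip][2]} session(s)")
    print("Hosts fanning out to many destinations on one port:")
    for src, dport, n_dst in port_fanout(sessions, min_dests=3):
        print(f"  {src} -> {n_dst} distinct hosts on port {dport}")
    print("Sessions from 192.168.2.113 only:")
    for s in filter_src(sessions, "192.168.2.113"):
        print(f"  {s.dst}:{s.dport} {s.service} {s.duration}s sent={s.sent} recv={s.recv}")
```

To use it on a real capture, replace SAMPLE_LOG with the text of a syslog file (a few hours' worth is enough for 60 nodes) and raise `min_dests` so normal web browsing does not trip the fan-out check; the parser tolerates the column header and any lines the syslog server wrapped or truncated.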

Author Comment

by:kelpere
ID: 18066710
Hi Rajesh..
Sorry to post the comment late; I have been away from the office.
I will definitely check your suggestions and get back to you soon.

Seige
LVL 32

Expert Comment

by:rsivanandan
ID: 18066924
NP.

Cheers,
Rajesh

Author Comment

by:kelpere
ID: 18110617
Hi rajesh,
The problem still persists. One computer was continuously sending traffic on port 9000. I unplugged it for 15 minutes but my network traffic still remains high. Every time, things are OK if I do a power cycle on my Netscreen device. It's really unfair to restart the Netscreen almost 5-6 times in a week.
I opened up a 'support case' with Netscreen and will give you details.

Any comments from you?

Cheers
Kevin
LVL 32

Expert Comment

by:rsivanandan
ID: 18110971
You do have problems with your internal machines. Try to clean 'em up. The advantage now is that you can identify who is causing it.

What OS are you running on that box? Are you on 5.4r2 yet?

Cheers,
Rajesh