

Traffic Monitoring in Netscreen 5GT

kelpere asked
Medium Priority
Last Modified: 2009-07-29
Dear All,
We have a Netscreen 5GT firewall, which is used to create a VPN tunnel between our UK office and Middle East office. It has NAT and DHCP enabled on it. This one receives the internet connection on its UNTRUST port. Then it connects to a switch to make it available on the LAN. I have almost 60 nodes connected on our corporate LAN. Recently I observed that one of my computers on our LAN is giving me high traffic and it is affecting our internet connection speed. From the router, I was told that I can see the traffic of various IPs, but I have no idea how to check that. Does anyone know how to do this?

Can anyone help me with this?

What kind of information are you looking for?

On the 5GT, you can run 'get log traffic' and after that there are many options to see. See if that helps you. Or you can enable Syslog and capture the output in a freeware syslog server like KIWI.



Thanks for the reply. As I mentioned in my previous post, we have 60 nodes connected on our corporate LAN. Either due to some virus or some heavy file download, some of the machines are giving me very high traffic on the network. This causes a very slow browsing speed. It's very difficult to go around all 60 machines and check which one has a virus or who is doing a download. Hope you understand my point.

Is there any freeware that shows me the traffic flow on a per-computer basis in a graphical way? This will help my job a lot. I tried Sniffer and Ethereal, but I prefer something very simple.
Do you think 5GT logs can help me with this?

Yeah, basically you can run the commands I mentioned in a broad way first to get logs of the full network. Considering 60 nodes, it is a small network so the task wouldn't be difficult. Once you get at least an hour's log, you can see more using the same get log with more parameters.



Hi Rajesh,
Thanks for the reply.
I got the info through the WebUI. I also got the same from the CLI command interface through Telnet. I got a lot of information from that, and the most important is Date/Time, Source Address/Port, Bytes Sent and Bytes Received. But I need some guidance from you. If I monitor the bytes sent/received size, will I be able to know the traffic flowing in and out from a particular computer?
Sorry, but I'm pretty new to this device and need some help.

Any thoughts?
Can you post the output you got?

Also another simple way would be to filter out the internal IP who is talking more.



Hi rajesh,
I have been observing the Sys Log traffic and it helps me to find out which computer is throwing out maximum traffic.

What do you mean by "Also another simple way would be to filter out the internal ip who is talking more"? Do you mean that I can get this info by observing the Bytes Sent/Received from the Syslog traffic? If you mean this, then yes, I am getting that info from the logs. The output from the log is as follows.

Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received
2006-11-05 09:57:49 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 HTTPS 8 sec. 1192 4784
2006-11-05 09:57:49 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:49 HTTP 2 sec. 258 128
2006-11-05 09:57:47 SNMP 78 sec. 492 0
2006-11-05 09:57:47 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 TCP PORT 9080 20 sec. 198 0
2006-11-05 09:57:47 TCP PORT 9000 74 sec. 470 262

Sorry the format is messed up, but I'm sure you can read out the info.

What do you think?

Seems like is trying out to connect to different servers and uniqueness is, at port 9000. Do you know what it is and if it is meant for?

Now it is easy if the above observation is correct. I would suggest you to go to that machine and do a complete scan for virus and spyware.

You can get some good ones;

Use ewido (grisoft.com)

and also use adaware (www.lavasoftusa.com), choose the personal one.

then your company antivirus.

Check that out to see if anything turns out. An application listening on port 9000 is definitely not a regular one since all the regular ones will listen on 1-1024...


Also for more granularity what I meant was to use this;

get log traffic src-address <ip address>


PS: check whether it is src-address; I don't remember it now, but you can get that info by putting a ? after 'traffic'.


Hi Rajesh..
Sorry to post the comment late.. I have been away from office.
I will definitely check your suggestions and get back to you soon.




Hi rajesh,
The problem still persists. One computer was continuously sending traffic on port 9000. I unplugged it for 15 minutes but my network traffic still remains high. Every time, things are OK if I do a power cycle on my Netscreen device. It's really unfair to restart the Netscreen almost 5-6 times in a week.
I opened up a 'support case' with Netscreen and will give you details.

Any comments from you?

You do have problems with your internal machines. Try to clean 'em up. The advantage now is that you can identify who is causing it.

What OS are you running on that box? Yet onto 5.4r2?
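
An added example, not part of any post in this thread: a Python script that totals bytes per source address from a traffic-log export in the column order of the log header posted above, and counts distinct destinations per service, since many short sessions to one port can matter more than raw volume. The sample rows, all addresses, and the whitespace-separated layout are assumptions, because the address columns did not survive in the posted log.

```python
from collections import defaultdict

# Constructed sample rows in the column order of the thread's log header.
# All addresses are made up (RFC 1918 and RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2006-11-05 09:57:49 192.168.1.23:1045 203.0.113.10:9000 198.51.100.2:2001 203.0.113.10:9000 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 192.168.1.40:3310 203.0.113.80:443 198.51.100.2:2002 203.0.113.80:443 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 192.168.1.23:1046 203.0.113.11:9000 198.51.100.2:2003 203.0.113.11:9000 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:47 192.168.1.23:1047 203.0.113.12:9000 198.51.100.2:2004 203.0.113.12:9000 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 192.168.1.51:1200 203.0.113.80:80 198.51.100.2:2005 203.0.113.80:80 HTTP 2 sec. 258 128
garbled line that should be skipped
"""

def parse_row(line):
    """Return a dict for one row, or None if the row does not fit the layout."""
    tok = line.split()
    # 2 date/time + 4 address:port + >=1 service word + duration, 'sec.', sent, received
    if len(tok) < 11 or tok[-3] != "sec.":
        return None
    try:
        duration, sent, received = int(tok[-4]), int(tok[-2]), int(tok[-1])
    except ValueError:
        return None
    return {"src": tok[2].rsplit(":", 1)[0], "dst": tok[3].rsplit(":", 1)[0],
            "service": " ".join(tok[6:-4]),  # service names may contain spaces
            "duration": duration, "sent": sent, "received": received}

def top_talkers(log_text):
    """Aggregate per source IP; return (ip, stats) pairs, largest byte total first."""
    stats = defaultdict(lambda: {"bytes": 0, "sessions": 0, "peers": defaultdict(set)})
    for line in log_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue  # skip headers, blanks and damaged rows
        s = stats[row["src"]]
        s["bytes"] += row["sent"] + row["received"]
        s["sessions"] += 1
        s["peers"][row["service"]].add(row["dst"])
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for ip, s in top_talkers(SAMPLE_LOG):
        fanout = {svc: len(dsts) for svc, dsts in s["peers"].items()}
        print(f"{ip:15} bytes={s['bytes']:6} sessions={s['sessions']} dst_per_service={fanout}")
```

In the constructed sample the host with the most bytes is a single HTTPS session, while the host opening sessions to three different destinations on port 9000 ranks second by volume; reading both columns together is what separates a large download from unusual connection behaviour.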
