kelpere

Traffic Monitoring in Netscreen 5GT

Dear All,
We have a Netscreen 5GT firewall and it is used to create a VPN tunnel between our UK office and Middle East office. It has NAT and DHCP enabled on it. This one receives the internet connection on its UNTRUST port. Then it connects to a switch to make it available on the LAN. I have almost 60 nodes connected on our corporate LAN. Recently I observed that one of my computers on our LAN is giving me high traffic and it is affecting our internet connection speed. From the router, I was told that I can see the traffic of various IPs, but I have no idea how to check that. Does anyone know how to do this?

Can anyone help me with this?

Thanks
Seige
rsivanandan

What kind of information are you looking for?

On the 5GT, you can run 'get log traffic' and after that there are many options to see. See if that helps you. Or you can enable syslog and capture the output in a freeware syslog server like KIWI.

Cheers,
Rajesh
kelpere (ASKER)

Hi,
Thanks for the reply. As I mentioned in my previous post, we have 60 nodes connected on our corporate LAN. Either due to some virus or some heavy file download, some of the machines are giving me very high traffic on the network. This causes a very slow browsing speed. It's very difficult to go around all the 60 machines and check which one has a virus or who is doing a download. Hope you understand my point.

Is there any freeware that shows me the traffic flow on a per-computer basis in a graphical way? This will help my job a lot. I tried Sniffer and Ethereal, but I prefer something very simple.
Do you think 5GT logs can help me with this?

Thanks
Yeah, basically you can run the commands I mentioned in a broad way first to get logs of the full network. Considering 60 nodes, it is a small network, so the task wouldn't be difficult. Once you get at least an hour's log, you can see more using the same get log with more parameters.

Cheers,
Rajesh
kelpere (ASKER)

Hi Rajesh,
Thanks for the reply.
I got the info through the WebUI. I also got the same from the CLI command interface through Telnet. I got a lot of information from that, and the most important is Date/Time, Source Address/Port, Bytes Sent and Bytes Received. But I need some guidance from you. If I monitor the bytes sent/received size, will I be able to know the traffic flowing in and out from a particular computer?
Sorry, but I'm pretty new to this device and need some help.

Any thoughts?
Can you post the output you got?

Also, another simple way would be to filter out the internal IP that is talking more.

Cheers,
Rajesh
kelpere (ASKER)

Hi Rajesh,
I have been observing the syslog traffic and it helps me to find out which computer is throwing out maximum traffic.

What do you mean by "Also another simple way would be to filter out the internal ip who is talking more"? Do you mean that I can get this info by observing the Bytes Sent/Received from the syslog traffic? If you mean this, then yes, I am getting that info from the logs. The output from the log is as follows.

| Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received |
|---|---|---|---|---|---|---|---|---|
| 2006-11-05 09:57:49 | 192.168.2.113:1311 | 222.165.4.25:9000 | 62.215.189.115:2586 | 222.165.4.25:9000 | TCP PORT 9000 | 11 sec. | 336 | 198 |
| 2006-11-05 09:57:49 | 192.168.2.41:1443 | 209.191.92.114:443 | 62.215.189.115:1212 | 209.191.92.114:443 | HTTPS | 3 sec. | 1503 | 1734 |
| 2006-11-05 09:57:49 | 192.168.2.43:3568 | 216.49.88.125:443 | 62.215.189.124:3568 | 216.49.88.125:443 | HTTPS | 8 sec. | 1192 | 4784 |
| 2006-11-05 09:57:49 | 192.168.2.113:1943 | 172.134.123.23:9000 | 62.215.189.115:1122 | 172.134.123.23:9000 | TCP PORT 9000 | 1900 sec. | 1090 | 134 |
| 2006-11-05 09:57:49 | 192.168.2.43:3571 | 216.49.88.118:80 | 62.215.189.124:3571 | 216.49.88.118:80 | HTTP | 2 sec. | 258 | 128 |
| 2006-11-05 09:57:47 | 192.168.2.100:1040 | 172.16.100.167:161 | 62.215.189.115:1315 | 172.16.100.167:161 | SNMP | 78 sec. | 492 | 0 |
| 2006-11-05 09:57:47 | 192.168.2.113:1293 | 82.154.162.93:9000 | 62.215.189.115:1615 | 82.154.162.93:9000 | TCP PORT 9000 | 20 sec. | 210 | 0 |
| 2006-11-05 09:57:47 | 192.168.2.101:3474 | 192.168.200.70:9080 | 62.215.189.115:2982 | 192.168.200.70:9080 | TCP PORT 9080 | 20 sec. | 198 | 0 |
| 2006-11-05 09:57:47 | 192.168.2.113:1197 | 88.203.34.68:9000 | 62.215.189.115:1922 | 88.203.34.68:9000 | TCP PORT 9000 | 74 sec. | 470 | 262 |

Sorry, the format is messed up, but I'm sure you can read out the info.

What do you think?

Seige
ASKER CERTIFIED SOLUTION
rsivanandan

Also for more granularity what I meant was to use this;

get log traffic src-address <ip address>

Cheers,
Rajesh

PS: check whether it is src-address; I don't remember it now, but you can get that info by putting a ? after 'traffic'.
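As an added example (not code from the thread or from the Netscreen itself), the same per-source filtering done offline in Python over the log lines posted above: it sums bytes per internal source address, and separately flags hosts that keep opening sessions to one destination port, which byte totals alone would not put at the top.

```python
from collections import defaultdict

# Constructed sample input: the nine 'get log traffic' lines posted earlier in this thread.
SAMPLE_LOG = """\
2006-11-05 09:57:49 192.168.2.113:1311 222.165.4.25:9000 62.215.189.115:2586 222.165.4.25:9000 TCP PORT 9000 11 sec. 336 198
2006-11-05 09:57:49 192.168.2.41:1443 209.191.92.114:443 62.215.189.115:1212 209.191.92.114:443 HTTPS 3 sec. 1503 1734
2006-11-05 09:57:49 192.168.2.43:3568 216.49.88.125:443 62.215.189.124:3568 216.49.88.125:443 HTTPS 8 sec. 1192 4784
2006-11-05 09:57:49 192.168.2.113:1943 172.134.123.23:9000 62.215.189.115:1122 172.134.123.23:9000 TCP PORT 9000 1900 sec. 1090 134
2006-11-05 09:57:49 192.168.2.43:3571 216.49.88.118:80 62.215.189.124:3571 216.49.88.118:80 HTTP 2 sec. 258 128
2006-11-05 09:57:47 192.168.2.100:1040 172.16.100.167:161 62.215.189.115:1315 172.16.100.167:161 SNMP 78 sec. 492 0
2006-11-05 09:57:47 192.168.2.113:1293 82.154.162.93:9000 62.215.189.115:1615 82.154.162.93:9000 TCP PORT 9000 20 sec. 210 0
2006-11-05 09:57:47 192.168.2.101:3474 192.168.200.70:9080 62.215.189.115:2982 192.168.200.70:9080 TCP PORT 9080 20 sec. 198 0
2006-11-05 09:57:47 192.168.2.113:1197 88.203.34.68:9000 62.215.189.115:1922 88.203.34.68:9000 TCP PORT 9000 74 sec. 470 262
"""

def parse_line(line):
    """Parse one session line into a dict, or return None for header/prompt/blank lines.
    Service names contain spaces ('TCP PORT 9000'), so the fixed fields are taken
    from both ends of the token list and the service is whatever is left between."""
    t = line.split()
    if len(t) < 11 or t[-3] != "sec.":
        return None
    return {"src": t[2].rsplit(":", 1)[0], "dport": int(t[3].rsplit(":", 1)[1]),
            "service": " ".join(t[6:-4]), "secs": int(t[-4]),
            "sent": int(t[-2]), "recv": int(t[-1])}

def summarize(log_text):
    """Per internal source: bytes sent/received, session count, sessions per destination port."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "sessions": 0, "ports": defaultdict(int)})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = totals[rec["src"]]
        s["sent"] += rec["sent"]; s["recv"] += rec["recv"]
        s["sessions"] += 1; s["ports"][rec["dport"]] += 1
    return totals

def top_talkers(log_text, n=3):
    """Hosts ranked by total bytes: the answer to 'which internal IP is talking more'."""
    ranked = sorted(summarize(log_text).items(),
                    key=lambda kv: kv[1]["sent"] + kv[1]["recv"], reverse=True)
    return [(ip, s["sent"] + s["recv"]) for ip, s in ranked[:n]]

def repeat_port_hosts(log_text, min_sessions=3):
    """Hosts with many sessions to a single destination port. A host that keeps
    opening port-9000 sessions shows up here even though its byte total is modest."""
    hits = [(ip, port, n) for ip, s in summarize(log_text).items()
            for port, n in s["ports"].items() if n >= min_sessions]
    return sorted(hits)
```

On the nine posted lines, 192.168.2.43 leads by bytes, while 192.168.2.113 is the only host with repeated sessions to one port (9000), so both views are worth running over an hour's log.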
kelpere (ASKER)

Hi Rajesh,
Sorry to post the comment late. I have been away from the office.
I will definitely check your suggestions and get back to you soon.

Seige
NP.

Cheers,
Rajesh
kelpere (ASKER)

Hi Rajesh,
The problem still persists. One computer was continuously sending traffic on port 9000. I unplugged it for 15 minutes, but my network traffic still remains high. Every time, things are OK if I do a power cycle on my Netscreen device. It's really unfair to restart the Netscreen almost 5-6 times in a week.
I opened up a 'support case' with Netscreen and will give you details.

Any comments from you?

Cheers
Kevin
You do have problems with your internal machines. Try to clean 'em up. The advantage now is that you can identify who is causing it.

What OS are you running on that box? Are you on 5.4r2 yet?

Cheers,
Rajesh