Netflow? (or any way to monitor bandwidth)

Posted on 2009-04-09
Last Modified: 2012-05-06
Ok, someone has been eating all of our bandwidth this week.  I have a t1 to the internet, connected to a 2621, with a pix 515e behind it.  

The 2621 reports net flow stats back into my network
I need to find a way to do the same at the Pix.  

I am not having any luck tracking the internal users using all of our bandwidth, when I look at the router's netflow output. By the time it hits the router, it is already natted.  I'd like to do some type of monitoring on the Pix. is this possible? I'm running 8.0(3)
Question by:dissolved
  • 4
  • 3
LVL 15

Accepted Solution

Voltz-dk earned 500 total points
ID: 24112174
The PIX doesn't have net flow, but doesn't the net flow information you get from the router include ports?

If you have the live source port, it's trivial to find the mapping..

sh xlate gport <port#>
If that doesn't help.. what info DO you have from the router's netflow?  Like how common is the destination port(s) in use?

If you have syslogs at level info+, the PIX will record how many bytes was spent when it closes a connection.  Feeding that through some parsing tool can nail it as well.

Author Comment

ID: 24113107
yea we're syslogging all of our devices at informational. What do I look for ?
thanks for the xlate command, forgot all about it

Author Comment

ID: 24113153
did the sh xlate command. Which is the source port which is the the dest port?   Local (4084)

Does this mean 67.33.189200 is listening on port 18293 and sending to 4084 of
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

LVL 15

Expert Comment

ID: 24114392
sh xlate just shows translations, for outbound connections they don't show the destination port.
Above is likely such a connection.. is an internal machine, making a connection to the outside from source port 4084.
That connection is then translated to the other port you see, and would likely be the source on your net flow.

If you wanted to see where it goes, "sh conn port 4084" should tell you.

And if you have an idea this is the "top-talker", perhaps from mapping the source port from the routers net flow, you could try:
"sh conn addr"
It will be hard to manually search syslogs, unless it's real spammy.  But you generally would look for those lines including "Teardown". Like this:

%ASA-6-302014: Teardown TCP connection 102153 for outside:x.x.x.x/110 to inside: duration 0:00:00 bytes 1909 TCP FINs
I don't know if the PIX supports threat-detection, but that would be another option to track it down.  It's hard on memory though which may be particularly problematic on PIX.

Author Comment

ID: 24114679
so the ports shown are source ports, got it.   I guess I will try this way, thanks

Author Comment

ID: 24115331
ok, I see traffic in netflow. It shows the outside address of my firewall, talking to another public IP.

However, when I go in the firewall and do a sh xlate, i do not see these ports. Basically, I can see what traffic is using my bandwidth, along with the destination host (all via netflow)

when it comes down to finding the offending host on my site, I'm not having any luck. this is where I need help    destination ip:    dest port 3906 is the outside address of our firewall. is some host on the internet one of my internal users is communicating with.
How do i find out the internal user

Open in new window

LVL 15

Expert Comment

ID: 24115434
Well, first thing to try (if there is a connection right this moment it will work) is:

sh conn addr
If you have no luck with that, just search your daily logfile.  I don't know if you syslog is on Window or Unix, but use either find or grep respectively.
For example:
find "" Syslog-090410.txt
grep Syslog-090410

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5506W VPN Clients not seeing local network 12 68
Cisco Prime 2.2 7 61
VTP servers with 3650 switches 5 43
ASA 5505 packet drops 14 55
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question