dissolved
asked on
Netflow? (or any way to monitor bandwidth)
Ok, someone has been eating all of our bandwidth this week. I have a t1 to the internet, connected to a 2621, with a pix 515e behind it.
The 2621 reports net flow stats back into my network
I need to find a way to do the same at the Pix.
I am not having any luck tracking the internal users using all of our bandwidth, when I look at the router's netflow output. By the time it hits the router, it is already natted. I'd like to do some type of monitoring on the Pix. is this possible? I'm running 8.0(3)
The 2621 reports net flow stats back into my network
I need to find a way to do the same at the Pix.
I am not having any luck tracking the internal users using all of our bandwidth, when I look at the router's netflow output. By the time it hits the router, it is already natted. I'd like to do some type of monitoring on the Pix. is this possible? I'm running 8.0(3)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
did the sh xlate command. Which is the source port which is the the dest port?
67.133.189.200(18293) Local 172.16.1.84 (4084)
Does this mean 67.33.189200 is listening on port 18293 and sending to 4084 of 172.16.1.84?
67.133.189.200(18293) Local 172.16.1.84 (4084)
Does this mean 67.33.189200 is listening on port 18293 and sending to 4084 of 172.16.1.84?
sh xlate just shows translations, for outbound connections they don't show the destination port.
Above is likely such a connection.. 172.16.1.84 is an internal machine, making a connection to the outside from source port 4084.
That connection is then translated to the other port you see, and would likely be the source on your net flow.
If you wanted to see where it goes, "sh conn port 4084" should tell you.
And if you have an idea this is the "top-talker", perhaps from mapping the source port from the routers net flow, you could try:
"sh conn addr 172.16.1.84"
---
It will be hard to manually search syslogs, unless it's real spammy. But you generally would look for those lines including "Teardown". Like this:
%ASA-6-302014: Teardown TCP connection 102153 for outside:x.x.x.x/110 to inside:192.168.0.10/1561 duration 0:00:00 bytes 1909 TCP FINs
---
I don't know if the PIX supports threat-detection, but that would be another option to track it down. It's hard on memory though which may be particularly problematic on PIX.
Above is likely such a connection.. 172.16.1.84 is an internal machine, making a connection to the outside from source port 4084.
That connection is then translated to the other port you see, and would likely be the source on your net flow.
If you wanted to see where it goes, "sh conn port 4084" should tell you.
And if you have an idea this is the "top-talker", perhaps from mapping the source port from the routers net flow, you could try:
"sh conn addr 172.16.1.84"
---
It will be hard to manually search syslogs, unless it's real spammy. But you generally would look for those lines including "Teardown". Like this:
%ASA-6-302014: Teardown TCP connection 102153 for outside:x.x.x.x/110 to inside:192.168.0.10/1561 duration 0:00:00 bytes 1909 TCP FINs
---
I don't know if the PIX supports threat-detection, but that would be another option to track it down. It's hard on memory though which may be particularly problematic on PIX.
ASKER
so the ports shown are source ports, got it. I guess I will try this way, thanks
ASKER
ok, I see traffic in netflow. It shows the outside address of my firewall, talking to another public IP.
However, when I go in the firewall and do a sh xlate, i do not see these ports. Basically, I can see what traffic is using my bandwidth, along with the destination host (all via netflow)
when it comes down to finding the offending host on my site, I'm not having any luck. this is where I need help
However, when I go in the firewall and do a sh xlate, i do not see these ports. Basically, I can see what traffic is using my bandwidth, along with the destination host (all via netflow)
when it comes down to finding the offending host on my site, I'm not having any luck. this is where I need help
69.2.166.75:23187 destination ip: 67.133.189.200 dest port 3906
67.133.189.200 is the outside address of our firewall. 69.2.166.75 is some host on the internet one of my internal users is communicating with.
How do i find out the internal user
Well, first thing to try (if there is a connection right this moment it will work) is:
sh conn addr 69.2.166.75
---
If you have no luck with that, just search your daily logfile. I don't know if you syslog is on Window or Unix, but use either find or grep respectively.
For example:
find "69.2.166.75" Syslog-090410.txt
or
grep 69.2.166.75 Syslog-090410
sh conn addr 69.2.166.75
---
If you have no luck with that, just search your daily logfile. I don't know if you syslog is on Window or Unix, but use either find or grep respectively.
For example:
find "69.2.166.75" Syslog-090410.txt
or
grep 69.2.166.75 Syslog-090410
ASKER
thanks for the xlate command, forgot all about it