• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1489

Decipher top talkers on Cisco router with NetFlow

I am trying to decipher the IP addresses here, as they are having a steady impact on my network and causing me to repeatedly go over my bandwidth threshold. Right now, for troubleshooting purposes, I ran 'sho ip flow top-talkers' (see attachment) with only one computer online, one switch, and one router (Cisco 877). Below is what I came up with:

So far this is what I've got:
IP 10.11.116.42 is a valid network device
IP 202.99.82.74 <only know that this address is from China>; destination is my public static IP address for the network.
IP 10.20.25.1 <this IP, I haven't the faintest clue>
IP 0.0.0.0 <don't understand why this is here>
IP 10.11.116.41 is a valid network device
IP 192.168.1.1 <this IP shouldn't be here at all; nothing on this computer nor network is configured with this>
IP 10.20.225.74 <this IP, I haven't the faintest clue>

* Frequently, I have other IPs coming from the 10.20.0.0 network that show up here.

Note: VL1 = Vlan 1 (local lan on the router)
Note: VL10 = Vlan10 (Static Wan interface)

I have used 3 different computers to test this (2 Linux OS (one bare bones) and 1 Windows), checking for malware, spyware, and bandwidth-hogging applications... All came out with the exact same results. Also, most of the interfaces I am questioning are going to Null (what does this mean exactly?)


RouteME#sh ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress      Pr SrcP DstP  Pkts
Vl1           10.11.116.42    Vl10          63.209.12.71      11 BD1F 142D   117
Vl10          202.99.82.74    Local         Static Wan Inter  06 A9F1 0016    10
Vl10          10.20.25.1      Null          255.255.255.255   11 0043 0044     8
Vl10          0.0.0.0         Null          255.255.255.255   11 0044 0043     6
Vl1           10.11.116.41    Local         10.11.116.45      06 A13C 0017     5
Vl10          192.168.1.1     Null          239.255.255.250   11 0D8F 076C     3
Vl10          192.168.1.1     Null          239.255.255.250   11 0D90 076C     2
Vl10          192.168.1.1     Null          239.255.255.250   11 0D91 076C     2
Vl10          10.20.225.74    Vl10          10.20.225.255     11 19F6 19F6     1
Vl10          192.168.1.1     Null          239.255.255.250   11 0D94 076C     1

Asked by: Ituser
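The table above is easier to reason about once the Pr, SrcP and DstP columns are read as hexadecimal (IOS prints them that way: 11 is protocol 17/UDP, 06 is TCP, 0016 is port 22, 076C is port 1900) and the rows are checked against what an upstream link should ever deliver. The script below is an added example, not code from the original thread or its poster: it parses the posted output (reproduced as a constructed sample, with the poster's "Static Wan Inter" placeholder kept), decodes protocol and ports, and flags flows on the WAN VLAN whose source is private or unspecified, whose destination is multicast or limited broadcast, or which carry BOOTP/DHCP, which is exactly the ingress filtering a border interface should apply. It assumes Vl10 is the WAN VLAN, as the question states; the interface name is a parameter.

```python
"""Decode and triage `show ip flow top-talkers` output from a Cisco IOS router.

Added example, not part of the original thread. Assumes the WAN VLAN is Vl10 (as
the poster states) and that Pr/SrcP/DstP in this IOS output are hexadecimal.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the table from the question, keeping the poster's
# "Static Wan Inter" placeholder for the router's public address.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress      Pr SrcP DstP  Pkts
Vl1           10.11.116.42    Vl10          63.209.12.71      11 BD1F 142D   117
Vl10          202.99.82.74    Local         Static Wan Inter  06 A9F1 0016    10
Vl10          10.20.25.1      Null          255.255.255.255   11 0043 0044     8
Vl10          0.0.0.0         Null          255.255.255.255   11 0044 0043     6
Vl1           10.11.116.41    Local         10.11.116.45      06 A13C 0017     5
Vl10          192.168.1.1     Null          239.255.255.250   11 0D8F 076C     3
Vl10          10.20.225.74    Vl10          10.20.225.255     11 19F6 19F6     1
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
PORTS = {22: "ssh", 23: "telnet", 67: "bootps", 68: "bootpc", 110: "pop3", 1900: "ssdp"}

# DstIPaddress can contain spaces (the placeholder above), so it is matched
# lazily and the row is anchored on the fixed-width hex fields after it.
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int      # IP protocol number, decoded from hex
    src_port: int   # decoded from hex
    dst_port: int   # decoded from hex
    pkts: int


def parse_top_talkers(text: str) -> List[Flow]:
    """Parse table rows; the header and 'N of M top talkers' trailer do not match ROW."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            si, sip, di, dip, pr, sp, dp, pk = m.groups()
            flows.append(Flow(si, sip, di, dip, int(pr, 16), int(sp, 16), int(dp, 16), int(pk)))
    return flows


def _addr(text: str):
    """IPv4Address for a dotted quad, None for placeholder text like 'Static Wan Inter'."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def triage_wan(flows: List[Flow], wan_if: str = "Vl10") -> List[Tuple[Flow, List[str]]]:
    """Flows entering on the WAN VLAN that an upstream should never deliver, with reasons.

    RFC 1918, unspecified, loopback and link-local sources, multicast or limited-broadcast
    destinations, and BOOTP/DHCP have no business arriving from an ISP link. Inbound
    tcp/22 or tcp/23 aimed at the router itself is noted separately.
    """
    out = []
    for f in flows:
        if f.src_if != wan_if:
            continue
        src, dst = _addr(f.src_ip), _addr(f.dst_ip)
        reasons = []
        if src is not None and (src.is_private or src.is_unspecified
                                or src.is_loopback or src.is_link_local):
            reasons.append("non-routable source arriving on WAN (leaked or spoofed)")
        if dst is not None and dst.is_multicast:
            reasons.append("multicast from WAN")
        if f.dst_ip == "255.255.255.255":
            reasons.append("limited broadcast from WAN")
        if f.proto == 17 and {f.src_port, f.dst_port} & {67, 68}:
            reasons.append("BOOTP/DHCP from WAN")
        if f.proto == 6 and f.dst_port in (22, 23):
            reasons.append("inbound ssh/telnet to the router from the Internet")
        if reasons:
            out.append((f, reasons))
    return out


def describe(f: Flow) -> str:
    """One-line rendering with decimal ports and service/protocol names where known."""
    def port(p: int) -> str:
        return f"{p}/{PORTS[p]}" if p in PORTS else str(p)
    proto = PROTO.get(f.proto, str(f.proto))
    return (f"{f.src_if:<5} {f.src_ip}:{port(f.src_port)} -> "
            f"{f.dst_if:<5} {f.dst_ip}:{port(f.dst_port)} {proto} pkts={f.pkts}")


if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE)
    for f in flows:
        print(describe(f))
    print("\nShould not be arriving on the WAN interface:")
    for f, reasons in triage_wan(flows):
        print(f"  {describe(f)}\n    " + "; ".join(reasons))
```

Run against the sample, the decoder shows the 202.99.82.74 row as TCP to port 22 on the router's public address (an SSH connection attempt from the Internet), the 0.0.0.0 and 10.20.25.1 rows as UDP 68/67 and 67/68 (a DHCP client discover and a server reply, both arriving from the WAN side), and the 192.168.1.1 rows as UDP to 239.255.255.250:1900 (SSDP multicast). Every Vl10 row except the SSH attempt carries a private or unspecified source, which is what an ingress ACL on the WAN interface denying RFC 1918, 0.0.0.0/8, multicast and udp/67-68 sources would drop.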
1 Solution
 
ItuserAuthor Commented:
I just shut down the WAN interface and ran 'sh ip flow top-talkers'. None of the questionable IPs showed.
See below:
RouteMe#sh ip flow top-talkers 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           10.11.116.42    Vl10          63.209.12.71    11 BD1F 142D    99 
Vl1           10.11.116.41    Null          69.64.155.197   06 9A65 006E     4 
Vl1           10.11.116.41    Local         10.11.116.45    06 A0B9 0017     4 
Vl1           10.11.116.41    Null          174.120.233.251 06 C901 006E     1 
4 of 10 top talkers shown. 4 flows processed.

 
giltjrCommented:
I am assuming your WAN interface allows you access to the Internet.  So any IP address that gets to you via the WAN interface will "go away."

Do you have VPN?  The 192.168.1.1 address could be somebody's home computer that is connected via a PPTP/L2TP/IPSec VPN.  Possibly even a client based SSL VPN connection.
 
ItuserAuthor Commented:
Thanks for responding. WAN => Internet. I beg to differ on that. The IPs that I have listed are steady top talkers (they actually bring friends from the same subnet). Also, if someone was accessing the network via VPN, then the top talkers would show the virtual interface for that connection and 192.168.1.1 would point in that direction. Nevertheless, I finally found out what was going on. Just got off the phone with the ISP, and apparently the rogue IP addresses are different customers bleeding into my network. Also, to my surprise, they had redundant gateways which reflected some of the routes also (5). (Really, how much talking is needed to establish a connection, really....) They are looking into this, probably faulty equipment. As far as the 192.168.1.1 network, I don't see how it ended up in my network. It has a destination of a multicast address. Maybe once they do the fix, it will fix all. Meanwhile, as a quick fix I have blocked all IP addresses from these networks inside and out. Bandwidth issue temporarily resolved.
However, I would still like an explanation of the 0.0.0.0 network.

Thanks Ituser
 
ItuserAuthor Commented:
FYI:

When I spoke with the ISP:

- I was consoled into the router
- The only Ethernet connection was the WAN connection from the ISP

   * Which showed the 1st code snippet minus the verified (valid) IP addresses.

- Then I let them explain the traffic.

Hope this helps someone who is experiencing high ISP bills (metered bandwidth) or, worse, slow bandwidth.

Ituser
 
giltjrCommented:
--> Just got off the phone with ISP, and apparently the rogue ip addresses are different customers and bleeding into my network.

What kind of connection do you have? I would be highly upset with my ISP if that happened to me, but with some types of ISP connections it can't be helped, like cable.

--> Also, if someone was accessing the network via VPN, then the top talkers would show the virtual-interface

Not necessarily; it depends on what type of VPN you have. If you have a site-to-site VPN using PPTP/L2TP/IPSec and the remote site is not set up to do NAT, you will see the remote site's native IP addresses. You may not be able to talk to any of the hosts because of the absence of route entries, but you would see their IP addresses. Especially if they are sending out multicast packets.

The 0.0.0.0 with a mask of 255.255.255.255 is the all-network broadcast IP address. This is used by various things, such as bootp/dhcp.
 
ItuserAuthor Commented:
What kind of connection do you have? I would be highly upset with my ISP if that happened to me, but with some types of ISP connections it can't be helped, like cable.

> I have a regular static public address (high-speed wireless), the paid version (1.4 up and 1.544 down); it's decent for what I do.

Not necessarily; it depends on what type of VPN you have. If you have a site-to-site VPN using PPTP/L2TP/IPSec and the remote site is not set up to do NAT, you will see the remote site's native IP addresses. You may not be able to talk to any of the hosts because of the absence of route entries, but you would see their IP addresses. Especially if they are sending out multicast packets.

> Actually my router is configured for PPTP/L2TP/IPSec, all of them... when they are accessed, a virtual template is used, hence bringing up a virtual interface. So I would see the interface come up with 'sh ip int brief' and then I look at VPN traffic sessions. So for me it's that way. I actually contained the multicast traffic and sent it to a null interface. Now I use the firewall to block the multicast from the external interface.

The 0.0.0.0 with a mask of 255.255.255.255 is the all-network broadcast IP address. This is used by various things, such as bootp/dhcp.

> Yeah, I understand that. But it shouldn't be a top talker (I am talking 200-300 packets a minute). Plus it is coming in on VLAN 10, which is the WAN interface. BOOTP is disabled and DHCP is used internally on VLAN 1.


Ituser
 
giltjrCommented:
According to your top talker output, 0.0.0.0 had 6 packets, not a whole lot.

You may only use bootp/dhcp internally, but since your ISP had other networks bleeding through to yours, who's to say they weren't using it. According to your display it was using port 67 (x'43'), which is bootp.
 
ItuserAuthor Commented:
The average was 200-300 packets per minute for those connections. That's why I started digging in the first place. Hopefully they will fix what is malfunctioning. BOOTP has always been disabled in the router configs, so they can try. (Almost sounds like a malicious attacker on my tail.) Thanks for your help. Hopefully, the ISP will do their part.

Ituser
 
ItuserAuthor Commented:
Thank you for your input.