
Identify cause of bandwidth by server

This regards a Windows 2003 server running AD DNS, and sitting behind a SonicWALL Pro 2040. The 2040 is running the Enhanced OS. There is no viewpoint software available.

A simple bandwidth report from the SonicWALL last week shows that this DNS server has the highest bandwidth usage of any system behind the firewall. This has us concerned, as there are no services on the server published to the outside world.

There are, however, two remote branches on SonicWALL SA's. Could the bandwidth report be counting those packets going across the SonicWALL to SonicWALL VPNs?

I am looking for an easy-to-implement method of identifying the traffic passing through the SonicWall and why the traffic is high.

Top Expert 2010

Commented:
That's going to be hard to tell without knowing where the data is going and what the data is.  This is a DNS server so does this server provide external DNS resolution for internal clients?  Do you have a mail server that uses DNS for blocklists?  They'll use this server to resolve external DNS.  If you don't have this server configured as a public server on the sonicwall, then it's most likely DNS.

You could perform a packet capture to see what type of traffic is being generated by this server.  Click System > Packet Capture.  Click Configure > Capture Filter.  Set the Source IP as your DNS server.  Click OK > Start.  Then click Refresh once in a while to see what traffic is being generated.

Author

Commented:
digitap:

I'm not familiar enough with the packet capture. Please suggest settings.
DNS server is at 172.30.1.4.  I want to be able to identify what kind of packets, and where they are going.

Thanks!
Top Expert 2010

Commented:
Once you are in the Packet Capture area, click Configure.  Click the tab that's in the image and type the IP address as shown in the image attached.  Click OK, then click Start.

Please review the document I have attached regarding the Packet Capture.  The OS version looks different in the doc, but the principles are the same.

Also, you can see how many connections are being established through your Sonicwall by clicking Firewall > Connections.  You will see a total number of connections.  You can sort by Source and see which host has the most connections to the Internet.  If you have one host that has several hundred, then it's probably got a virus of some type.
greenshot-2010-06-15-13-11-19.jpg
Packet-Capture-5.0e-Feature-Modu.pdf

Author

Commented:
Following your screenshot, I get a Status "Error: Invalid Port Number Specified"
Top Expert 2010
Commented:
Sigh...that IP address needs to be one line up.  Please enter the IP into Source IP Address....sorry.
Top Expert 2010

Commented:
Glad I could help and thanks for the points!
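
Added example, not part of the original thread: once the capture filtered on Source IP 172.30.1.4 has run, a short script like this can total the server's traffic by destination scope and port, which answers both open questions (is it branch VPN traffic or Internet traffic, and is it DNS). The CSV column layout, the sample rows, and the assumptions that the branches use RFC 1918 addresses and that only port 53 is expected toward the Internet are all constructed for illustration; they are not a SonicWALL export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

DNS_SERVER = "172.30.1.4"  # server address given in the thread
# Assumption: branch sites reached over the VPN use RFC 1918 addressing.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_INTERNET_PORTS = {53}  # assumption: only DNS should leave this host

# Constructed sample rows (hypothetical column names, documentation addresses).
SAMPLE = """src,dst,proto,dport,bytes
172.30.1.4,198.51.100.53,udp,53,420
172.30.1.4,198.51.100.53,udp,53,380
172.30.1.4,10.20.0.10,tcp,389,9000
172.30.1.4,203.0.113.25,tcp,25,150000
172.30.1.9,198.51.100.53,udp,53,100
172.30.1.4,10.20.0.10,tcp,445,52000
"""

def summarize(text, server=DNS_SERVER):
    """Bytes sent by `server`, keyed by (scope, proto, dport)."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        if row["src"] != server:
            continue  # ignore other hosts that slipped into the export
        dst = ipaddress.ip_address(row["dst"])
        scope = "rfc1918" if any(dst in n for n in RFC1918) else "internet"
        totals[(scope, row["proto"], int(row["dport"]))] += int(row["bytes"])
    return dict(totals)

def ranked(totals):
    """Flows sorted by byte count, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def unexpected_internet(totals):
    """Internet-bound flows on ports other than the expected ones."""
    return sorted(k for k in totals
                  if k[0] == "internet" and k[2] not in EXPECTED_INTERNET_PORTS)

if __name__ == "__main__":
    totals = summarize(SAMPLE)
    for (scope, proto, dport), nbytes in ranked(totals):
        print(f"{scope:9} {proto}/{dport:<5} {nbytes:>8} bytes")
    print("review:", unexpected_internet(totals))
```
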