Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Monitoring bandwidth usage on a cisco router with netflow analyzer

Posted on 2010-09-10
6
Medium Priority
?
775 Views
Last Modified: 2012-05-10
I have a cisco router connected to a T1 with some users behind it. Every now and then someone is downloading something during an inconvenient time and using up all the bandwidth. I am trying to use netflow analyzer to determine which IP address is requesting the download.

However its giving me inconsistent data (see picture). This picture is the OUTBOUND traffic of our INTERNAL interface fa0/1. It clearly says in the lower right the outbound traffic is 1.44mbps, however when you look at the top 4 "endpoints" in the traffic column it says they have only downloaded 69.7KB, 63.6KB, 26.7KB, and 26.3KB respectively. This was after the monitor had been running for close to a minute. During that time the person downloading should have been able to get up to 60mb of data, clearly not reflected in the chart.

Furthermore when I test this with myself as the downloader and I KNOW I am the only person using up the 99% of the T1 pipe, it fails to register on this chart, even though it does say the corrrect traffic utilization in the lower right.

Can anyone help with this?

 netflow output
0
Comment
Question by:steiner470
6 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 33649074
If they (you) are downloading shouldn't check INBOUND traffic?
0
 

Author Comment

by:steiner470
ID: 33649229
As I explained, the chart is outbound traffic for the internal interface. Both interfaces fa0/0 (external) and fa0/1 (internal) have inbound and outbound data.

Since the download stream is flowing from the internet to the LAN, it should register as inbound traffic on fa0/0 and outbound traffic on fa0/1.
0
 
LVL 27

Expert Comment

by:davorin
ID: 33649551
Sorry, I was a little bit distracted. I'm not really familiar with netflow analyzer and yours like quite different from this online demo (http://demo.netflowanalyzer.com)
On this you have option to select from trafic/application/source/destination/... table view in and time windows (15 min, 30min, 1h,...) when you are on certain interface.
Do some other views offer some more logical data? Maybe you have set too small time window -e.g 1 second?
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 37

Accepted Solution

by:
ArneLovius earned 1000 total points
ID: 33650147
or run ntop on a linux box connected to a span port...

you might find it gives you quite a bit more information :-)
0
 
LVL 10

Assisted Solution

by:cstosgale
cstosgale earned 1000 total points
ID: 33654828
Netflow top talkers might be the easiest way of getting the answer to who is doing the large download:-

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/cfg_nflow_top_talk.html
0
 

Author Closing Comment

by:steiner470
ID: 33664516
Never did get netflow analyzer to show what I needed. But ntop and netflow top talkers are good alternatives.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question