• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 779
  • Last Modified:

Monitoring bandwidth usage on a cisco router with netflow analyzer

I have a cisco router connected to a T1 with some users behind it. Every now and then someone is downloading something during an inconvenient time and using up all the bandwidth. I am trying to use netflow analyzer to determine which IP address is requesting the download.

However its giving me inconsistent data (see picture). This picture is the OUTBOUND traffic of our INTERNAL interface fa0/1. It clearly says in the lower right the outbound traffic is 1.44mbps, however when you look at the top 4 "endpoints" in the traffic column it says they have only downloaded 69.7KB, 63.6KB, 26.7KB, and 26.3KB respectively. This was after the monitor had been running for close to a minute. During that time the person downloading should have been able to get up to 60mb of data, clearly not reflected in the chart.

Furthermore when I test this with myself as the downloader and I KNOW I am the only person using up the 99% of the T1 pipe, it fails to register on this chart, even though it does say the corrrect traffic utilization in the lower right.

Can anyone help with this?

 netflow output
0
steiner470
Asked:
steiner470
2 Solutions
 
davorinCommented:
If they (you) are downloading shouldn't check INBOUND traffic?
0
 
steiner470Author Commented:
As I explained, the chart is outbound traffic for the internal interface. Both interfaces fa0/0 (external) and fa0/1 (internal) have inbound and outbound data.

Since the download stream is flowing from the internet to the LAN, it should register as inbound traffic on fa0/0 and outbound traffic on fa0/1.
0
 
davorinCommented:
Sorry, I was a little bit distracted. I'm not really familiar with netflow analyzer and yours like quite different from this online demo (http://demo.netflowanalyzer.com)
On this you have option to select from trafic/application/source/destination/... table view in and time windows (15 min, 30min, 1h,...) when you are on certain interface.
Do some other views offer some more logical data? Maybe you have set too small time window -e.g 1 second?
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
ArneLoviusCommented:
or run ntop on a linux box connected to a span port...

you might find it gives you quite a bit more information :-)
0
 
cstosgaleCommented:
Netflow top talkers might be the easiest way of getting the answer to who is doing the large download:-

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/cfg_nflow_top_talk.html
0
 
steiner470Author Commented:
Never did get netflow analyzer to show what I needed. But ntop and netflow top talkers are good alternatives.
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now