Let me explain my network a little bit before coming to the problem.
I have a Windows network with only one Linux machine running Red Hat Enterprise 5 and Squid 3.0 serving as a proxy server and gateway to the Internet. I have a fiber optic link terminated at a Cisco 1841. The router has a real IP and is connected to the Linux box through a crossover cable. There is a second NIC on the Linux box which has a local IP and is facing my local network. I am running PRTG on a Windows machine to monitor bandwidth coming from the ISP by listening to the router’s real IP. I am also running bandwidthD on the Linux box to monitor bandwidth usage.
In this scenario, none of my local computers can bypass the Linux box to access the Internet directly. Everyone has to go through Linux. BandwidthD is recording every single computer’s access and puts it on its charts.
I have my own mail server running MDaemon on a local IP. The NAT is done through iptables on Linux.
Now the problem:
Many times our Internet becomes deadly slow. When we check PRTG, it shows that we are utilizing 100% of our available bandwidth, while bandwidthD doesn’t show any computer consuming that bandwidth. It’s a real mystery for me because I – technically – think that none of the computers can bypass the proxy server (or Linux, to be more precise). Then where in the world is that bandwidth going?
Another issue is that sometimes bandwidthD shows that either the mail server or the proxy itself sends gigs of data out. I am wondering, is this a normal behaviour?
I am really feeling helpless at the moment because I’m not familiar with packet sniffing etc., and one of my friends says that it’s the only option to find out what’s going on. Please advise.
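One way to narrow this down before reaching for a packet sniffer, as an added example that is not part of the original post: compare the byte counters of the router-facing NIC with those of the LAN-facing NIC over the same interval. Traffic that leaves the WAN interface but never arrived on the LAN interface was originated by the gateway itself (Squid, or anything else running on that box), which is exactly the traffic a per-client tool on the LAN side cannot attribute to any workstation. The script assumes `eth0` is the WAN NIC and `eth1` the LAN NIC; the two `/proc/net/dev` snapshots embedded below are constructed sample data, not counters from the poster's machine.

```python
"""
Attribute WAN-side throughput to "forwarded from the LAN" versus
"originated by the gateway itself" using two /proc/net/dev snapshots.

Assumptions (not from the original post): eth0 faces the router,
eth1 faces the LAN, and the counters below are constructed samples.
"""
import re

# Constructed snapshots in /proc/net/dev format, taken INTERVAL_SECONDS apart.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     900    0    0    0     0          0         0    123456     900    0    0    0     0       0          0
  eth0: 50000000   40000    0    0    0     0          0         0  20000000   30000    0    0    0     0       0          0
  eth1: 18000000   28000    0    0    0     0          0         0  47000000   38000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     900    0    0    0     0          0         0    123456     900    0    0    0     0       0          0
  eth0: 60000000   48000    0    0    0     0          0         0 120000000   95000    0    0    0     0       0          0
  eth1: 23000000   32000    0    0    0     0          0         0  56000000   45000    0    0    0     0       0          0
"""
INTERVAL_SECONDS = 10  # constructed: seconds between the two snapshots

LINE_RE = re.compile(r"^\s*(\S+):\s*(.*)$")


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:  # first two lines are headers
        match = LINE_RE.match(line)
        if not match:
            continue
        iface, fields = match.group(1), match.group(2).split()
        # Field 0 is receive bytes; the transmit block starts at field 8.
        counters[iface] = (int(fields[0]), int(fields[8]))
    return counters


def byte_rates(before, after, interval):
    """Per-interface (rx_bytes_per_sec, tx_bytes_per_sec) between two snapshots."""
    rates = {}
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue
        rx0, tx0 = before[iface]
        # Counters only grow unless the interface was reset; treat a
        # decrease as a reset and count from zero rather than go negative.
        drx = rx1 - rx0 if rx1 >= rx0 else rx1
        dtx = tx1 - tx0 if tx1 >= tx0 else tx1
        rates[iface] = (drx / interval, dtx / interval)
    return rates


def attribute_wan_traffic(rates, wan="eth0", lan="eth1"):
    """Split WAN throughput into what the LAN handed to the gateway and what
    the gateway produced on its own (proxy fetches, local daemons, ...)."""
    wan_rx, wan_tx = rates[wan]
    lan_rx, lan_tx = rates[lan]
    return {
        "wan_upload": wan_tx,
        "wan_download": wan_rx,
        # Bytes sent upstream beyond what LAN hosts sent to the gateway.
        "upload_not_from_lan": max(wan_tx - lan_rx, 0.0),
        # Bytes fetched from upstream beyond what was delivered to LAN hosts.
        "download_not_to_lan": max(wan_rx - lan_tx, 0.0),
    }


def main():
    rates = byte_rates(parse_proc_net_dev(SNAPSHOT_T0),
                       parse_proc_net_dev(SNAPSHOT_T1), INTERVAL_SECONDS)
    for iface, (rx, tx) in sorted(rates.items()):
        print(f"{iface:>5}: rx {rx / 1e6:8.2f} MB/s  tx {tx / 1e6:8.2f} MB/s")
    split = attribute_wan_traffic(rates)
    print(f"upload not explained by LAN traffic:   {split['upload_not_from_lan'] / 1e6:.2f} MB/s")
    print(f"download not explained by LAN traffic: {split['download_not_to_lan'] / 1e6:.2f} MB/s")


if __name__ == "__main__":
    main()
```

On the real box, replace the two constants with `open("/proc/net/dev").read()` taken ten seconds apart. With the constructed numbers the WAN side is uploading 10 MB/s while the LAN side only delivered 0.5 MB/s to the gateway, so about 9.5 MB/s is coming from the Linux box itself and will never appear under any client in bandwidthD. A consistently large gap in the upload direction is the case to investigate on the gateway (what Squid and any other local process are sending, checked with `iptables -vnL` rule counters or `netstat -tnp`); a gap in the download direction is often just Squid filling its cache ahead of clients. This is not a replacement for a capture, but it tells you on which interface and in which direction to capture.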