Solved

Bandwidth Hogging

Posted on 2011-03-17
9
886 Views
Last Modified: 2012-05-11
Oh gurus of Networking Know How; must one pay thousands of dollars to find the IP from which bandwidth-hogging emanates?  Surely there must be a simple mechanism for doing this.  I am unschooled in such matters but my infinite wisdom and 12 years of IT experience dictates a solution must exist for which I will not go broke!  

- I own Orion by Solar Winds - only the upgrade will do this! $$$$
- I have a small environemnt (58 users 25 other devices) with a few Cisco 2960's and have tried the CNA. So...I have busy ports.  Big whoop!.  They are the server and the Internet ports.  Must I run ID every port and its connection to a PC before I can identify the IP?
- Spiceworks I have also installed only to find out that the software cannot see beyond the GPO configured and mandated firewall for all users.

Can you sense the frustration?

I am open and humbly except ANY correction, edification or solution.

JDFuller
0
Comment
Question by:jdfuller
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 2

Accepted Solution

by:
rrococi2 earned 167 total points
ID: 35160813
I use  colasoft in my line of work.  I do cybercrime investigations, it works very well.
0
 
LVL 4

Assisted Solution

by:cavp76
cavp76 earned 167 total points
ID: 35160860
PC with Linux and 2 NICs configured as a bridge (between switch and Orion appliance), Wireshark listening on the bridge, there you'll find the hog and hang it from the b*lls
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 166 total points
ID: 35160919
I just login to my Sonicwall firewall.  Shows top bandwidth consumers, top website hits, top services.  That's all statistical counters.

For real-time numbers I go to the Firewall page, Connections Monitor, then sort by Rx bytes.  Shows the sender & receiver IP addresses and the bytes transferred.

Do you have something similar on your internet routers or core router?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:jdfuller
ID: 35161062
aleghart :::  I have TZ-170.  I did as you say this morning.  I exported the entire log into CSV and culled for consistent IP traffic but nothing unusual.  I haven't tried the Rx Bytes thing but will shortly.  I just took a look at what its showing and nothing

cavp76 :::  Love your solution.  Haven't the hardware presently.  Wireshark, I've heard of so will investigate.

rrococi2 ::: Never heard of colasoft.  Investigating.

Appreciate the feedback from all...I assume, other than available hardware, all these are free?  I will check it out.

JDFuller
0
 
LVL 2

Expert Comment

by:rrococi2
ID: 35161076
COLASOFT Is a free trial....But it picks up broadcasts internally that the router may not.
0
 

Author Comment

by:jdfuller
ID: 35161108
aleghart :::  (incomplete response - sorry)  ...nothing unusual except the Barracuda back up is the biggest by far but it only operates in the evenings and only a few days aweek.

All :::  We have a 6x1 DSL (6MB Dn and 1MB Up link).  It is real.  I have sampled it with no one connected a few times and get 5.8 x .8 regularly.  During the day its between 1.5 or less Dn and .2 to .6 Up.  Understand there is traffic from users.  With no anomolies, perhaps I can consider the fact that we don't have enough bandwidth?

0
 
LVL 4

Expert Comment

by:cavp76
ID: 35161124
The only free to get is the one I gave you (apart from HW and your time); here is how to configure a bridge in Linux (I use CentOS, and WireShark is quite easy to use... perhaps a friend of yours could help you setting up this machine.

HTH
0
 
LVL 32

Expert Comment

by:aleghart
ID: 35161413
The Active Connections Monitor will only show...well, active connections.  So if the behavior has stopped, or if the bandwidth consumption is in aggregate, not to one specific IP address, it may not show here.

For instance, a user downloading torrents will be hitting many dozens (or hundreds) of different IP addresses over the course of a day, and for only a few minutes to each address.  So, current bandwidth to any one address is low..but they all add up.

Use the  Logs >  Reports  page.  Select the report  "Bandwidth use by IP address".

Here you can see me as the top in Active Connections, then second by IP address to our mail server.

Active Connections
 Log > Reports > IP Address

Another issue may be that your available bandwidth is decreased during working hours.  Simple to test.  Take a maintenance window of 10 minutes in the middle of the day when "the internet is slow".   Plug a laptop or other computer directly in to the TZ-170 and run the same tests.  Test bandwidth while users are connected.  Then disconnect the link between the TZ-170 and the LAN.  Test again.

Third possible issue besides users, and DSL connection, is wireless signal.  All traffic on a wireless access point is in the same collision domain.  So the bandwidth is shared among all connected users.  File sharing activity or flooding with other traffic will result in decreased performance to everyone on that link.
0
 

Author Closing Comment

by:jdfuller
ID: 35161506
All excellent and I can't make you all wait for points while I try them out, so, Thanks for the great feeddback and quick response.  I have a great "To Do" list to work from!

JDFuller
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
USB Error 20 189
How VPC help preventing STP Loops 4 132
CISCO Smartnet agreement 5 54
Windows Server to Cisco switch connectivity 10 74
This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t pr…
This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question