Solved

Bandwidth Hogging

Posted on 2011-03-17
9
899 Views
Last Modified: 2012-05-11
Oh gurus of Networking Know How; must one pay thousands of dollars to find the IP from which bandwidth-hogging emanates?  Surely there must be a simple mechanism for doing this.  I am unschooled in such matters but my infinite wisdom and 12 years of IT experience dictate a solution must exist for which I will not go broke!

- I own Orion by Solar Winds - only the upgrade will do this! $$$$
- I have a small environment (58 users 25 other devices) with a few Cisco 2960's and have tried the CNA. So...I have busy ports.  Big whoop!  They are the server and the Internet ports.  Must I run ID every port and its connection to a PC before I can identify the IP?
- Spiceworks I have also installed only to find out that the software cannot see beyond the GPO configured and mandated firewall for all users.

Can you sense the frustration?

I am open and humbly accept ANY correction, edification or solution.

JDFuller
0
Comment
Question by:jdfuller
9 Comments
 
LVL 2

Accepted Solution

by:
rrococi2 earned 167 total points
ID: 35160813
I use  colasoft in my line of work.  I do cybercrime investigations, it works very well.
0
 
LVL 4

Assisted Solution

by:cavp76
cavp76 earned 167 total points
ID: 35160860
PC with Linux and 2 NICs configured as a bridge (between switch and Orion appliance), Wireshark listening on the bridge, there you'll find the hog and hang it from the b*lls
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 166 total points
ID: 35160919
I just login to my Sonicwall firewall.  Shows top bandwidth consumers, top website hits, top services.  That's all statistical counters.

For real-time numbers I go to the Firewall page, Connections Monitor, then sort by Rx bytes.  Shows the sender & receiver IP addresses and the bytes transferred.

Do you have something similar on your internet routers or core router?
0
 

Author Comment

by:jdfuller
ID: 35161062
aleghart :::  I have TZ-170.  I did as you say this morning.  I exported the entire log into CSV and culled for consistent IP traffic but nothing unusual.  I haven't tried the Rx Bytes thing but will shortly.  I just took a look at what it's showing and nothing

cavp76 :::  Love your solution.  Haven't the hardware presently.  Wireshark, I've heard of so will investigate.

rrococi2 ::: Never heard of colasoft.  Investigating.

Appreciate the feedback from all...I assume, other than available hardware, all these are free?  I will check it out.

JDFuller
0
 
LVL 2

Expert Comment

by:rrococi2
ID: 35161076
COLASOFT Is a free trial....But it picks up broadcasts internally that the router may not.
0
 

Author Comment

by:jdfuller
ID: 35161108
aleghart :::  (incomplete response - sorry)  ...nothing unusual except the Barracuda backup is the biggest by far but it only operates in the evenings and only a few days a week.

All :::  We have a 6x1 DSL (6MB Dn and 1MB Up link).  It is real.  I have sampled it with no one connected a few times and get 5.8 x .8 regularly.  During the day it's between 1.5 or less Dn and .2 to .6 Up.  Understand there is traffic from users.  With no anomalies, perhaps I can consider the fact that we don't have enough bandwidth?

0
 
LVL 4

Expert Comment

by:cavp76
ID: 35161124
The only free to get is the one I gave you (apart from HW and your time); here is how to configure a bridge in Linux (I use CentOS), and WireShark is quite easy to use... perhaps a friend of yours could help you setting up this machine.

HTH
0
 
LVL 32

Expert Comment

by:aleghart
ID: 35161413
The Active Connections Monitor will only show...well, active connections.  So if the behavior has stopped, or if the bandwidth consumption is in aggregate, not to one specific IP address, it may not show here.

For instance, a user downloading torrents will be hitting many dozens (or hundreds) of different IP addresses over the course of a day, and for only a few minutes to each address.  So, current bandwidth to any one address is low..but they all add up.

Use the  Logs >  Reports  page.  Select the report  "Bandwidth use by IP address".

Here you can see me as the top in Active Connections, then second by IP address to our mail server.

[Screenshots: Active Connections; Log > Reports > IP Address]

Another issue may be that your available bandwidth is decreased during working hours.  Simple to test.  Take a maintenance window of 10 minutes in the middle of the day when "the internet is slow".   Plug a laptop or other computer directly in to the TZ-170 and run the same tests.  Test bandwidth while users are connected.  Then disconnect the link between the TZ-170 and the LAN.  Test again.

Third possible issue besides users, and DSL connection, is wireless signal.  All traffic on a wireless access point is in the same collision domain.  So the bandwidth is shared among all connected users.  File sharing activity or flooding with other traffic will result in decreased performance to everyone on that link.
0
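
The point above about many short connections adding up can be checked offline against an exported connection log. This is an added example, not part of the original thread or any vendor's tooling; the CSV column names and all records are constructed for illustration and do not reflect a real SonicWall export format.

```python
import csv
import io
from collections import defaultdict

def build_sample_csv():
    """Constructed records; column names are assumed, not a real export format."""
    lines = ["src_ip,dst_ip,rx_bytes,tx_bytes",
             "192.168.1.20,203.0.113.10,9000000,400000",   # one large transfer
             "192.168.1.31,198.51.100.1,1500000,200000"]   # ordinary browsing
    # One host with 12 short-lived peers, 2.5 MB each: small individually.
    lines += [f"192.168.1.45,198.51.100.{100 + i},2000000,500000" for i in range(12)]
    return "\n".join(lines) + "\n"

def parse(csv_text):
    """Yield (src, dst, total_bytes) per connection record."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["src_ip"], row["dst_ip"], int(row["rx_bytes"]) + int(row["tx_bytes"])

def largest_connection(csv_text):
    """What a per-connection view sorted by bytes puts at the top."""
    return max(parse(csv_text), key=lambda rec: rec[2])

def rank_sources(csv_text):
    """Aggregate per internal source: (src, total_bytes, distinct_peers), busiest first."""
    totals = defaultdict(int)
    peers = defaultdict(set)
    for src, dst, nbytes in parse(csv_text):
        totals[src] += nbytes
        peers[src].add(dst)
    ranked = [(src, totals[src], len(peers[src])) for src in totals]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    sample = build_sample_csv()
    print("largest single connection:", largest_connection(sample))
    for src, nbytes, npeers in rank_sources(sample):
        print(f"{src:15} {nbytes:>12,} bytes  {npeers} peers")
```

A high distinct-peer count next to a high byte total is the pattern described above: no single connection stands out, but the source host does once its traffic is summed.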
 

Author Closing Comment

by:jdfuller
ID: 35161506
All excellent and I can't make you all wait for points while I try them out, so, Thanks for the great feedback and quick response.  I have a great "To Do" list to work from!

JDFuller
0


Question has a verified solution.
