Bandwidth Hogging

Oh gurus of Networking Know How; must one pay thousands of dollars to find the IP from which bandwidth-hogging emanates?  Surely there must be a simple mechanism for doing this.  I am unschooled in such matters but my infinite wisdom and 12 years of IT experience dictates a solution must exist for which I will not go broke!  

- I own Orion by SolarWinds - only the upgrade will do this! $$$$
- I have a small environment (58 users, 25 other devices) with a few Cisco 2960's and have tried the CNA. So...I have busy ports.  Big whoop!  They are the server and the Internet ports.  Must I run ID every port and its connection to a PC before I can identify the IP?
- Spiceworks I have also installed only to find out that the software cannot see beyond the GPO configured and mandated firewall for all users.

Can you sense the frustration?

I am open and humbly accept ANY correction, edification or solution.

rrococi2 Commented:
I use Colasoft in my line of work.  I do cybercrime investigations; it works very well.
cavp76 Commented:
PC with Linux and 2 NICs configured as a bridge (between switch and Orion appliance), Wireshark listening on the bridge, there you'll find the hog and hang it from the b*lls
aleghart Commented:
I just log in to my Sonicwall firewall.  Shows top bandwidth consumers, top website hits, top services.  That's all statistical counters.

For real-time numbers I go to the Firewall page, Connections Monitor, then sort by Rx bytes.  Shows the sender & receiver IP addresses and the bytes transferred.

Do you have something similar on your internet routers or core router?
jdfuller (Author) Commented:
aleghart :::  I have TZ-170.  I did as you say this morning.  I exported the entire log into CSV and culled for consistent IP traffic but nothing unusual.  I haven't tried the Rx Bytes thing but will shortly.  I just took a look at what it's showing and nothing

cavp76 :::  Love your solution.  Haven't the hardware presently.  Wireshark, I've heard of so will investigate.

rrococi2 ::: Never heard of colasoft.  Investigating.

Appreciate the feedback from all...I assume, other than available hardware, all these are free?  I will check it out.

Colasoft is a free trial... but it picks up broadcasts internally that the router may not.
jdfuller (Author) Commented:
aleghart :::  (incomplete response - sorry)  ...nothing unusual except the Barracuda backup is the biggest by far but it only operates in the evenings and only a few days a week.

All :::  We have a 6x1 DSL (6MB Dn and 1MB Up link).  It is real.  I have sampled it with no one connected a few times and get 5.8 x .8 regularly.  During the day it's between 1.5 or less Dn and .2 to .6 Up.  Understand there is traffic from users.  With no anomalies, perhaps I can consider the fact that we don't have enough bandwidth?

The only free one to get is the one I gave you (apart from HW and your time); here is how to configure a bridge in Linux (I use CentOS), and Wireshark is quite easy to use... perhaps a friend of yours could help you set up this machine.

The Active Connections Monitor will only show...well, active connections.  So if the behavior has stopped, or if the bandwidth consumption is in aggregate, not to one specific IP address, it may not show here.

For instance, a user downloading torrents will be hitting many dozens (or hundreds) of different IP addresses over the course of a day, and for only a few minutes to each address.  So, current bandwidth to any one address is low...but they all add up.

Use the Logs > Reports page.  Select the report "Bandwidth use by IP address".

Here you can see me as the top in Active Connections, then second by IP address to our mail server.

[Screenshots: Active Connections; Log > Reports > IP Address]

Another issue may be that your available bandwidth is decreased during working hours.  Simple to test.  Take a maintenance window of 10 minutes in the middle of the day when "the internet is slow".   Plug a laptop or other computer directly in to the TZ-170 and run the same tests.  Test bandwidth while users are connected.  Then disconnect the link between the TZ-170 and the LAN.  Test again.

Third possible issue besides users, and DSL connection, is wireless signal.  All traffic on a wireless access point is in the same collision domain.  So the bandwidth is shared among all connected users.  File sharing activity or flooding with other traffic will result in decreased performance to everyone on that link.
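
An added example, not part of any poster's reply and not SonicWall code: it shows why sorting connections by bytes can miss a host whose traffic is spread over many peers, by totalling an exported connection log per LAN address. The column names, the sample rows and the 192.168.1.0/24 LAN range are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows. The column names are assumed, not the TZ-170 export format.
SAMPLE_CSV = """\
src_ip,dst_ip,bytes
192.168.1.10,203.0.113.5,9000000
192.168.1.22,198.51.100.1,2500000
192.168.1.22,198.51.100.2,2500000
192.168.1.22,198.51.100.3,2500000
192.168.1.22,198.51.100.4,2500000
198.51.100.5,192.168.1.22,2500000
192.168.1.22,198.51.100.6,2500000
192.168.1.31,203.0.113.80,1200000
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def summarize(csv_text, lan=LAN):
    """Return (per-host totals, largest first; the largest single connection)."""
    totals = defaultdict(lambda: {"bytes": 0, "peers": set()})
    largest = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        nbytes = int(row["bytes"])
        # Attribute the connection to whichever endpoint sits inside the LAN.
        if src in lan:
            host, peer = str(src), str(dst)
        elif dst in lan:
            host, peer = str(dst), str(src)
        else:
            continue  # neither side is ours; ignore
        totals[host]["bytes"] += nbytes
        totals[host]["peers"].add(peer)
        if largest is None or nbytes > largest[2]:
            largest = (host, peer, nbytes)
    ranked = sorted(((h, t["bytes"], len(t["peers"])) for h, t in totals.items()),
                    key=lambda r: r[1], reverse=True)
    return ranked, largest


if __name__ == "__main__":
    ranked, largest = summarize(SAMPLE_CSV)
    print("largest single connection:", largest)
    for host, total, peers in ranked:
        print(f"{host:15} {total:>10} bytes across {peers} peers")
```

In the sample, the largest single connection belongs to 192.168.1.10, while 192.168.1.22 tops the per-host total through six smaller connections to different peers.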
jdfuller (Author) Commented:
All excellent and I can't make you all wait for points while I try them out, so, Thanks for the great feedback and quick response.  I have a great "To Do" list to work from!
