Solved

how to find the top talker on a subnet

Posted on 2011-09-06
6
437 Views
Last Modified: 2012-05-12
this morning something on our core site network is sending out a large amount of traffic causing congestion. Multiple remote offices are complaining of poor response. We can see it on the mpls providers online tool that all available bandwidth outgoing to the remote sites has been maxed for a couple hours. A possible suspect, a windows update server was turned off but the problem persists. Whats the best way to find out what is generating all this traffic and why?
Just some background: we have multiple remote sites on an mpls with nothing filtered. There is a separate internet circuit that goes out from our core site that is not seeing any saturation. All the high utilization is going from the core site to the remote offices. Incoming traffic is low and normal. The internet circuit traffic is also low and normal. Not sure if I have provided enough info but Im trying to get another perspective on figuring out who is the top talker and why.
0
Comment
Question by:WAMSINC
6 Comments
 
LVL 24

Expert Comment

by:Ken Boone
Comment Utility
You need to use net flow or something that will produce net flow "like" data to figure this out.  So if you own the routers - and the router supports net flow, you can download the free version of scrutinizer.  Configure the router to send net flow to scrutinizer and within minutes you will know who the top talker is.

If you do not own the main mpls router you can download ntop from ntop.org.  Load up this tool and plug it into the same switch that the core mpls router is on.  Then mirror the port the router is connected to to the port that the ntop machine is plugged into.  Again, you will see the top talker in a matter of minutes.
0
 

Author Comment

by:WAMSINC
Comment Utility
unfortunately we do not have access to the routers. My workstation is plugged in to the same core switch, a cisco 6509. Looks like it was a kaspersky AV update server. This was causing congestion for almost 4 hours. I would like to still try this tool and be prepared for next time this happens. How can I mirror the mpls port on the core switch? or would that be another question/issue ?
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
Comment Utility
monitor session 1 source interface gig1/0/1
monitor session 1 destination interface gig1/0/2

Thats off the top of my head so the syntax might not be exact.  Just type in monitor session 1 ? and it will show you the options.

source interface is the device port we want to monitor.
destination interface is where we want the traffic mirrored to  - ntop device.

Hope that helps.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Use the Real Time Netflow Analyzer from solar winds/free tools:

http://www.solarwinds.com/products/solarwinds_free_tools/
0
 
LVL 24

Expert Comment

by:Ken Boone
Comment Utility
He needs to be able to access the router to actually use net flow.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
Comment Utility
You could mirror the port the router is on to a PC wrunning a Wireshark capture and then do a filter down to the subnet you want to look at.

Look in statistics/conversations and sort by the bps columns to see who is the heaviest hitters.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Suggested Solutions

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now