Solved

How to find the top talker on a subnet

Posted on 2011-09-06
Last Modified: 2012-05-12
This morning something on our core site network is sending out a large amount of traffic, causing congestion. Multiple remote offices are complaining of poor response. We can see on the MPLS provider's online tool that all available bandwidth outgoing to the remote sites has been maxed for a couple of hours. A possible suspect, a Windows update server, was turned off but the problem persists. What's the best way to find out what is generating all this traffic and why?
Just some background: we have multiple remote sites on an MPLS with nothing filtered. There is a separate internet circuit that goes out from our core site that is not seeing any saturation. All the high utilization is going from the core site to the remote offices. Incoming traffic is low and normal. The internet circuit traffic is also low and normal. Not sure if I have provided enough info, but I'm trying to get another perspective on figuring out who is the top talker and why.
Question by:WAMSINC
6 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36490873
You need to use NetFlow or something that will produce NetFlow-"like" data to figure this out.  So if you own the routers - and the router supports NetFlow - you can download the free version of Scrutinizer.  Configure the router to send NetFlow to Scrutinizer and within minutes you will know who the top talker is.

If you do not own the main MPLS router you can download ntop from ntop.org.  Load up this tool and plug it into the same switch that the core MPLS router is on.  Then mirror the port the router is connected to to the port that the ntop machine is plugged into.  Again, you will see the top talker in a matter of minutes.
0
 

Author Comment

by:WAMSINC
ID: 36491115
Unfortunately we do not have access to the routers. My workstation is plugged in to the same core switch, a Cisco 6509. Looks like it was a Kaspersky AV update server. This was causing congestion for almost 4 hours. I would still like to try this tool and be prepared for the next time this happens. How can I mirror the MPLS port on the core switch? Or would that be another question/issue?
0
 
LVL 25

Accepted Solution

by:
Ken Boone earned 2000 total points
ID: 36491182
monitor session 1 source interface gig1/0/1
monitor session 1 destination interface gig1/0/2

That's off the top of my head so the syntax might not be exact.  Just type in monitor session 1 ? and it will show you the options.

Source interface is the device port we want to monitor.
Destination interface is where we want the traffic mirrored to - the ntop device.

Hope that helps.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 36512916
Use the Real Time NetFlow Analyzer from SolarWinds free tools:

http://www.solarwinds.com/products/solarwinds_free_tools/
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36513323
He needs to be able to access the router to actually use NetFlow.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 36513447
You could mirror the port the router is on to a PC running a Wireshark capture and then filter down to the subnet you want to look at.

Look in Statistics/Conversations and sort by the bps columns to see who the heaviest hitters are.
0
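
Added example, not part of any post in this thread: a scriptable version of the "filter to the subnet, sort conversations by bps" step, for a capture taken on the mirror destination port and saved in classic pcap format (not pcapng). The function names and all addresses are constructed for illustration; the sample capture is built inline so the script runs offline.

```python
import ipaddress, struct
from collections import Counter

def top_talkers(pcap, subnet, n=5):
    """[(src_ip, bytes, avg_bps)] for IPv4 senders in `subnet`, heaviest first.
    Input: bytes of a classic libpcap file with Ethernet link type."""
    net = ipaddress.ip_network(subnet)
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, stamps, off = Counter(), [], 24
    while off + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        stamps.append(sec + usec / 1e6)
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
        if len(frame) < l3 + 20 or frame[l3 - 2:l3] != b"\x08\x00":
            continue                                     # not IPv4, or truncated
        src = ipaddress.ip_address(frame[l3 + 12:l3 + 16])
        if src in net:
            totals[str(src)] += orig    # on-wire length, even if snaplen cut the frame
    span = max(stamps[-1] - stamps[0], 1.0) if stamps else 1.0
    return [(ip, b, b * 8 / span) for ip, b in totals.most_common(n)]

def build_sample():
    """Constructed capture: headers only (snaplen 34), 10 seconds, three senders."""
    packets = [(0, "10.1.1.50", 1500), (2, "10.1.1.7", 600), (4, "10.1.1.50", 1500),
               (6, "10.9.9.9", 1500), (10, "10.1.1.50", 1500)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 34, 1)
    for ts, src, wire in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, wire - 14, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address("10.20.0.1").packed)
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1315300000 + ts, 0, len(frame), wire) + frame
    return out

if __name__ == "__main__":
    for ip, nbytes, bps in top_talkers(build_sample(), "10.1.1.0/24"):
        print(f"{ip:15} {nbytes:8d} bytes {bps:10.0f} bit/s")
```

Byte counts use the original on-wire length from each record header, so a capture taken with a short snap length (headers only) still ranks senders correctly.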


Question has a verified solution.
