Solved

how to find the top talker on a subnet

Posted on 2011-09-06
6
441 Views
Last Modified: 2012-05-12
this morning something on our core site network is sending out a large amount of traffic causing congestion. Multiple remote offices are complaining of poor response. We can see it on the mpls providers online tool that all available bandwidth outgoing to the remote sites has been maxed for a couple hours. A possible suspect, a windows update server was turned off but the problem persists. Whats the best way to find out what is generating all this traffic and why?
Just some background: we have multiple remote sites on an mpls with nothing filtered. There is a separate internet circuit that goes out from our core site that is not seeing any saturation. All the high utilization is going from the core site to the remote offices. Incoming traffic is low and normal. The internet circuit traffic is also low and normal. Not sure if I have provided enough info but Im trying to get another perspective on figuring out who is the top talker and why.
0
Comment
Question by:WAMSINC
6 Comments
 
LVL 24

Expert Comment

by:Ken Boone
ID: 36490873
You need to use net flow or something that will produce net flow "like" data to figure this out.  So if you own the routers - and the router supports net flow, you can download the free version of scrutinizer.  Configure the router to send net flow to scrutinizer and within minutes you will know who the top talker is.

If you do not own the main mpls router you can download ntop from ntop.org.  Load up this tool and plug it into the same switch that the core mpls router is on.  Then mirror the port the router is connected to to the port that the ntop machine is plugged into.  Again, you will see the top talker in a matter of minutes.
0
 

Author Comment

by:WAMSINC
ID: 36491115
unfortunately we do not have access to the routers. My workstation is plugged in to the same core switch, a cisco 6509. Looks like it was a kaspersky AV update server. This was causing congestion for almost 4 hours. I would like to still try this tool and be prepared for next time this happens. How can I mirror the mpls port on the core switch? or would that be another question/issue ?
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 36491182
monitor session 1 source interface gig1/0/1
monitor session 1 destination interface gig1/0/2

Thats off the top of my head so the syntax might not be exact.  Just type in monitor session 1 ? and it will show you the options.

source interface is the device port we want to monitor.
destination interface is where we want the traffic mirrored to  - ntop device.

Hope that helps.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 38

Expert Comment

by:ChiefIT
ID: 36512916
Use the Real Time Netflow Analyzer from solar winds/free tools:

http://www.solarwinds.com/products/solarwinds_free_tools/
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 36513323
He needs to be able to access the router to actually use net flow.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 36513447
You could mirror the port the router is on to a PC wrunning a Wireshark capture and then do a filter down to the subnet you want to look at.

Look in statistics/conversations and sort by the bps columns to see who is the heaviest hitters.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Is your computer hacked? learn how to detect and delete malware in your PC
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now