• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 476
  • Last Modified:

how to find the top talker on a subnet

this morning something on our core site network is sending out a large amount of traffic causing congestion. Multiple remote offices are complaining of poor response. We can see it on the mpls providers online tool that all available bandwidth outgoing to the remote sites has been maxed for a couple hours. A possible suspect, a windows update server was turned off but the problem persists. Whats the best way to find out what is generating all this traffic and why?
Just some background: we have multiple remote sites on an mpls with nothing filtered. There is a separate internet circuit that goes out from our core site that is not seeing any saturation. All the high utilization is going from the core site to the remote offices. Incoming traffic is low and normal. The internet circuit traffic is also low and normal. Not sure if I have provided enough info but Im trying to get another perspective on figuring out who is the top talker and why.
0
WAMSINC
Asked:
WAMSINC
1 Solution
 
Ken BooneNetwork ConsultantCommented:
You need to use net flow or something that will produce net flow "like" data to figure this out.  So if you own the routers - and the router supports net flow, you can download the free version of scrutinizer.  Configure the router to send net flow to scrutinizer and within minutes you will know who the top talker is.

If you do not own the main mpls router you can download ntop from ntop.org.  Load up this tool and plug it into the same switch that the core mpls router is on.  Then mirror the port the router is connected to to the port that the ntop machine is plugged into.  Again, you will see the top talker in a matter of minutes.
0
 
WAMSINCAuthor Commented:
unfortunately we do not have access to the routers. My workstation is plugged in to the same core switch, a cisco 6509. Looks like it was a kaspersky AV update server. This was causing congestion for almost 4 hours. I would like to still try this tool and be prepared for next time this happens. How can I mirror the mpls port on the core switch? or would that be another question/issue ?
0
 
Ken BooneNetwork ConsultantCommented:
monitor session 1 source interface gig1/0/1
monitor session 1 destination interface gig1/0/2

Thats off the top of my head so the syntax might not be exact.  Just type in monitor session 1 ? and it will show you the options.

source interface is the device port we want to monitor.
destination interface is where we want the traffic mirrored to  - ntop device.

Hope that helps.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
ChiefITCommented:
Use the Real Time Netflow Analyzer from solar winds/free tools:

http://www.solarwinds.com/products/solarwinds_free_tools/
0
 
Ken BooneNetwork ConsultantCommented:
He needs to be able to access the router to actually use net flow.
0
 
Rick_O_ShayCommented:
You could mirror the port the router is on to a PC wrunning a Wireshark capture and then do a filter down to the subnet you want to look at.

Look in statistics/conversations and sort by the bps columns to see who is the heaviest hitters.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now