Solved

Monitoring volume of internet traffic in a network

Posted on 2012-03-23
514 Views
Last Modified: 2012-03-26
I have a situation with a network regarding possibly unauthorised uploading from a rogue workstation.
Logs provided by the ISP indicate regular spikes in uploading traffic activity.
It's not a big network, only 15 workstations.
Initial steps taken:
- Anti-malware software (SEP v12.1) all up to date and full scans performed
- Malwarebytes full scans
- Changed PPPoA logon credentials
- Changed wireless password
Not likely to be an issue at the ISP's end, because the spikes stop when the modem-router is turned off.
The modem-router is not one which provides logging of traffic.
What has not been tried is to turn off each workstation for a few hours at a time - a rather messy and unprofessional move. There must be a more elegant way to track down the rogue workstation.
Otherwise, at a loss as to what to try next.
Any advice from the Experts would be most appreciated. Thanks
0
Question by:garychu
6 Comments
 
LVL 1

Accepted Solution

by: nick_kessler earned 500 total points
ID: 37759623
Assuming there is a firewall on site, you might be able to get that data from the logs.

Another possibility is to download a demo of Spector 360, which is a monitoring program that tracks everything that happens on a PC. We use it to see who is accessing sites like Facebook and YouTube, etc. It captures screenshots and is a keystroke logger, etc. It also has the ability to track down which user is using the most bandwidth; this helps us identify who is using sites like Pandora to stream music or video. Since blocking all these sites can get out of hand, we just show them the activity and bandwidth logs and it pretty much stops them cold.

The demo should allow you to get the data you need to pinpoint the workstation then you can address and then decide if you want to keep the software or not.

Of course you have to inform your users that you are now monitoring them, but then again it's not their time nor their PC; they belong to the company.

Hope that helps! Cheers...
0
 
LVL 4

Expert Comment

by:kdebugs
ID: 37759957
It's possible that one of your users has a torrent server going. That would explain occasional spikes in traffic.

I don't know what ports are used by that protocol, but it's an easy Google search. Try blocking those ports at the router and see if that alleviates the problem. However, Nick's suggestion seems to be a much more elegant one, not to mention that it'll give you the answer directly instead of having to poke around following mine. I'll check out Spector myself, as I have a few users that, in spite of my explanations, insist on streaming music.

Alex
PS: Don't know if this would apply at all in this situation, but you could also take a look at wireshark.org. It might be able to tell you where those traffic surges are going to.
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37761031
Hello,

Use Wireshark and monitor packets. Your switch should have port mirroring capability.
http://www.wireshark.org/download.html

If you have a manageable switch you can enable SNMP and install Cacti or MRTG on one PC. You can check switch port utilization.
http://www.disorder.com/~bsod/Cacti-0.8.7i.exe

If you have a Cisco device then you can use NetFlow Analyzer.
And which wireless router do you use? If it is Linksys then you can monitor LAN traffic. Go to Administration > Log and enable logging. Then check the outgoing and incoming logs.
0
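Both the firewall-log route in the accepted answer and the port-mirroring/Wireshark route above come down to the same analysis: attribute outbound bytes to the internal source address and see which host accounts for the spikes. The following is an added example, not code from any of the posters nor from Wireshark or Spector 360, that performs that attribution over tcpdump-style text lines. The capture lines, the 192.168.1.0/24 LAN range and every address in it are constructed for illustration; the parser assumes tcpdump's default `-n` output, where each line ends in `length N` (the payload length as tcpdump prints it). The same per-host, per-minute aggregation applies to a firewall log once its source, destination and byte fields are parsed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in tcpdump's default "-n" text format, as if captured on a
# mirror port of the office switch. Addresses and sizes are made up.
SAMPLE_CAPTURE = """\
09:00:01.000000 IP 192.168.1.23.51234 > 203.0.113.5.443: Flags [P.], seq 1:1461, ack 1, win 256, length 1460
09:00:01.200000 IP 203.0.113.5.443 > 192.168.1.23.51234: Flags [.], ack 1461, win 256, length 0
09:00:02.000000 IP 192.168.1.40.6881 > 198.51.100.77.6881: Flags [P.], seq 1:1461, ack 1, win 256, length 1460
09:00:02.100000 IP 192.168.1.40.6881 > 198.51.100.78.51413: UDP, length 1460
09:00:02.300000 IP 192.168.1.40.6881 > 198.51.100.79.6881: Flags [P.], seq 1:1461, ack 1, win 256, length 1460
09:00:03.000000 IP 192.168.1.23.51235 > 192.168.1.10.445: Flags [P.], seq 1:1461, ack 1, win 256, length 1460
09:00:03.500000 IP 192.168.1.11.52000 > 203.0.113.9.80: Flags [P.], seq 1:201, ack 1, win 256, length 200
09:05:02.000000 IP 192.168.1.40.6881 > 198.51.100.77.6881: Flags [P.], seq 1461:2921, ack 1, win 256, length 1460
"""

# One tcpdump line: HH:MM:SS.usec IP src.port > dst.port: ... length N
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}:\d{2}):\d{2}\.\d+ IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+:.*\blength (?P<length>\d+)$"
)


def parse_packets(text):
    """Yield (hh:mm, src_ip, dst_ip, payload_bytes) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["minute"], m["src"], m["dst"], int(m["length"])


def is_upload(src, dst, lan):
    """Only LAN -> non-LAN packets count as upload; LAN-to-LAN traffic (e.g. SMB) never reaches the ISP."""
    return ipaddress.ip_address(src) in lan and ipaddress.ip_address(dst) not in lan


def upload_bytes_per_host(text, lan="192.168.1.0/24"):
    """Total outbound payload bytes per internal host."""
    net = ipaddress.ip_network(lan)
    totals = defaultdict(int)
    for _, src, dst, length in parse_packets(text):
        if is_upload(src, dst, net):
            totals[src] += length
    return dict(totals)


def upload_by_minute(text, lan="192.168.1.0/24"):
    """Outbound bytes keyed by (hh:mm, host), so spikes can be lined up with the ISP's timestamps."""
    net = ipaddress.ip_network(lan)
    buckets = defaultdict(int)
    for minute, src, dst, length in parse_packets(text):
        if is_upload(src, dst, net):
            buckets[(minute, src)] += length
    return dict(buckets)


def top_talker(text, lan="192.168.1.0/24"):
    """(host, bytes) of the internal address sending the most data out, or None if nothing matched."""
    totals = upload_bytes_per_host(text, lan)
    if not totals:
        return None
    host = max(totals, key=totals.get)
    return host, totals[host]


if __name__ == "__main__":
    ranked = sorted(upload_bytes_per_host(SAMPLE_CAPTURE).items(), key=lambda kv: -kv[1])
    for host, nbytes in ranked:
        print(f"{host:<16} {nbytes:>8} bytes out")
    print("top talker:", top_talker(SAMPLE_CAPTURE))
```

Feed it the saved text of a capture taken from a mirror (SPAN) port or an inline tap between the switch and the modem-router; on the unmanaged switch the author later describes, the inline placement is the only way to see every workstation's traffic. Comparing the `upload_by_minute` buckets with the ISP's spike times is what turns a list of top talkers into a confirmed source.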
 
LVL 28

Expert Comment

by:masnrock
ID: 37762485
What type of equipment do you have? Especially in the case of the wireless router?
0
 
LVL 4

Expert Comment

by:kdebugs
ID: 37762767
In addition to what I said before, I would also ensure the wireless router is using WPA for Wi-Fi (as opposed to WEP, which is easier to crack) and change the Wi-Fi password to something not susceptible to a dictionary attack (that would be a password that has no words that exist in a dictionary, to put it in very basic terms, such as FFgjU17t-!x instead of 23potato11).

Alex
0
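As an added illustration of the dictionary-attack point (my code, not Alex's), the following screens a candidate Wi-Fi passphrase the way a defender would before setting it: it checks whether the letter runs, raw or after undoing common digit-for-letter substitutions, are all words from a wordlist, and reports length and character-class findings alongside. The six-word wordlist and the substitution table are constructed stand-ins; a real check would load a large dictionary or leaked-password list from a file.

```python
import re

# Constructed stand-in for a real wordlist (assumption: in practice load a
# large dictionary / leaked-password list from a file).
WORDLIST = {"potato", "password", "office", "summer", "admin", "wifi"}

# Common digit/symbol-for-letter substitutions that wordlist attacks also try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabetic_runs(text):
    """Lowercase alphabetic runs of 3+ letters, e.g. '23potato11' -> ['potato']."""
    return [run for run in re.findall(r"[a-z]+", text.lower()) if len(run) >= 3]


def dictionary_susceptible(passphrase, wordlist=WORDLIST):
    """True when every letter run (raw, or after undoing substitutions) is a wordlist word.

    Padding digits and symbols around such words do not help: a wordlist plus a
    few mangling rules recovers the passphrase in a small number of guesses.
    """
    for candidate in (passphrase, passphrase.translate(LEET)):
        runs = alphabetic_runs(candidate)
        if runs and all(run in wordlist for run in runs):
            return True
    return False


def assess_wifi_passphrase(passphrase, wordlist=WORDLIST, min_length=10):
    """Return the list of findings for a candidate passphrase (empty list = no findings)."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if dictionary_susceptible(passphrase, wordlist):
        problems.append("built from dictionary words")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("23potato11", "p0tat0!", "FFgjU17t-!x"):
        print(f"{candidate:<14} {assess_wifi_passphrase(candidate) or 'no findings'}")
```

Note that the substitution pass is what catches `p0tat0!`, which the raw check alone would pass; that is the difference between a passphrase that merely looks unusual and one that is actually outside the wordlist.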
 

Author Comment

by:garychu
ID: 37765295
Thanks for the helpful comments and suggestions, Experts.

Hardware-wise, the site is not sufficiently equipped.
A non-managed switch is in use. An SMC modem-router provides internet access.
Wireless security in use is WPA/WPA2. The password is quite strong, exceeding 10 characters and containing a mix of upper/lower case, numbers and special characters.

Although I have not done so yet, I am inclined to try Spector360. Getting it past Management can be an issue with its over-the-top features. But from the overview, it appears to have the means to help pin down the rogue workstation(s).

Thanks again
0

