garychu
asked on
Monitoring volume of internet traffic in a network
I have a situation with a network regarding possibly unauthorised uploading from a rogue workstation.
Logs provided by the ISP indicate regular spikes in uploading traffic activity.
Its not a big network, only 15 workstations.
Initial steps taken;
- Anti-malware softwares (SEP v12.1) are all up to date and full scans performed
- AntiMalwareBytes full scans
- Changed PPPoA logon credentials
- Changed wireless password
Not likely to be an issue at ISP's end. Because spikes end when the modem-router is turned off.
The modem-router is not one which provides logging of traffic.
What has not been tried is to turn off each workstation for a few hours at a time - a rather messy and unprofessional move. There must be a more elegant way to track down the rogue workstation.
Otherwise, at a loss as to what to try next.
Any advice from the Experts would be most appreciated. Thanks
Logs provided by the ISP indicate regular spikes in uploading traffic activity.
Its not a big network, only 15 workstations.
Initial steps taken;
- Anti-malware softwares (SEP v12.1) are all up to date and full scans performed
- AntiMalwareBytes full scans
- Changed PPPoA logon credentials
- Changed wireless password
Not likely to be an issue at ISP's end. Because spikes end when the modem-router is turned off.
The modem-router is not one which provides logging of traffic.
What has not been tried is to turn off each workstation for a few hours at a time - a rather messy and unprofessional move. There must be a more elegant way to track down the rogue workstation.
Otherwise, at a loss as to what to try next.
Any advice from the Experts would be most appreciated. Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hello,
Use wireshark and monitor packet.Your switch should have port mirroring capability.
http://www.wireshark.org/download.html
If you have managable switch you can enable SNMP and install Cacto or MRTG into one PC.You can check switchport utilization.
http://www.disorder.com/~bsod/Cacti-0.8.7i.exe
If you have Cisco device then you can use Netflow Analyzer.
And which wireless router do you use? If it is Linksys then you can monitor LAN traffic.Go to Administration>Log and enable log.Then check outgoing and incoming log
Use wireshark and monitor packet.Your switch should have port mirroring capability.
http://www.wireshark.org/download.html
If you have managable switch you can enable SNMP and install Cacto or MRTG into one PC.You can check switchport utilization.
http://www.disorder.com/~bsod/Cacti-0.8.7i.exe
If you have Cisco device then you can use Netflow Analyzer.
And which wireless router do you use? If it is Linksys then you can monitor LAN traffic.Go to Administration>Log and enable log.Then check outgoing and incoming log
What type of equipment do you have? Especially in the case of the wireless router?
In addition to what I said before, I would also ensure the wireless router is using wpa for wifi (as opposed to wep, which is easier to crack) and change the wifi password to something not succeptible to a dictionary attack (that would be a password that has no words that exist in a dictionary, to put it in very basic terms, such as FFgjU17t-!x instead of 23potato11).
Alex
Alex
ASKER
Thanks for the helpful comments and suggestions, Experts.
Hardware wise, the site is not sufficiently equipped.
A non-managed switch is in use. An SMC modem-router provides internet access.
Wireless security in use is WPA/WPA2 . Password is quite strong, exceeding 10 characters, containing mix of upper/lower cases, numbers and special characters.
Although I have not done so yet, I am tending to try Spector360. Getting past Management can be an issue with its over the top features. But from the overview, it appears to have the means to help pin down the rogue workstation(s).
Thanks again
Hardware wise, the site is not sufficiently equipped.
A non-managed switch is in use. An SMC modem-router provides internet access.
Wireless security in use is WPA/WPA2 . Password is quite strong, exceeding 10 characters, containing mix of upper/lower cases, numbers and special characters.
Although I have not done so yet, I am tending to try Spector360. Getting past Management can be an issue with its over the top features. But from the overview, it appears to have the means to help pin down the rogue workstation(s).
Thanks again
I don't know what ports are used by that protocol, but it's an easy google. Try blocking those ports at the router and see if that alleviates the problem, however, Nick's suggestion seems to be a much more elegant one, not to mention that it'll give you the answer directly instead of having to poke around following mine. I'll check out spector myself, as I have a few users that, in spite of my explanations, insist on streaming music.
Alex
PS: Don't know if this would apply at all in this situation, but you could also take a look at wireshark.org. It might be able to tell you where those traffic surges are going to.