Solved

Bandwidth activity help

Posted on 2014-07-24
Medium Priority
Last Modified: 2014-09-16
I am new to trying to read netflow data to determine usage. I found an app that seems to be giving me the information I need but I am not sure what some of it is. Can you tell me what I am looking at? I am especially wondering about the macromedia-fcs and the four above (ms-wbt-servr, oce-snmp-trap, gte-samp, sns-dispatcher). I have never had to really narrow down bandwidth but someone keeps blowing ours up.

Could you also tell me why I have one router but it is giving me three interfaces?

Attachments: ifIndex2.pdf, ifIndex65535.pdf, ifIndex3.pdf, dashboard bottom screen after reconnection, netflow snapshot after reconnection, dashboard top screen after reconnection
Question by:Jennifer
8 Comments
 

Author Comment

by:Jennifer
ID: 40218048
To add to this, it seems there are times when we lose connection and one of the other locations loses connection. Which I mean is expected, but it seems more like their router is pushing ours to max and disconnecting, or vice versa, ours is maxing theirs and disconnecting. Is this possible, and how do you verify and/or rectify?
0
 
LVL 17

Accepted Solution

by:
pergr earned 750 total points
ID: 40218828
http://www.manageengine.com/products/netflow/help/netflow-misc/faq-netflow-analyzer.html#inout

You'll have to look up the application names on the Internet.

For example, ms-wbt-server is typically RDP traffic, but it is identified only based on TCP/UDP port numbers, so if some virus or worm is using that same port, the traffic could be that too.
0
 

Author Comment

by:Jennifer
ID: 40232536
Thanks for the post, however this doesn't really help me. When I try to look up the names I don't seem to find any information on what is using this port. The one I have right now is sitadar port 2631. All I can find is that it is TCP; well, my data tells me that. I need to know who and what is using it. I also see 'unknown app' using src port 53427 and dst port 8014 using 8.14 GB. I don't know what this is and there isn't much to go on.

If we go back to my other question about one of my site to site VPN branch locations taking the router down. Today I had an instance where our internet went down. I look at the report and I see a huge spike. I can't tell for sure what is spiking it but I do know that while I am looking at the data I get a call from one of our branches. He says they have been down for 30 minutes, no internet. If his time is accurate it would have been 10 minutes before we went down. Do these have any correlation?
0
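What the accepted answer's point about port-based labelling means for the question of "who and what is using it", as an added example (not code from the thread or from any NetFlow product): the collector names a flow from its port alone, so grouping the same records by endpoint pair is what identifies the hosts moving the bytes. The flow records, IP addresses and function names are constructed for illustration; ports 53427 and 8014 are the ones quoted above.

```python
from collections import defaultdict

# Port-to-name table as a collector applies it (two IANA names from this thread).
PORT_NAMES = {3389: "ms-wbt-server", 1935: "macromedia-fcs"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# All addresses are made up; only ports 53427 and 8014 come from the thread.
FLOWS = [
    ("10.0.1.20", 53427, "10.0.2.15", 8014, "tcp", 4_000_000_000),
    ("10.0.1.20", 53431, "10.0.2.15", 8014, "tcp", 4_140_000_000),
    ("10.0.2.31", 49811, "10.0.1.5", 3389, "tcp", 350_000_000),
    ("10.0.1.5", 3389, "10.0.2.31", 49811, "tcp", 900_000_000),
    ("10.0.2.44", 50122, "10.0.1.5", 3389, "tcp", 120_000_000),
    ("10.0.1.77", 51200, "10.0.3.9", 1935, "tcp", 60_000_000),
]

def label(src_port, dst_port):
    """Name a flow by port number only; the payload is never inspected."""
    for port in (dst_port, src_port):
        if port in PORT_NAMES:
            return PORT_NAMES[port], port
    # Neither port is in the table: treat the lower one as the service port.
    return "unknown app", min(src_port, dst_port)

def top_talkers(flows, n=3):
    """Sum bytes per (label, service port, client, server), both directions."""
    totals = defaultdict(int)
    for src, sport, dst, dport, _proto, nbytes in flows:
        name, port = label(sport, dport)
        # The endpoint that owns the service port is counted as the server.
        if dport == port:
            client, server = src, dst
        else:
            client, server = dst, src
        totals[(name, port, client, server)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for (name, port, client, server), nbytes in top_talkers(FLOWS):
        print(f"{name:15} port {port:<5} {client} -> {server} "
              f"{nbytes / 1e9:.2f} GB")
```

The label column is still only a guess from the port; the client and server addresses are what to take to the hosts themselves to confirm which program owns the connection.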

 

Author Comment

by:Jennifer
ID: 40258754
So I have a better understanding of the flow of this, however I have run into a problem that I kind of mentioned previously.
I have narrowed down an instance when the internet here goes down and of course goes down in one of the branches. What I have found is that yesterday Symantec Endpoint was sending updates to one of the branch computers. The internet spiked to full bandwidth, which of course disconnected everyone. Why would Symantec be using full bandwidth to send to this branch and not the other branch or internal office? I believe I have everything set up exactly the same. If this is to happen, then is there a way to have it do this during the evening?
0
 
LVL 70

Expert Comment

by:Merete
ID: 40285162
Hi Jennifer,
It's a good idea to grab some video and watch how it's done, and study the guides.
Here's a video describing the overview of NetFlow from SolarWinds;
this may help you:
NetFlow Traffic Analyzer
https://www.youtube.com/watch?v=FSEjFxK4joY
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 750 total points
ID: 40286704
Hi Jennifer,

Let's break this communication down. It seems that 3 services, namely ms-wbt-server, gte-samp and sns-dispatch, get most traffic. The ms-wbt-server port is Microsoft Remote Desktop connection. I don't know any specific application which uses gte-samp (2346/TCP port) but it seems the traffic on ms-wbt and gte-samp is similar, so it might easily be some port on the receiving end of the MS Remote Desktop. sns-dispatch is the NAS connection port, so it seems that there's a NAS placed in your network and there's a heavy traffic load on it. Also you have some MS Remote Desktop service activity. If you are using MS Terminal Services and thin clients, it might be normal to have this traffic.

Best Regards,

K.
0
 

Author Comment

by:Jennifer
ID: 40289181
Thank you both.

I will take a look at the video.

Our branch locations are currently connecting through terminal services so that would explain those. I am not sure about the NAS though, I will have to look into it.
0
 

Author Comment

by:Jennifer
ID: 40325523
I have narrowed it down to Symantec and I am reviewing that further on a different thread, so thanks for the help. The answers helped put me in the right direction.
0

Question has a verified solution.