Solved

Bandwidth activity help

Posted on 2014-07-24
Last Modified: 2014-09-16
I am new to trying to read netflow data to determine usage. I found an app that seems to be giving me the information I need, but I am not sure what some of it is. Can you tell me what I am looking at? I am especially wondering about the macromedia-fcs and the four above (ms-wbt-server, oce-snmp-trap, gte-samp, sns-dispatcher). I have never had to really narrow down bandwidth, but someone keeps blowing ours up.

Could you also tell me why I have one router but it is giving me three interfaces?

Attachments: ifIndex2.pdf, ifIndex65535.pdf, ifIndex3.pdf, dashboard bottom screen after reconnection, netflow snapshot after reconnection, dashboard top screen after reconnection
0
Question by:Jennifer
11 Comments
 

Author Comment

by:Jennifer
ID: 40218048
To add to this, it seems there are times when we lose connection one of the other locations loses connection. Which I mean is expected, but it seems more like their router is pushing ours to max and disconnect, or vice versa, ours is maxing there and disconnecting. Is this possible, and how do you verify and/or rectify?
0
 
LVL 17

Accepted Solution

by:
pergr earned 250 total points
ID: 40218828
http://www.manageengine.com/products/netflow/help/netflow-misc/faq-netflow-analyzer.html#inout

You'll have to look up the application names on the Internet.

For example, ms-wbt-server is typically RDP traffic, but it is identified only based on TCP/UDP port numbers, so if some virus or worm is using that same port, the traffic could be that too.
0
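The point made in the answer above, as an added example that is not part of the original thread: the application name is only a lookup on the port number, so finding who is responsible means grouping the flow records by endpoint as well. The flow records, the column names and the lower-port heuristic are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (private addresses); not data from the thread.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes
10.0.1.20,53427,10.0.2.15,8014,TCP,8140000000
10.0.1.20,53430,10.0.2.15,8014,TCP,120000000
10.0.2.31,49811,10.0.1.5,3389,TCP,50000000
10.0.1.5,3389,10.0.2.31,49811,TCP,900000000
10.0.2.32,50122,10.0.1.5,3389,TCP,700000000
"""

# Short excerpt of a port-to-name table. The "application" label is only
# this lookup on the port number; nothing else about the flow is checked.
PORT_NAMES = {3389: "ms-wbt-server", 443: "https"}


def service_side(row):
    """Return (client_ip, server_ip, service_port) for one flow record."""
    sp, dp = int(row["src_port"]), int(row["dst_port"])
    # Assumption: a named port is the service; otherwise the lower port is.
    if sp in PORT_NAMES or (dp not in PORT_NAMES and sp < dp):
        return row["dst_ip"], row["src_ip"], sp  # reply direction
    return row["src_ip"], row["dst_ip"], dp


def conversations(text):
    """Sum bytes per (client, server, port), merging both directions."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        totals[service_side(row)] += int(row["bytes"])
    return totals


def top_talkers(text, n=3):
    """Largest conversations, with the port-derived label attached."""
    ranked = sorted(conversations(text).items(), key=lambda kv: -kv[1])
    return [(c, s, p, PORT_NAMES.get(p, "unknown app"), b)
            for (c, s, p), b in ranked[:n]]


def bytes_per_label(text):
    """What a per-application chart shows: the endpoints are lost."""
    out = defaultdict(int)
    for (_, _, port), b in conversations(text).items():
        out[PORT_NAMES.get(port, "unknown app")] += b
    return dict(out)


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_FLOWS):
        print(row)
```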
 

Author Comment

by:Jennifer
ID: 40232536
Thanks for the post; however, this doesn't really help me. When I try to look up the names I don't seem to find any information on what is using this port. The one I have right now is sitadar port 2631. All I can find is that it is TCP; well, my data tells me that. I need to know who and what is using it. I also see 'unknown app' using src port 53427 and dst port 8014 using 8.14 gb. I don't know what this is and there isn't much to go on.

If we go back to my other question about one of my site to site VPN branch locations taking the router down. Today I had an instance where our internet went down. I look at the report and I see a huge spike. I can't tell for sure what is spiking it but I do know that while I am looking at the data I get a call from one of our branches. He says they have been down for 30 minutes, no internet. If his time is accurate it would have been 10 minutes before we went down. Do these have any correlation?
0
 

Author Comment

by:Jennifer
ID: 40258754
So I have a better understanding on the flow of this however I have run into a problem that I kind of mentioned previously.
I have narrowed down an instance when the internet here goes down and of course goes down in one of the branches. What I have found is that yesterday Symantec Endpoint was sending updates to one of the branch computers. The internet spiked to full bandwidth, which of course disconnected everyone. Why would Symantec be using full bandwidth to send to this branch and not the other branch or internal office? I believe I have everything set up exactly the same. If this is to happen, then is there a way to have it do this during the evening?
0
 
LVL 70

Expert Comment

by:Merete
ID: 40285162
Hi Jennifer
It's a good idea to grab some video and watch how it's done, and study the guides.
Here's a video describing the overview of Net Flow from Solar Winds.
This may help you:
NetFlow Traffic Analyzer
https://www.youtube.com/watch?v=FSEjFxK4joY
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 250 total points
ID: 40286704
Hi Jennifer,

Let's break this communication down. It seems that 3 services, namely ms-wbt-server, gte-samp and sns-dispatch, get most traffic. The ms-wbt-server port is Microsoft Remote Desktop connection. I don't know any specific application which uses gte-samp (2346/TCP port), but it seems the traffic on ms-wbt and gte-samp is similar, so it might easily be some port on the receiving end of the MS Remote Desktop. sns-dispatch is the NAS connection port, so it seems that there's a NAS placed in your network and there's a heavy traffic load on it. Also you have some MS Remote Desktop service activity. If you are using MS Terminal Services and thin clients, it might be normal to have this traffic.

Best Regards,

K.
0
 

Author Comment

by:Jennifer
ID: 40289181
Thank you both.

I will take a look at the video.

Our branch locations are currently connecting through terminal services so that would explain those. I am not sure about the NAS though, I will have to look into it.
0
 

Author Comment

by:Jennifer
ID: 40325523
I have narrowed it down to Symantec and I am reviewing that further on a different thread, so thanks for the help. The answers helped put me in the right direction.
0

Question has a verified solution.