Solved

Bandwidth activity help

Posted on 2014-07-24
431 Views
Last Modified: 2014-09-16
I am new to trying to read NetFlow data to determine usage. I found an app that seems to be giving me the information I need, but I am not sure what some of it is. Can you tell me what I am looking at? I am especially wondering about the macromedia-fcs and the four above (ms-wbt-server, oce-snmp-trap, gte-samp, sns-dispatcher). I have never had to really narrow down bandwidth, but someone keeps blowing ours up.

Could you also tell me why I have one router but it is giving me three interfaces?

Attachments: ifIndex2.pdf, ifIndex65535.pdf, ifIndex3.pdf, dashboard bottom screen after reconnection, netflow snapshot after reconnection, dashboard top screen after reconnection
Question by:Jennifer
11 Comments
 

Author Comment

by:Jennifer
ID: 40218048
To add to this, it seems there are times when we lose connection, one of the other locations loses connection. Which I mean is expected, but it seems more like their router is pushing ours to max and disconnect or vice versa ours is maxing there and disconnecting. Is this possible and how do you verify and/or rectify?
0
 
LVL 17

Accepted Solution

by:
pergr earned 250 total points
ID: 40218828
http://www.manageengine.com/products/netflow/help/netflow-misc/faq-netflow-analyzer.html#inout

You'll have to look up the application names on the Internet.

For example, ms-wbt-server is typically RDP traffic, but it is identified only based on TCP/UDP port numbers, so if some virus or worm is using that same port, the traffic could be that too.
0
 

Author Comment

by:Jennifer
ID: 40232536
Thanks for the post; however, this doesn't really help me. When I try to look up the names I don't seem to find any information on what is using this port. The one I have right now is sitadar port 2631. All I can find is that it is TCP; well, my data tells me that. I need to know who and what is using it. I also see 'unknown app' using src port 53427 and dst port 8014 using 8.14 GB. I don't know what this is and there isn't much to go on.

If we go back to my other question about one of my site-to-site VPN branch locations taking the router down. Today I had an instance where our internet went down. I look at the report and I see a huge spike. I can't tell for sure what is spiking it, but I do know that while I am looking at the data I get a call from one of our branches. He says they have been down for 30 minutes, no internet. If his time is accurate, it would have been 10 minutes before we went down. Do these have any correlation?
0
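A collector's application label is only a port lookup, so "who and what is using it" is answered by totalling the exported flows per host pair and service port, as with the src port 53427 / dst port 8014 flow quoted above. This is an added example, not part of the original thread or of any product mentioned in it; the flow records, addresses, CSV column names and the lower-port heuristic are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported flow records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = """src,dst,proto,sport,dport,bytes
192.0.2.10,198.51.100.20,6,53427,8014,5200000000
192.0.2.10,198.51.100.20,6,53427,8014,2940000000
198.51.100.21,192.0.2.15,6,49210,3389,310000000
198.51.100.22,192.0.2.15,6,49877,3389,280000000
192.0.2.15,198.51.100.21,6,3389,49210,900000000
192.0.2.30,203.0.113.5,6,51000,2631,45000000
"""

# Port-to-name hints; the application label in a report is this lookup and nothing more.
PORT_NAMES = {3389: "ms-wbt-server"}


def service_port(sport, dport):
    """Guess the service side of a flow: a named port wins, else the lower port."""
    for port in (dport, sport):
        if port in PORT_NAMES:
            return port
    return min(sport, dport)


def top_conversations(text, n=3):
    """Sum bytes per (client, server, service port), both directions folded together."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        sport, dport = int(row["sport"]), int(row["dport"])
        port = service_port(sport, dport)
        # The endpoint that owns the service port is treated as the server.
        if port == dport:
            server, client = row["dst"], row["src"]
        else:
            server, client = row["src"], row["dst"]
        totals[(client, server, port)] += int(row["bytes"])
    return [(c, s, p, PORT_NAMES.get(p, "unknown app"), b)
            for (c, s, p), b in totals.most_common(n)]


if __name__ == "__main__":
    for client, server, port, name, nbytes in top_conversations(SAMPLE_FLOWS):
        print(f"{client} <-> {server} port {port} "
              f"({name}, port-only guess): {nbytes / 1e9:.2f} GB")
```

The two IP addresses on the top line are what to chase next: the hosts themselves show which process owns the connection, which the port name cannot.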

 

Author Comment

by:Jennifer
ID: 40258754
So I have a better understanding of the flow of this; however, I have run into a problem that I kind of mentioned previously.
I have narrowed down an instance when the internet here goes down and of course goes down in one of the branches. What I have found is that yesterday Symantec Endpoint was sending updates to one of the branch computers. The internet spiked to full bandwidth, which of course disconnected everyone. Why would Symantec be using full bandwidth to send to this branch and not the other branch or internal office? I believe I have everything set up exactly the same. If this is to happen, then is there a way to have it do this during the evening?
0
 
LVL 70

Expert Comment

by:Merete
ID: 40285162
Hi Jennifer,
It's a good idea to grab some video and watch how it's done, and study the guides.
Here's a video describing the overview of NetFlow from SolarWinds;
this may help you:
NetFlow Traffic Analyzer
https://www.youtube.com/watch?v=FSEjFxK4joY
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 250 total points
ID: 40286704
Hi Jennifer,

Let's break this communication down. It seems that 3 services, namely ms-wbt-server, gte-samp and sns-dispatcher, get most of the traffic. The ms-wbt-server port is Microsoft Remote Desktop connection. I don't know any specific application which uses gte-samp (2346/TCP port), but it seems the traffic on ms-wbt and gte-samp is similar, so it might easily be some port on the receiving end of the MS Remote Desktop. sns-dispatcher is the NAS connection port, so it seems that there's a NAS placed in your network and there's a heavy traffic load on it. Also you have some MS Remote Desktop service activity. If you are using MS Terminal Services and thin clients, it might be normal to have this traffic.

Best Regards,

K.
0
 

Author Comment

by:Jennifer
ID: 40289181
Thank you both.

I will take a look at the video.

Our branch locations are currently connecting through terminal services so that would explain those. I am not sure about the NAS though, I will have to look into it.
0
 

Author Comment

by:Jennifer
ID: 40325523
I have narrowed it down to Symantec and I am reviewing that further on a different thread, so thanks for the help. The answers helped put me in the right direction.
0


Question has a verified solution.
