John Achille asked:

how do I determine who's a bandwidth hog?

I had to take over for a network guy who quit in the middle of the day (please be patient). I need to determine who/what/when/where/how on bandwidth hogs. I am under the impression that we can manage/monitor data usage through the switch, plus a number of other things. How do I do this? I have the following Dell switches in my infrastructure:

3448P/5548P/3548P/N2048/N3048

Does anyone know if there is a GUI or Windows or Dell app that would allow a beginner to begin learning & managing these?

Joel Armstrong:

Just assuming some things, like firewall, DSL/internet connections etc. You could figure out where your broadband connections are coming into your main/core switch. Mirror that port to another port where you have a laptop with Wireshark capturing traffic to get an idea what employees are doing on the internet. Also, you can check that your trunk lines are running at max speed and duplex between your switches. Make sure workstation NIC cards and switch port configurations match. Make sure any server NICs and switch ports are running at optimum speed/duplex.

Scan your workstations for malware and viruses.

Sometimes your firewall (ASA ASDM interface, for example) will give you an indication of how much traffic is flowing in and out of your network.
John Achille (asker):
I wasn't given the IPs by the last guy; how do I determine the switch IP? I'm lucky to have FOUND the passwords. Did a network scan but nothing identifying.

Need IPs to determine if speed is set to duplex.
Dedicated 10MB d/u, tested by plugging directly into the router without any other LAN connection.
Managed firewall by ISP, which is capped at 10MB d/u.
Every laptop is set to scan daily for viruses/malware at 06:00.

Googled the port mirroring and get it, but how do I use Wireshark? Doesn't seem intuitive for a beginner....
It looks like he just plugged them in and pigtailed the switches. IDK how that's even working, but ok.
Joel Armstrong:

Can you get to your switch console with a console cable and PuTTY? If you have the passwords you may be able to log into the console with a laptop and serial cable (sometimes called a rollover cable). All you need is a laptop with a serial port or a USB-to-serial adapter and the rollover cable. If the console prompts you for a password then maybe the passwords you have will get you in. I was not familiar with Dell switches but I found a video and it appears they are similar to a Cisco. Here is the link to the video below.

Wow, it looks like Cisco commands. If you can get into the console, type enable <enter>, then type show ip interface.

Check out this video https://www.youtube.com/watch?v=Z18ekm6OQOM

It shows you how to reset the switches to the default settings, which you may or may not want to do.

https://www.youtube.com/watch?v=lPFuMAX-o1o

Yeah, I'd go with the switch if you have a managed switch that you can access and see what the comparative traffic is between the different ports.
hypercube:

It sounds like you have a lot to learn and that's what we're here for!! :-)

The idea of using Wireshark on a backbone node is a good one. You can see pretty much everything that way. But, perhaps Wireshark is a bit daunting, so I'd recommend you do this IF the switches will support it. So, I'm going to talk first about switches:

There are "dumb" switches that don't do anything but switch.  No controls, no management interfaces, etc.  I hope this isn't what you have at the core of the network.  And, no mirrors.

There are "managed" switches that don't have SNMP. There are management interfaces though. I'm going to ignore these as they are rare (I think).

There are "managed" switches that have good controls and include SNMP.  SNMP can be really helpful in getting what you need.  

So, assuming that you have switches with SNMP, here is what you do:

Install Paessler PRTG on your workstation that's connected to the network LAN.
Tell it to automatically find everything.
You may have to provide an SNMP Community String (which is essentially a password).
The default for everyone is "public" but yours may be something else.
On YOUR workstation or one you commandeer, install Paessler PRTG.
Configure SNMP on PRTG and tell it to discover everything and to get SNMP Traffic.
With luck, you'll get the IP addresses you need this way and be getting very close if not done with getting the traffic on each switch port individually.

Doing it this way is a bit less effort than using Wireshark for the first time.
John Achille (asker):

@JoelArmstrong: watching video
@Fred Marshall: YES A LOT TO LEARN. Downloaded some user guides today so I can RTFM, and all 5 switch models are listed below for the Dell PowerConnects. 1 may be a layer 3?
3448P
5548P
3548P
N2048
N3048
PRTG? A lot of config?
Installed PRTG, gave the SNMP I am aware of, but there's a lot going on with this app. Trying to maneuver through all of it now.

YES A LOT TO LEARN
re: PRTG: You should be able to tell it to "autodiscover". That's one key to getting things quickly.
Ok but how does that tell me who's hogging bandwidth?
Assuming that your switches support SNMP, then each switch port's traffic will be reported.

I'm assuming that each switch has an "uplink" or backbone connection.
I'm assuming that all the other switch ports support one computer or device.
(If a port supports a downstream switch then it's a little different but see below).

First you find the switch that has high backbone or uplink traffic. This becomes the target switch.
Finding this switch can be done by simply looking at all the switch backbone ports to see which one has the high traffic.
Or, if the switches "hub into" an upstream switch or router's ports, then you can find it by looking at the port traffic on the upstream device's ports.
(In general, you will have a pair of reports for the same link or Ethernet cable: one from the "outgoing" port and one from the "incoming" port on the connected device.)
Then you find the port on that switch that more or less matches the high traffic on the backbone port.
This then becomes the target port.

If the target port is connected to a single computer or device then you have your answer.
If the target port is connected to another switch then you drill down into the ports on that other switch as above.

The main sensor you want in PRTG is SNMP Traffic.
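The drill-down above, worked through on SNMP interface counters, as an added example that is not part of the thread: two polls of ifInOctets/ifOutOctets (IF-MIB) are turned into per-port Mbit/s, handling a 32-bit counter wrap, and the access port whose traffic mirrors the uplink's is picked out. The counter values and port names are constructed; in practice they would come from PRTG's SNMP Traffic sensor or an snmpwalk of the switch.

```python
# Added example, not from the thread: Fred's drill-down done on IF-MIB
# counters (ifInOctets / ifOutOctets) polled twice. Counter values and port
# names below are constructed; in practice they come from PRTG's SNMP Traffic
# sensor or an snmpwalk of the switch.
COUNTER_MAX = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit and wrap at gigabit rates

def counter_delta(old, new, counter_max=COUNTER_MAX):
    """Octets moved between two polls, correcting for one counter wrap."""
    return new - old if new >= old else (counter_max - old) + new

def port_rates_mbps(poll1, poll2, interval_s):
    """Per-port (in, out) Mbit/s from two polls of {port: (inOctets, outOctets)}."""
    rates = {}
    for port, (in1, out1) in poll1.items():
        in2, out2 = poll2[port]
        in_mbps = counter_delta(in1, in2) * 8 / interval_s / 1e6
        out_mbps = counter_delta(out1, out2) * 8 / interval_s / 1e6
        rates[port] = (round(in_mbps, 2), round(out_mbps, 2))
    return rates

def find_target_port(rates, uplink):
    """Pick the access port whose traffic best matches the uplink's.
    Bytes arriving on the uplink leave through the hog's port (and vice
    versa), so uplink-in is compared with port-out and uplink-out with port-in."""
    up_in, up_out = rates[uplink]
    best, best_diff = None, None
    for port, (p_in, p_out) in rates.items():
        if port == uplink:
            continue
        diff = abs(p_out - up_in) + abs(p_in - up_out)
        if best_diff is None or diff < best_diff:
            best, best_diff = port, diff
    return best

# Constructed polls 60 s apart; gi1/0/48 is the uplink to the ISP router.
POLL1 = {"gi1/0/48": (100_000, 500_000), "gi1/0/1": (2_000_000, 3_000_000),
         "gi1/0/2": (4_294_967_000, 10_000),  # about to wrap
         "gi1/0/3": (700_000, 900_000), "gi1/0/5": (4_000_000, 5_000_000)}
POLL2 = {"gi1/0/48": (30_100_000, 2_500_000), "gi1/0/1": (2_300_000, 3_700_000),
         "gi1/0/2": (500, 11_000),
         "gi1/0/3": (750_000, 1_050_000), "gi1/0/5": (6_100_000, 34_000_000)}
INTERVAL_S = 60

if __name__ == "__main__":
    rates = port_rates_mbps(POLL1, POLL2, INTERVAL_S)
    for port, (i, o) in rates.items():
        print(f"{port:10} in {i:6.2f} Mbps  out {o:6.2f} Mbps")
    print("target port:", find_target_port(rates, "gi1/0/48"))
```

With these sample polls the uplink shows 4 Mbit/s inbound and port gi1/0/5 shows the matching 3.87 Mbit/s outbound, so that is the port to look at (or to drill into if it feeds another switch).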
If you do go the Wireshark route it's really simple to get the info you need. You don't need to understand the various protocols. Just collect a sample trace (200 MB is manageable), then go Statistics -> Conversations. The IP conversation stats will show you which hosts are chatting. You can order by Total Bytes. The TCP conversations will drill down further into process-to-process comms.
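The Statistics -> Conversations roll-up just described, reproduced by hand as an added example that is not part of the thread: packets are grouped into bidirectional IP conversations (and, at the TCP level, into per-port flows) and ordered by total bytes, so the top row is the pair of hosts moving the most data. The packet list is a constructed capture summary; a real one would be read from a pcap taken on the mirror port.

```python
# Added example, not from the thread: the "Statistics -> Conversations"
# roll-up done by hand, so the view Paul describes is not a black box.
# PACKETS is a constructed capture summary (src, sport, dst, dport, frame bytes);
# a real one would come from a pcap taken on the mirror port.
from collections import defaultdict

PACKETS = [
    ("10.0.0.5", 51234, "203.0.113.10", 443, 66),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 1514),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 1514),
    ("10.0.0.5", 51234, "203.0.113.10", 443, 66),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 1514),
    ("10.0.0.5", 51300, "203.0.113.10", 443, 66),   # second flow, same hosts
    ("203.0.113.10", 443, "10.0.0.5", 51300, 1514),
    ("10.0.0.7", 50000, "198.51.100.20", 80, 400),
    ("198.51.100.20", 80, "10.0.0.7", 50000, 900),
    ("10.0.0.9", 53001, "10.0.0.1", 53, 70),
    ("10.0.0.1", 53, "10.0.0.9", 53001, 120),
]

def conversations(packets, level="ip"):
    """Bidirectional conversations ordered by total bytes, descending.
    level="ip" keys on the address pair (Wireshark's IPv4 tab);
    level="tcp" keys on address:port pairs (the TCP tab)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for src, sport, dst, dport, size in packets:
        a = (src, sport) if level == "tcp" else (src,)
        b = (dst, dport) if level == "tcp" else (dst,)
        key = (a, b) if a <= b else (b, a)      # same key for either direction
        s = stats[key]
        s["packets"] += 1
        s["bytes"] += size
        s["a_to_b" if key == (a, b) else "b_to_a"] += size
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

def endpoints(packets):
    """Total bytes per host, sent or received (Wireshark's Endpoints view)."""
    totals = defaultdict(int)
    for src, _, dst, _, size in packets:
        totals[src] += size
        totals[dst] += size
    return dict(totals)

if __name__ == "__main__":
    for (a, b), s in conversations(PACKETS):
        print(a[0], "<->", b[0], s)
    for (a, b), s in conversations(PACKETS, "tcp"):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}", s["bytes"], "bytes")
```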
OK, Wireshark was a little easier to run and understand (keeping PRTG).

1. closed everything
2. Opened 1 browser
3. Went to msn.com
5. Got back 679 lines of data in 5 minutes (WTF?)
Ok we need to rewind a bit.  You say that you need to know what is hogging the bandwidth.  What bandwidth do you think is being hogged?  Do you mean overload on an inter-switch link, your Internet access link, a server port or something else?
Well, I was a bit afraid that Wireshark would be a bit much but some of the guidance you received was pretty good to keep it simple.

679 lines in 5 minutes isn't very much.  Is that what you thought?  I can't tell.
A web page access isn't going to yield very many packets.  So that seems like an OK number.

More on the use of Wireshark.
You need to be monitoring a point in the network's backbone to do what's suggested.
One simple way is to insert a hub (NOT a switch) into the main line.
Then, connect your workstation to the hub to see all the traffic.
Then use Wireshark and the technique given to see end points.
Just looking at your own workstation won't do it.
So, you need to add a NIC to the workstation or dedicate a laptop for this purpose while you're monitoring. The NIC on your workstation can have NO TCP/IP, etc. All it needs to do is see the packets going by and record them. So, no protocols needed.
Fred's right; I was probably being a bit naïve, particularly describing the process as "simple". I should have said straightforward. And Fred's description of the need to capture all the packets on the link being studied is spot on. I also agree, 679 packets in 5 minutes isn't much.

I would advise against inserting a hub. The links in your network will be full duplex, so a 1 Gbps Ethernet link actually shifts up to 1 Gbps in both directions simultaneously, i.e. 2 Gbps. A hub is a half duplex device and so the total bandwidth through that link is halved. To make matters worse, a hub is a shared media device and there's an effect called collisions. At 30% utilisation, collisions will start to impact performance; at 60% utilisation the rate of collisions will cause session failures.

None of us here can really give you the best advice until we understand better what you are trying to achieve, hence my previous post.

To get the background on how to capture the packets you need you might want to take a look at https://youtu.be/pb1yb1eUlgY where a variety of techniques are explained.

Best regards...Paul
Apologies: I was trying to get a sample of the data from Wireshark so I can then teach myself how to read it, which is the reason for me testing from my laptop. And yes, I thought 679 lines of data was a lot; now I know better. It would be useless for me to attempt to utilize a tool that I have no familiarity with. Already installed onto a different laptop that's connected directly to the switch, but practicing on mine is all.

@PaulOfford: in between 3:30 & 4:30 (not every day) we see a serious spike (4MB) in bandwidth. Only issue is that the bulk of users are leaving around this time. So my focus was to identify the machine from the switch (then reality hit), but I was unable to accomplish this due to a lack of experience. Watching video right now...

@Fred Marshall: Exactly what I'm doing. Glad you guys are available.
Already installed onto a diff laptop that's connected directly to the switch
This is likely not going to do what you want unless you use a hub as I described. The other approach, which does the same thing, is to set up, on a central switch, an unused port as a mirror port (which takes that port off the LAN) and mirror the backbone cable port. Then connect a laptop or other workstation that has Wireshark to the mirror port.

The reason for this is that switches don't act like hubs. So, you will only get traffic on a LAN port that's destined for the laptop or is coming from the laptop, just like your own workstation. That's a limitation that you can't stand to have. So, you have to see ALL the traffic on the backbone. Then Wireshark will separate things out for you without much effort in learning about it at all.
From switch 1 I have mirrored port 2 as the destination port. Plugged the laptop into port 2. Since I am just capturing data I don't need to set a source port unless I want to monitor the data usage for that specific port, right? If I have to monitor every port manually.... Gonna be PO'd
(attachment: mirror-2.png)
So when you say you see a 4Mbps spike, I'm guessing you see this on a particular port. That's the port you want as your mirror source. That way all the traffic passing through that port will be sent to your PC running Wireshark. That's the only port you will need to mirror.

Spikes don't necessarily mean a problem. PCs and servers can shift data very quickly and so you will see short periods of high utilisation.
@PaulOfford: I don't know which port it is as of yet. That's what I'm trying to figure out. These spikes happen at least 3-4 times a week.
OK, but how do you know you get the 4 Mbps spikes? What is reporting them? What resource is spiking at 4 Mbps?
All the switches that I've set mirror ports on DO require a source port to be specified.
You only need the one backbone port and not all the others, in view of the way you'd be using Wireshark.
But, if you insist, then the ones I've seen allow you to specify as many sources as you like.
@paul: when it's noticeable we run a speed test
@fred: backbone port meaning the port I want to monitor?

And so that I'm understanding: if monitoring 1 specific device then specify that device's port as the source port.

If monitoring all data then the port the ISP is on should be the source port.

If this is correct then I have to check every port 1 by 1, right?
@ID10Tz I read back through your posts and, reading between the lines, I guess your concern is that you are seeing 4 Mbps spikes on your ISP circuit. Assuming this is the case, this is what you need to do:

1. Identify the switch and port that your ISP router connects to. I'll call these SwitchR and PortR from here on.
2. Find a spare port on SwitchR.
3. Use the management interface for SwitchR to set up a mirror with PortR as the source and the spare port as the mirror destination.
4. Connect your laptop with Wireshark to the mirror destination port you have just configured.
5. Run a short capture and check that you see two-way traffic to web sites.

Be careful when you configure the mirror session. If you get the source and destination the wrong way around you may cut off your users from the Internet. For this reason you may want to do this during a scheduled change period.
Comments passed each other in the ether. Yes, the switch port that the ISP router is connected to should be the source. No, you don't need to check every port. Just capture on the ISP router port while the problem is occurring and then look at IP conversations as I stated way back up the thread.
When I refer to the "backbone" port, I mean the port with most of the traffic on it: the port to the ISP connection. That one should be enough UNLESS the traffic problem is within the LAN. You'll find out soon enough.
When on the backbone port, or doing a speed test (speedtest.net) or data capture, no problem. That's where I believe the issue is: somewhere on the LAN.
So where did the 4 Mbps figure come from?
We noticed the latency and completed a speedtest from the router. Then we completed the same test from a PC and it was a 4MB diff.
ASKER CERTIFIED SOLUTION by PaulOfford
@PaulOfford: couldn't sleep. Was worried someone was stealing data and running, BUT AHA!

Disconnected all the switches from SwitchR in IDF1 (rest of the switches I'll #): speed test = 10MB
Reconnected and tested switch2 in IDF1 to SwitchR: test = 10MB
In IDF2 reconnected switch3, tested = 6MB. Changed interlink cable, now testing @ 10MB =)
In IDF2 reconnected switch4, tested = 10MB =) happy dance

Now going to sleep and will fix speed and duplex on Monday. I now have 2 great tools and a better understanding. Now it's time to RTFM. Thank you guys.......