Despite ample bandwidth something is causing bottleneck in LAN and affecting VOIP

Over the past 2/3 months something in our network is generating a lot of traffic and it is causing VOIP calls to sound garbly and occasional web browsing hiccups. Both the VOIP and the ISP have tested their networks and said all seems well.

Question: is there a software or service that allows me to visually understand if the issue is due to a specific computer running some sort of bandwidth-sucking software or perhaps some malware generating insane outbound traffic?

We have even received a warning page when accessing Google telling us that there is too much traffic coming from our network and asking us to prove that we are humans by filling a Capcha screen.

Our basic configuration:
100mbps / 20mbps Cable Internet, consistently testing at the advertised speed
Gateway is a CheckPoint 600 appliance, doubles as UTM and firewall, QoS function enabled
3 unmanaged switches at key points in the network (including 2 Ciscos)
About 20 users on the LAN plus some stuff on wi-fi
16 VOIP phones, not very actively used
Do not believe there are any p2p/torrent users or something like that going on
Degradation in VOIP quality happened recently and NOT as a result of any significant changes in the network

I am puzzled by this, first time in 20 years that I have encountered a network issue that stumped me.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Fred MarshallPrincipalCommented:
Since the switches are unmanaged then something like SNMP wouldn't be the most direct approach.
But the CheckPoint should support setting up a mirror port that mirrors the main LAN port.
Do that.
Then set up a laptop with no particularly related IP address on its NIC or with no TCP/IP at all and plug it into the mirror port.
Install Wireshark on the laptop and monitor the NIC traffic.
Then look at statistics to see which LAN IP address has the high traffic.  No particular Wireshark experience needed for this.
Bryant SchaperCommented:
You will need to wireshark/netflow your router to get insight, you will have to setup a mirror port to capture all the data.

Now remember, by the sounds of it you are running voip over the internet, QoS makes no difference once the packet leaves your network.  The internet does not honor VPN tags.  You should also be able to see the utilization of the wan interface on your router as well.  Does it provide any user activity reporting?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Analysis

From novice to tech pro — start learning today.