HELP - bandwidth hog...

[dayg]

Hi All,

Can someone tell me which network monitoring software is the most easiest to use and to see which PC/IP address is utilizing the most bandwidth on our T1 line to Internet. We recently have a problem at work, someone in our LAN is hogging up the Internet bandwidth. We have a full T1 line to Internet and at times its at 100% utilization and it stays up close to peak for a long while. I need to find out who that person is and what machine he's using it. Any idea what kind of network monitoring softwares out there that will tell me what I'm looking for? Any help would be appreciated.

BTW, I have tried to use Sniffer Pro V4.7 on our network, but the darn thing is not that user friendly. Can't figured out how to use it.

 

[kehi]

I want to know the answer too

 

[neopipil]

dayg,

In the past I have used Anasil for network monitoring. It's not free but you can use the demo version to monitor your network. It's a very complete network monitoring tool, but it's fairly easy to use.

http://www.sniff-tech.com/english/snifftech.php

Let me know if you are able to track down the offending user.

neopipil

______________________________

My Job

 

[spidey07]

if this is a cisco router you can use IP accounting on the serial interface to see which IPs are sending/receiving the most

on the interface do "ip accounting"
then at prompt type "show ip accounting"

otherwise on sniffer start a capture and click on the objects portion of "stations" then you can sort based on tx/rx packets or bytes.

also packeteer makes some very good bandwidth shapers. I use them religously. You can also use the cisco router to limit bandwidth per application.

hope all this helps. probably newsgroups or kazaa, make sure you can enforce any action you may take.

 

[dayg]

neopipil, Thanks. I downloaded just now...I'll look into it in a bit and will post the results.


spidey07, I'm actually in the Cisco router at the prompt: cisco-gw# but gets invalid input when typing "ip accounting". Could you give me a more detailed instruction. I'm not much of a router guy. Thanks.

 

[spidey07]

What kind of router is it?

router#enable
<enter password>
router#show run ------here look for something like interface serail0/0
router#config t
router#(config) interface serial 0/0 ----------this should be your serail interface to da net.
router#(config-if) ip accounting
router#(config-if) end
router#show ip accounting

that'll get you started. to clear counters enter command "clear ip accounting"

 

[dayg]

spidey07,

Thanks for taking your time explaining this. once I typed the command 'ip accounting', how long do I wait till 'end' the command? And during ip accounting, will this slow down Internet traffic? Also what happens if I forget to clear IP accounting? I'm just a bit worry if I f##k up the Router.
Thanks again. I won't be able to test this untill Monday morning.

 

[slackware1995]

<< Hi All,

Can someone tell me which network monitoring software is the most easiest to use and to see which PC/IP address is utilizing the most bandwidth on our T1 line to Internet. We recently have a problem at work, someone in our LAN is hogging up the Internet bandwidth. We have a full T1 line to Internet and at times its at 100% utilization and it stays up close to peak for a long while. I need to find out who that person is and what machine he's using it. Any idea what kind of network monitoring softwares out there that will tell me what I'm looking for? Any help would be appreciated.

BTW, I have tried to use Sniffer Pro V4.7 on our network, but the darn thing is not that user friendly. Can't figured out how to use it. >>



Later on, you mention that you have a Cisco Router. All you have to do is enable SNMP on the Cisco, and get a SNMP monitoring agent. Do a search on Google, there are a few that you may find that have trials that may be all that you need. The other plus to SNMP monitoring is that you'll be able to be notified if any parametor is above a user defined threshold.

Hope this helps...

 

[slackware1995]

Also, you can install SNMP on any NT or better OS, Unix, Netware, high end switches/hubs.

This will allow you to track what everyone in the company is doing, where other bottlenecks are, etc.

 

[dayg]

slackware1995,

Could you tell me in detailed instructions on how to find out if our Cisco Router is already SNMP enabled? If not enabled, what's the command to enable it and at which prompt do I do it at? If you know of any links on simple router commands, that would be helpful for me and anyone here at Anandtech! Thanks.

BTW, what are some of software names I could use to monitor our Routers using SNMP?

 

[slackware1995]

<< slackware1995,

Could you tell me in detailed instructions on how to find out if our Cisco Router is already SNMP enabled? If not enabled, what's the command to enable it and at which prompt do I do it at? If you know of any links on simple router commands, that would be helpful for me and anyone here at Anandtech! Thanks.

BTW, what are some of software names I could use to monitor our Routers using SNMP? >>



First the good news:
Almost every Cisco Router does SNMP.

Now the bad news:
It's been years since I had my own ISP and used SNMP in this way. Also, I don't have any experience with Cisco Routers.

The so-so news:
Your Cisco Manual will let you know if you have it, or you can check cisco's website.
There are several programs out there like you want. You aren't the first person to want to monitor with a low budget
Lastly, I am sure that Spidey07 can give you pointers on Cisco Router commands

 

[spidey07]

unfortunately SNMP will not tell you what IP address is doing what. IP accounting is a very quick way to see what's up.

Sniffer is another method

 

[dayg]

spidey07,

I got the Router to show IP accounting. Bad news is, we have a firewall (Watchguard firebox II) so it didn't work as it suppose to. Here is a sample of what IP accounting looks like, if anyone wonders...
Source Destination Packets Bytes
64.78.234.34 65.217.216.130 45 4010
207.251.113.131 65.217.216.130 80 5904
207.251.113.130 65.217.216.130 106 62716
207.68.178.253 65.217.216.130 4 561


hmmm.....Our firewall does NATing, is there a way to get around this?

 

[N11]

Dayg, do you have a spare computer and some linux experience?

I'd recommend you be sniffing right now. There are several programs that will get you the results you need. My personal preference is NTOP

 

[dayg]

N11,

hmm..., I do have spare PC running Windows NT 4.0. But no experience in Linux, I do know a few simple commands that's about it. Just looked at your link. Where do I download NTOP?

 

[N11]

You can download it here: http://snapshot.ntop.org/

The reason I prefer NTOP is because it is an easy install, and it spits out and interprets data into some really nice web based charts/graphs. You can get a really good idea as to what is going on broken down by host, packets, time, etc. It has its own built in webserver so you don't need to worry about installing one.

It's also free.

 

[neopipil]

dayg,

No luck with Anasil?

neopipil

 

[dayg]

neopipil,

I donwloaded and installed the software. I couldn't get it to do what I needed. Some-what similar to what Sniffer Pro does. I wonder if these programs work in a Switched (rather than Hub) environment. We have DELL Powerconnect managed Switch.

 

[spidey07]

dayg,

In a switched network a sniffer plugged into port one of a 24 port switch will only see broadcasts and multicasts. not much use for your scenario. You'll need to plug the sniffer into the switch that supports the router and or firewall interior interface. then you will tell the switch to "mirror" all traffic on the switch to port one (sniffer port) or what ever port the sniffer is plugged into.

don't know how to mirror on a dell switch, aren't those rebadged Intel switches?

 

[spyordie007]

how about something simpler.

how many machines do you have connected via that T1 line and how are they connected (single 24 port switch, cascaded switches, etc)
unplug them one at a time and when you see the bandwidth get reduced you know where the problem is.

-Spy

 

[quxio]

Are you sure its managed? I thought Dell switches were unmanaged. Anyway, if it is managed, you should be able to log into the switch and look at utilization statistics for each port. If you really wanted to use a sniffer, you would have to mirror the outbound port to the port the sniffer is plugged into in order to see all packets.

 

[dayg]

spidey07 - U ta man! I got it to work now, did the port mirroring on DELL switch. Sniffer Pro sees ALL the freaking traffics!!! Talk about slowing down your system.... Sniffer is awsome! Under the host table, It sees anything that is connected LAN, it sees VPN networks and whole bunch that I had no idea what they are....LOL


Quxio, The switch we have is Dell Powerconnect 3024 Managed! They're nice and has ALL the capabilities that Cisco Switch has and at great prices. Only thing I thought it was weird was that, after a while, I can't connect to the switch via IE interface. Can't ping the switch either, only way to get in is serial connect.

I want to thank ALL that responded to my help! "Thanks"
Now I gotta do some investigation!

 

[spidey07]

you might want to be carefull if you can no longer ping switch or connect with IE.

mirroring a port is very processor intensive on lower end switch (depending on traffic it can rollover four paws), in higher end models it all occurs in the line modules themselves.

Also when you mirror a port a lot of switches disable inbound packets on the port, so pinging from the sniffer might not work. I would be sure and check proc utilization on the switch to make sure you're not really slowing down.

now nail down that sucker sucking illegal software and mp3s through your business internet connection and have him fired, or at least a written warning with a complete months worth of bandwidth charged to his boss.

 

[Tanner]

BUT, did you FIND him/her???

 

[dayg]

spidey07, point taken. Thanks. These Dell switches are pretty good besides the issue I'm having. I scheduled a call with DELL support this afternoon at 4:30pm to troubleshoot this issue.


Tanner, nope, not yet since he/she has not been hogging up the bandwidth these couple days. But I got my eyes on it now!