On Mon, 8 Nov 1999, Eric J Merkel wrote:
>
> Looking at my mrtg stats today I noticed that one of our T1's outgoing
> traffic is just about maxed out which is abnormal. Unfortunately I am having
> a hard time tracking down what the source of the outgoing traffic is on our
> network. I do not have a sniffer to log the packets.
>
> How can I figure out the source IP address of machine(s) loading down this
> link? I am running 11.3(9)T on a 3640.
Do you have NetFlow on this router?
If yes, these little one-line scripts should help you if you use them on the
problem interface
(a 1-minute hack, but a rather useful one)
--
==> sum by destination <==
#!/bin/bash
# <XXX> is the router's hostname; $4 is the destination address column
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {print $4}' | sort | uniq -c | sort -rn | head -20
==> sum by source <==
#!/bin/bash
# $2 is the source address column
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {print $2}' | sort | uniq -c | sort -rn | head -20
==> sum by source ignoring the last octet (to catch "smurf" amplifier networks) <==
#!/bin/bash
# strip the last octet so that sources in the same network are counted together
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {sub(/\.[0-9]+$/, "", $2); print $2}' | sort | uniq -c | sort -rn | less
>
> Any help would be much appreciated!
>
> Eric
>
> Eric Merkel / MetaLink Technologies, Inc
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
> Email: merkel@metalink.net
> Phone: 419-782-3472 X304
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
>
>
--
Rafi Sadowsky rafi@noc.ilan.net.il
Network Operations Center |VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
ILAN - IUCC -I2(Israel) | member ILAN-CERT(CERT@CERT.AC.IL)
(Israeli Academic Network) | (PGP key -> ) http://telem.openu.ac.il/~rafi
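
The flow-counting one-liners above, extended in an added example that is not part of the original post: it sums the Pkts column per source, destination or source /24 instead of counting flows, and keeps only lines whose two address columns are dotted quads. The column layout, the K/M suffix handling and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed flow-record columns in "show ip cache flow":
#   SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

# Constructed sample listing (documentation addresses, not a real capture).
sample_flows() {
cat <<'EOF'
IP Flow Switching Cache, 278544 bytes
  5 active, 4091 inactive, 12 added
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.0.2.10      Se0/0         198.51.100.7    06 0401 0050   120
Et0/0         192.0.2.10      Se0/0         198.51.100.9    06 0402 0050    30
Et0/0         192.0.2.77      Se0/0         203.0.113.5     11 0403 0035     5
Se0/0         203.0.113.200   Et0/0         192.0.2.10      01 0000 0000  9000
Se0/0         203.0.113.201   Et0/0         192.0.2.10      01 0000 0000  8500
EOF
}

# top_talkers MODE [N]: read a listing on stdin, print "packets flows key".
# MODE is src, dst or src24 (source address with the last octet dropped).
# Live use would be: rsh <router> sh ip cache flow | top_talkers src24
top_talkers() {
    awk -v mode="$1" '
        BEGIN { ip = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" }
        # Keep only flow records: both address columns must be dotted quads,
        # which drops the column header and the cache summary lines.
        $2 ~ ip && $4 ~ ip && $8 ~ /^[0-9]+[KM]?$/ {
            key = (mode == "dst") ? $4 : $2
            if (mode == "src24") sub(/\.[0-9]+$/, "", key)
            # Assumption: large counters may be abbreviated as 12K or 3M.
            n = $8
            if (n ~ /K$/) n *= 1000; else if (n ~ /M$/) n *= 1000000
            pkts[key] += n
            flows[key]++
        }
        END { for (k in pkts) print pkts[k], flows[k], k }
    ' | sort -k1,1nr -k3,3 | head -n "${2:-20}"
}
```

In the sample, the per-host source view splits the ICMP traffic across two hosts, while src24 shows the 203.0.113 network as one sender of 17500 packets.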
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:07 EDT