On Mon, 8 Nov 1999, Eric J Merkel wrote:
>
> Looking at my mrtg stats today I noticed that one of our T1's outgoing
> traffic is just about maxed out which is abnormal. Unfortunately I am having
> a hard time tracking down what the source of the outgoing traffic is on our
> network. I do not have a sniffer to log the packets.
>
> How can I figure out the source IP address of machine(s) loading down this
> link? I am running 11.3(9)T on a 3640.

Do you have NetFlow on this router?
If yes, these little one-line scripts should help you if you use them on the
problem interface
(a 1-minute hack, but a rather useful one)

==> sum by destination <==
#!/bin/bash
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {print $4}' | sort | uniq -c | sort -rn | head -20

==> sum by source <==
#!/bin/bash
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {print $2}' | sort | uniq -c | sort -rn | head -20

==> sum by source ignoring the last octet (to catch "smurf" amplifier networks) <==
#!/bin/bash
# drop the last octet of the source address so uniq -c counts per network, not per host
rsh <XXX> sh ip cache flow | nawk '$1 ~ "^[AFNEST]" {sub(/\.[0-9]+$/, "", $2); print $2}' | sort | uniq -c | sort -rn | less

>
> Any help would be much appreciated!
>
> Eric
>
> Eric Merkel / MetaLink Technologies, Inc
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
> Email: merkel@metalink.net
> Phone: 419-782-3472 X304
> ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
>
>

--
Rafi Sadowsky rafi@noc.ilan.net.il
Network Operations Center  | VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
ILAN - IUCC -I2(Israel)    | member ILAN-CERT(CERT@CERT.AC.IL)
(Israeli Academic Network) | (PGP key -> ) http://telem.openu.ac.il/~rafi
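
Added example, not part of the original post: the one-liners above count flows, so a few heavy flows can rank below many small ones. This sketch weights each source /24 by the Pkts column and restricts the count to flows leaving the saturated interface. The column layout (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts), the interface name Se0/0 and all addresses are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in the assumed "show ip cache flow" column layout;
# documentation-range addresses, not real traffic.
sample_flow_cache() {
cat <<'EOF'
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.0.2.17      Se0/0         198.51.100.9    01 0000 0000  4200
Et0/0         192.0.2.44      Se0/0         198.51.100.9    01 0000 0000  3900
Et0/0         192.0.2.201     Se0/0         198.51.100.9    01 0000 0000  4100
Et0/0         203.0.113.5     Se0/0         198.51.100.77   06 0050 0C1A    35
Et0/0         203.0.113.5     Se0/0         198.51.100.80   06 0050 0C1B    12
Se0/0         198.51.100.9    Et0/0         192.0.2.255     01 0000 0800    90
EOF
}

# Read flow-cache text on stdin and print, busiest first:
#   packets  flows  distinct-hosts  source-network
# $1 = outgoing interface to keep (the saturated link; hypothetical name).
sum_by_src_net() {
  awk -v out="$1" '
    # Keep only flow rows: field 2 is a dotted quad and DstIf matches.
    # This also skips the header line, which the ^[AFNEST] test would match.
    $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 == out {
      net = $2
      sub(/\.[0-9]+$/, ".0/24", net)      # ignore the last octet
      pkts[net] += $NF                    # Pkts is the last column
      flows[net]++
      if (!((net, $2) in seen)) { seen[net, $2] = 1; hosts[net]++ }
    }
    END { for (n in pkts) print pkts[n], flows[n], hosts[n], n }
  ' | sort -rn
}

sample_flow_cache | sum_by_src_net Se0/0
```

Against a live router the input would come from the same `rsh <XXX> sh ip cache flow` used in the post. Many distinct hosts in one /24 with high packet counts toward a single destination is the pattern the "ignoring the last octet" script is meant to surface.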
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:07 EDT