[nsp] Suggestions on tracking down bandwidth offenders
Mike Lewinski
mike at rockynet.com
Wed Jul 14 13:32:32 EDT 2004
Tony Mucker wrote:
> I've got a bandwidth problem (who doesn't). Something has been
> saturating my poor little T1 for 24 hours straight now. For those of
> you curious, here's what it looks like:
>
> http://www .ghideon.com/router-day.png
>
> Remove the white space and enjoy. In the past I've used ethereal dumps
> to figure out who the big talkers were, but frankly it takes too long to
> crunch all the packets. I've also tried etherApe, but the analysis
> makes my poor little laptop crawl. Are there any tools out there that
> will speed this up? Possibly by looking at the firewall logs?
For long-term monitoring I like setting up a dedicated IDS box with ipfm
and snort. Tuning the latter will take a bit of work but you can get
down the number of false alerts. I wrote a stupid Perl script to extract
the ipfm data and create MRTG graphs by IP. This assumes you can do port
monitoring on a switch. Actually, assuming that you have a managed
switch, running some kind of monitoring tool on it is probably going to
be your simplest option. I had to resort to ipfm mainly because it was a
WLAN with no ports to monitor.
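
An added example, not part of the original post and not the author's Perl script: one way to rank hosts from an ipfm dump and produce the four lines MRTG reads from an external target script. The dump layout (`#` comment lines, then whitespace-separated host, bytes in, bytes out, total) is an assumption, the sample data is constructed, and the function names are hypothetical.

```python
# Added example: top talkers from an ipfm dump, plus MRTG external-script output.
# Assumed dump layout: '#' comment lines, then "host in_bytes out_bytes total_bytes".

# Constructed sample data (documentation addresses), not real traffic.
SAMPLE_DUMP = """\
# constructed sample dump
# Host            In (bytes)   Out (bytes)  Total (bytes)
192.0.2.10           1200000      98000000       99200000
192.0.2.23         450000000       3000000      453000000
192.0.2.77             52000         41000          93000
garbled line
"""

def parse_ipfm(text):
    """Return {host: (in_bytes, out_bytes)}, skipping comments and malformed rows."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        try:
            rx, tx = int(fields[1]), int(fields[2])
        except ValueError:
            continue  # non-numeric counters: ignore the row
        # Sum repeated hosts so several dump files can be concatenated.
        prev = hosts.get(fields[0], (0, 0))
        hosts[fields[0]] = (prev[0] + rx, prev[1] + tx)
    return hosts

def top_talkers(hosts, n=10):
    """Hosts sorted by combined in+out bytes, largest first."""
    return sorted(hosts.items(), key=lambda kv: sum(kv[1]), reverse=True)[:n]

def mrtg_lines(hosts, host):
    """Lines an MRTG external target script prints: in, out, uptime, name."""
    rx, tx = hosts.get(host, (0, 0))
    return [str(rx), str(tx), "unknown", host]

if __name__ == "__main__":
    hosts = parse_ipfm(SAMPLE_DUMP)
    for host, (rx, tx) in top_talkers(hosts, 3):
        print(f"{host:15s} in={rx:>12d} out={tx:>12d} total={rx + tx:>12d}")
    print("\n".join(mrtg_lines(hosts, "192.0.2.23")))
```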