[nsp] Suggestions on tracking down bandwidth offenders

David J. Hughes bambi at Hughes.com.au
Wed Jul 14 19:11:44 EDT 2004 

The implementation of NBAR in 12.2s is badly broken with respect
to fragmented packets.  Its easy to bring an NPE-G1 to it's knees
without really trying very hard.  NBAR was reimplemented for
12.3T and our tests show that it doesn't have the same problems.



Bambi
...

 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
> Sent: Thursday, 15 July 2004 8:17 AM
> To: 'Earls, Michael'; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Suggestions on tracking down bandwidth offenders
> 
> 
> We've had a lot of trouble with NBAR in that it cannot deal 
> with fragmented
> packets.
> 
> On a link we are testing it on users are still able to use 
> peer-to-peer even
> though we have the drop QoS statements in there.
> 
> ...Skeeve
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Earls, Michael
> Sent: Thursday, 15 July 2004 6:01 AM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Suggestions on tracking down bandwidth offenders
> 
> You can also run MRTG with NBAR to figure out the protocol 
> that is eating up
> your bandwidth. Then you should be able to look at the 
> firewall logs based
> on the protocol and time frame.
> 
> http://www.vermeer.org/display_doc.php?doc_id=6
> 
> -----Original Message-----
> From: Noriega, Alejandro [mailto:ANoriega at prima.com.ar]
> Sent: Wednesday, July 14, 2004 3:19 PM
> To: Tony Mucker; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Suggestions on tracking down bandwidth offenders
> 
> 
> You can start to know what kind of traffic is saturating your link.
> 
> Interface X
>  ip nbar protocol-discovery
>  load-interval 60
> !
> show ip nbar protocol-discovery Stats Byte-R | e 00
> 
> Be careful about cpu usage.
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Mucker
> Sent: Wednesday, July 14, 2004 2:24 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Suggestions on tracking down bandwidth offenders
> 
> 
> I've got a bandwidth problem (who doesn't).  Something has 
> been saturating
> my poor little T1 for 24 hours straight now.  For those of 
> you curious,
> here's what it looks like:
> 
> http://www .ghideon.com/router-day.png
> 
> Remove the white space and enjoy.  In the past I've used 
> ethereal dumps to
> figure out who the big talkers were, but frankly it takes too long to
> 
> crunch all the packets.  I've also tried etherApe, but the 
> analysis makes my
> poor little laptop crawl.  Are there any tools out there that 
> will speed
> this up?  Possibly by looking at the firewall logs?
> 
> Thanks
> Tony
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> This e-mail transmission contains information that is 
> confidential and may
> be privileged.   It is intended only for the addressee(s) 
> named above. If
> you receive this e-mail in error, please do not read, copy or 
> disseminate it
> in any manner. If you are not the intended recipient, any disclosure,
> copying, distribution or use of the contents of this information is
> prohibited. Please reply to the message immediately by 
> informing the sender
> that the message was misdirected. After replying, please 
> erase it from your
> computer system. Your assistance in correcting this error is 
> appreciated.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> ==============================================================
> ==========
>  Pain free spam & virus protection by:          
> www.mailsecurity.net.au
>  Forward undetected SPAM to:                   
> spam at mailsecurity.net.au
> ==============================================================
> ==========
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
>

More information about the cisco-nsp mailing list