[c-nsp] OT: Following Up on Netflow Information

Jeff Cartier Jeff.Cartier at pernod-ricard.com
Fri Jul 8 11:58:54 EDT 2011


Hi All,

This might be a little off-topic to Cisco, but what the heck.

I'm just curious as to how 'you' would go about tracking down a user that *may* possibly be downloading large amounts of data, causing congestion on a link.  For instance, I had a case this morning with an internal IP address of 10.x.x.x that showed a 900MB conversation over TCP 80 (HTTP) to an IP address of 174.120.5.220.

Great - so it's not that hard to track down the internal user.  Yell at him to stop, talk to him about what he's doing to the network.  No biggie.

I'm more curious about options/tools available to find out what he was doing.  I know that he was downloading something, I know that it was over HTTP and I know the outside IP address he was accessing.  So I start off by looking at 174.120.5.220.  I can check the A record which tells me nothing....
Name:    dc.5.78ae.static.theplanet.com....

I can't browse to that IP address.  I can see who owns that IP address (XO Communications), though, but in this case it's all useless.

The question, more or less, is do I have any options to keep moving forward in finding out what this user was actually doing?

Thanks in advance!
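The first step in a case like the one above is pulling the big conversation out of the flow data before chasing the remote address. The following is an added example, not code from the original post: it aggregates constructed NetFlow-style records (a simplified CSV layout, made-up addresses apart from 174.120.5.220 from the post) into per-conversation byte totals and flags internal-to-external conversations over a threshold.

```python
# Added example (not from the original post): aggregate NetFlow-style records
# into per-conversation byte totals and flag conversations over a threshold,
# the first step in tracking down a transfer like the 900MB HTTP one above.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records in a simplified nfdump-like CSV layout:
# src_ip,dst_ip,proto,src_port,dst_port,bytes  (values are made up for the example)
SAMPLE_FLOWS = """\
10.1.2.3,174.120.5.220,6,51234,80,450000000
10.1.2.3,174.120.5.220,6,51235,80,450000000
10.1.2.9,198.51.100.10,6,40001,443,1200000
10.1.2.3,10.1.2.1,17,5353,53,2000
"""

# RFC 1918 ranges are treated as "internal" for this example
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flows(text: str):
    """Yield (src, dst, proto, dport, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        src, dst, proto, _sport, dport, nbytes = parts
        try:
            yield src, dst, int(proto), int(dport), int(nbytes)
        except ValueError:
            continue

def top_conversations(text: str, threshold_bytes: int):
    """Sum bytes per (internal host, external host, proto, dport) and return the
    conversations at or above the threshold, largest first. Internal-to-internal
    flows are ignored, since they are not the link-congestion case being chased."""
    totals = defaultdict(int)
    for src, dst, proto, dport, nbytes in parse_flows(text):
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst, proto, dport)] += nbytes
    over = [(k, v) for k, v in totals.items() if v >= threshold_bytes]
    return sorted(over, key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, proto, dport), total in top_conversations(SAMPLE_FLOWS, 500_000_000):
        print(f"{src} -> {dst} proto={proto} dport={dport} {total / 1e6:.0f} MB")
```

Once the conversation is isolated, the same key (internal host, external host, port) is what you hand to whois, reverse DNS, or a proxy/firewall log search to find out what the transfer actually was.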



