Bandwidth monitoring by IP for whole network

Discussion in 'Networking & Security' started by Catiaudo, Jun 9, 2009.

  1. Catiaudo

    I was wondering if there is an appliance or something similar that will basically tell me real-time what IP address is using the most bandwidth.

    We have an office, with about 75 computers on this network. It's an SDI connection (basically chained T1s) that is very fast in general but one user or computer can basically bring everyone else to a crawl.

    We have a Cisco ASA5510 with Security Plus firewall.

    Off of the firewall we have a Barracuda WebFilter 310 and a Sonicwall VPN2000.

    The Barracuda is set up so users have to log in to access http and https. I can monitor bandwidth through this but it seems when something is bringing the network down it's not one of the users, it's a stray machine doing Windows updates or someone doing an FTP. This type of traffic is not included in Barracuda's reports.

    Today the internet slowed to a crawl and it took me 20 minutes to find the culprit, a computer in a conference room that was rarely used was left on and was downloading years of Windows updates.

    If I could have found the IP address I could have located the culprit immediately.

    Is there a box I can install between my firewall and main switch that will tell me bandwidth usage by IP? Or can I somehow get the ASA to export logs and use some program to see the current usage?

    I also have a Watchguard Firebox X550E that's not being used from our secondary network. It's fully loaded with all of the security features too. I haven't played with it much... it makes really pretty graphs of current usage by the whole network, but will not tell me specific IPs.

    Any ideas? I'd rather have something easy that costs money than something that takes forever to configure and is free. Money isn't a huge concern.

    Thanks :cool:
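
    Added example, not part of any post in this thread: one way to answer the "export logs and use some program" question is to sum the byte counts in the ASA's connection-teardown syslog messages (302014 for TCP, 302016 for UDP) per inside address. The log lines below are constructed samples using documentation address ranges, and the interface name `inside` is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the format of ASA syslog messages 302014 (TCP)
# and 302016 (UDP) connection teardown; not taken from a real device.
SAMPLE_LOG = """\
Jun 09 2009 10:01:12 asa : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.168.1.50/51234 duration 0:12:30 bytes 734003200 TCP FINs
Jun 09 2009 10:01:15 asa : %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/443 to inside:192.168.1.21/40022 duration 0:00:08 bytes 18231 TCP FINs
Jun 09 2009 10:01:20 asa : %ASA-6-302016: Teardown UDP connection 1003 for outside:198.51.100.53/53 to inside:192.168.1.21/5353 duration 0:02:01 bytes 212
Jun 09 2009 10:01:31 asa : %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.10/80 to inside:192.168.1.50/51240 duration 0:03:02 bytes 104857600 TCP FINs
Jun 09 2009 10:01:40 asa : %ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.99/21 (203.0.113.99/21) to inside:192.168.1.77/50000 (192.0.2.1/50000)
Jun 09 2009 10:01:55 asa : %ASA-6-302014: Teardown TCP connection 1006 for dmz:10.0.0.5/25 to inside:192.168.1.30/2525 duration 0:00:02 bytes 4096 TCP Reset-I
"""

# Matches only teardown records; "Built" records carry no byte count.
TEARDOWN = re.compile(
    r"%ASA-6-30201[46]: Teardown (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[^:\s]+):(?P<ip_a>[\d.]+)/\d+ "
    r"to (?P<if_b>[^:\s]+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)

def bytes_by_inside_ip(lines, inside_if="inside"):
    """Sum teardown byte counts per host on the given interface (assumed name)."""
    totals = Counter()
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            continue
        # Either end of the connection may be the inside host.
        for iface, ip in ((m["if_a"], m["ip_a"]), (m["if_b"], m["ip_b"])):
            if iface == inside_if:
                totals[ip] += int(m["bytes"])
    return totals

def top_talkers(lines, n=5, inside_if="inside"):
    """Return the n inside hosts with the most transferred bytes, largest first."""
    return bytes_by_inside_ip(lines, inside_if).most_common(n)

if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {total / 2**20:10.1f} MiB")
```

    A teardown record is written only when a connection closes, so a transfer still in progress is not counted until it ends; this gives a per-IP history rather than a live view.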
     
  2. scobar

    pfSense has an add-on called bandwidthd that works well to track usage based on IP.

    My question is this: don't you use a WSUS server and have a GPO configured to use the WSUS?

    How about QOS, don't you prioritize the traffic with that many users?
     
  3. CaseyBlackburn

    You could try NTOP on something in between your clients and your internet connection. Once configured you can go to the throughput section and see what client and IP is using the most bandwidth at the moment, etc. It's pretty powerful. It's built into Endian Firewall which is what I tend to use. Just turn it on under Traffic monitoring and you are good to go. I think you could easily set up Endian as a gateway and just have all your traffic run through there and you'd be set.

    I also suggest you get a WSUS server since you speak of so many Windows Updates issues. It allows you to store the updates you need on a local server so they only have to be downloaded once.
     
  4. Kaiga

    I thought SonicWall already had a built-in traffic monitoring module.
     
  5. CaseyBlackburn

    It looks like the Sonicwall VPN2000 is basically just a VPN server, not a firewall, so not all internet traffic would be going through it.
     
  6. Captain Colonoscopy

    What version of code are you running on that ASA5510? If you have anything after 8.0.x there are some handy monitoring functions built into the ASDM GUI. You can look at graphs of the top ten bandwidth hogs based on incoming and outgoing destinations. Also, you could hop on the CLI and do a `show xlate`; that would tell you who is using the most NAT translations, which could pinpoint the abusive user by IP.

    Also, seriously, why aren't you using WSUS? That would save a crap ton of Windows Update bandwidth right there. Not to mention you can control what updates are installed on your network....
     
  7. Catiaudo

    Yes, the Sonicwall is just for remote access and remote assistance. I like to mention everything just in case.

    Firewall version is 7.2(4) but we subscribe to all the update stuff, I'll get that upgraded and check out the stuff in the ASDM. I haven't really used the ASDM at all but it sounds like there's some stuff I can use in there.

    As far as a WSUS goes, there's only a handful of computers running from the server and AD so it wouldn't save that much. Windows updates just happened to be the problem the last few times.
     
  8. scobar

    Even if the computers are not AD, you should still be able to use WSUS for updates, fyi.
     
  9. SpaceHonkey

    You also don't have to put a device inline; you could just sniff on a port span/mirror of the firewall. That's what I do. I'll use ntop (over time), iftop (realtime), dsniff (urlsnarf will show you exact HTTP GETs), and you could even use webspy to follow along a user's browsing session if you like. I have all that on a VM and just bridge it to a second NIC in my PC that goes to the span port.
     
  10. k1pp3r

    Since you have an ASA, check out Fireplotter. It's pretty nice and can plot all IPs accessing the firewall.
     
  11. TechieSooner

    Yeah, but then you'd have to change the policy on each local computer to look at the WSUS server.

    I've got an Untangle server at my gateway... Any way to do this with something like that? It'd be nice sometimes, when the internet slows to a crawl, to be able to determine who is doing it.
     
  12. QHalo

    Yup Techie. He could batch file the registry entries to take care of WSUS. Should be pretty simple.
     
  13. Catiaudo

    Hmmm, if I have some spare time maybe I'll do something like this. I've done WSUS in other situations before but only when everyone was AD.

    I'm going to update the ASA to 8 21 this weekend and try getting one of the programs running here to monitor the bandwidth hogs.