Bandwidth monitoring by IP for whole network

Catiaudo

Limp Gawd
Joined
Oct 23, 2002
Messages
282
I was wondering if there is an appliance or something similar that will basically tell me real-time what IP address is using the most bandwidth.

We have an office, with about 75 computers on this network. It's an SDI connection (basically chained T1s) that is very fast in general but one user or computer can basically bring everyone else to a crawl.

We have a Cisco ASA5510 with Security Plus firewall.

Off of the firewall we have a Barracuda WebFilter 310 and a Sonicwall VPN2000.

The Barracuda is set up so users have to log in to access HTTP and HTTPS. I can monitor bandwidth through this, but it seems when something is bringing the network down it's not one of the users, it's a stray machine doing Windows updates or someone doing an FTP. This type of traffic is not included in Barracuda's reports.

Today the internet slowed to a crawl and it took me 20 minutes to find the culprit, a computer in a conference room that was rarely used was left on and was downloading years of Windows updates.

If I could have found the IP address I could have located the culprit immediately.

Is there a box I can install between my firewall and main switch that will tell me bandwidth usage by IP? Or can I somehow get the ASA to export logs and use some program to see the current usage?

I also have a Watchguard Firebox X550E that's not being used from our secondary network. It's fully loaded with all of the security features too. I haven't played with it much... it makes really pretty graphs of current usage by the whole network, but will not tell me specific IPs.

Any ideas? I'd rather have something easy that costs money than something that takes forever to configure and is free. Money isn't a huge concern.

Thanks :cool:
 
pfSense has an add-on called bandwidthd that works well to track usage based on IP.

My question is this, don't you use a WSUS server, and, have a GPO configured to use the WSUS?

How about QoS, don't you prioritize the traffic with that many users?
 
You could try NTOP on something in between your clients and your internet connection. Once configured you can go to the throughput section and see what client and IP is using the most bandwidth at the moment, etc. It's pretty powerful. It's built into Endian Firewall, which is what I tend to use. Just turn it on under Traffic monitoring and you are good to go. I think you could easily set up Endian as a gateway and just have all your traffic run through there and you'd be set.

I also suggest you get a WSUS server since you speak of so many Windows Updates issues. It allows you to store the updates you need on a local server so they only have to be downloaded once.
 
I thought Sonic Wall already had a built in Traffic monitoring module.
 
What version of code are you running on that ASA5510? If you have anything after 8.0.x there are some handy monitoring functions built-in to the ASDM GUI. You can look at graphs of the top ten bandwidth hogs based on incoming and outgoing destinations. Also, you could hop on the CLI and do a show xlate, that would tell you who is using the most NAT translations which could pinpoint the abusive user by IP.


Also, seriously, why aren't you using WSUS? That would save a crap ton of Windows Update bandwidth right there. Not to mention you can control what updates are installed on your network....
 
Yes, the Sonicwall is just for remote access and remote assistance. I like to mention everything just in case.

Firewall version is 7.2(4) but we subscribe to all the update stuff, I'll get that upgraded and check out the stuff in the ASDM. I haven't really used the ASDM at all but it sounds like there's some stuff I can use in there.

As far as a WSUS goes, there's only a handful of computers running from the server and AD so it wouldn't save that much. Windows updates just happened to be the problem the last few times.
 
> Yes, the Sonicwall is just for remote access and remote assistance. I like to mention everything just in case.
>
> Firewall version is 7.2(4) but we subscribe to all the update stuff, I'll get that upgraded and check out the stuff in the ASDM. I haven't really used the ASDM at all but it sounds like there's some stuff I can use in there.
>
> As far as a WSUS goes, there's only a handful of computers running from the server and AD so it wouldn't save that much. Windows updates just happened to be the problem the last few times.

Even if the computers are not AD, you should still be able to use WSUS for updates, fyi.
 
You also don't have to put a device inline, you could just sniff on a port span/mirror of the firewall. That's what I do. I'll use ntop (over time), iftop (realtime), dsniff (urlsnarf will show you exact HTTP GETs), and you could even use webspy to follow along a user's browsing session if you like. I have all that on a VM and just bridge it to a second NIC in my PC that goes to the span port.
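What iftop does on that SPAN port is, at its core, just summing bytes per address over a sliding window and sorting. The following added example (not code from the thread or from any of the tools named in it) shows that accounting on constructed Ethernet/IPv4 frames so it runs offline; in real use you would feed it frames read from the mirror-port NIC or a pcap instead of the `SAMPLE_FRAMES` built here. The local network `10.0.0.0/24`, the host addresses and the byte counts are all made up for the demonstration.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800  # EtherType for IPv4


def build_ipv4_frame(src, dst, total_len, proto=6):
    """Build an Ethernet + IPv4 header claiming total_len bytes (constructed test data).

    The payload is omitted; the IPv4 total-length field is what the accounting reads,
    so a 1500-byte frame can be represented by its 34 header bytes alone.
    """
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)          # dst MAC, src MAC, EtherType
    ver_ihl = (4 << 4) | 5                                     # IPv4, 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip


def parse_frame(frame):
    """Return (src_ip, dst_ip, ip_total_length) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None                                            # ARP, IPv6, etc. are skipped
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    return src, dst, total_len


def top_talkers(frames, local_cidr, window_secs, n=3):
    """Rank local hosts by WAN bytes seen in the last window_secs, highest first.

    frames: list of (timestamp_seconds, raw_frame) as captured on the mirror port.
    Only traffic crossing the local/remote boundary counts, and it is attributed to the
    local address whichever direction it flows, so a host pulling updates shows up even
    though almost all of its bytes are inbound. Returns (ip, bytes, bits_per_second).
    """
    local = ipaddress.ip_network(local_cidr)
    latest = max((ts for ts, _ in frames), default=0.0)
    totals = defaultdict(int)
    for ts, frame in frames:
        if ts < latest - window_secs:
            continue                                           # outside the sliding window
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, nbytes = parsed
        src_local = ipaddress.ip_address(src) in local
        dst_local = ipaddress.ip_address(dst) in local
        if src_local == dst_local:
            continue                                           # LAN-to-LAN is not WAN usage
        totals[src if src_local else dst] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(ip, nbytes, nbytes * 8 / window_secs) for ip, nbytes in ranked]


# Constructed capture: a forgotten conference-room PC (10.0.0.57) streaming 1500-byte
# frames from an update server, one normal web client, one LAN-internal flow and one ARP.
SAMPLE_FRAMES = (
    [(t * 0.01, build_ipv4_frame("64.4.11.42", "10.0.0.57", 1500)) for t in range(400)]
    + [(t * 0.5, build_ipv4_frame("10.0.0.12", "93.184.216.34", 60)) for t in range(8)]
    + [(t * 0.5, build_ipv4_frame("93.184.216.34", "10.0.0.12", 1200)) for t in range(8)]
    + [(2.0, build_ipv4_frame("10.0.0.12", "10.0.0.57", 500))]   # ignored: both ends local
    + [(1.0, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28)]          # ignored: ARP frame
)

if __name__ == "__main__":
    for ip, nbytes, bps in top_talkers(SAMPLE_FRAMES, "10.0.0.0/24", window_secs=4.0):
        print(f"{ip:<16} {nbytes:>9} bytes  {bps / 1e6:6.2f} Mbit/s")
```

On the sample the update download dominates at 1.2 Mbit/s over the 4-second window, which is exactly the "who is killing the link right now" answer the original poster wanted; running it on a live feed only changes where the frames come from, and with a 75-host /24 the per-host totals stay tiny to hold in memory.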
 
Since you have an ASA check out Fireplotter, it's pretty nice and can plot all IPs accessing the firewall.
 
> Even if the computers are not AD, you should still be able to use WSUS for updates, fyi.
Yea but then you'd have to change the policy on each local computer to look at the WSUS server.



I've got an Untangle server at my gateway... Any way to do this with something like that? It'd be nice sometimes, when the internet slows to a crawl, to be able to determine who is doing it.
 
> Yea but then you'd have to change the policy on each local computer to look at the WSUS server.
>
> I've got an Untangle server at my gateway... Any way to do this with something like that? It'd be nice sometimes, when the internet slows to a crawl, to be able to determine who is doing it.

Yup Techie. He could batch file the registry entries to take care of WSUS. Should be pretty simple.
 
> Yup Techie. He could batch file the registry entries to take care of WSUS. Should be pretty simple.

Hmmm, if I have some spare time maybe I'll do something like this. I've done WSUS in other situations before but only when everyone was AD.

I'm going to update the ASA to 8.2(1) this weekend and try getting one of the programs running here to monitor the bandwidth hogs.
 