How to see who's eating the bandwidth

Asgorath

Someone on our network is eating the bandwidth and killing it for everyone else.

The network is segmented into different subnets; all of the users in question are on the 192.168.4.0 network. All of these users go into a Cisco 3650 switch on their own VLAN. Is there a way I can figure out who's eating up how much bandwidth at any one time? Preferably, I'd like to see who's eating how much bandwidth if their destination is out on the WAN...

Any tips on how to do this?
 
One method is to set up a network monitoring app and have it monitor the ports on the switch. MRTG takes a little bit of work to set up but it's bomb-proof on either Windows or Linux and does a good job of monitoring SNMP-aware hardware devices.

It will produce a bunch of graphs of bandwidth usage per port on the switch, so you'll know at a glance where the peak utilizer is.
 
Cool program. Is there a way to configure it so that I can only view traffic that is not going to a 192.168.0.0/16 network?
 
I use reports from Untangle. Can break down details rather well...show the user, hours of usage, what sites are being visited.
 
Oh, my bad haha, I should have described it a bit more.

NetFlow is an IOS feature. You apply it on a per-interface basis, and then can export the data to a server, or even look at the stats directly on the router. As you can see from the options below, there's a bunch of crap you can do with it. Not sure if your equipment supports this.. try seeing if these commands are available (has to be a L3/SVI interface)

Code:
Router(config)#int g0/1
Router(config-if)#ip flow ?
  egress   Enable outbound NetFlow
  ingress  Enable inbound NetFlow
  monitor  Apply a Flow Monitor to this interface

Router(config-if)#exi
Router(config)#ip fl?
flow-aggregation  flow-cache        flow-capture  flow-egress
flow-export       flow-top-talkers

Router(config)#ip flow-export ?
  destination      Specify the Destination IP address
  interface-names  Export interface names
  source           Specify the interface for source address
  template         Specify the template specific configurations
  version          Specify the version number
 
I don't have the ip flow :-(

Under ip ? I get...

Code:
Switch(config-if)#ip ?
Interface IP configuration subcommands:
  access-group  Specify access control for packets
  admission     Apply Network Admission Control
  arp           Configure ARP features
  dhcp          Configure DHCP parameters for this interface
  dhcp          DHCP
  igmp          IGMP interface commands
  verify        verify
  vrf           VPN Routing/Forwarding parameters on the interface

So I guess I'll have to go another way.
 
Is your switch doing routing? If so, you'll need this on a VLAN interface or a router interface (the "no switchport" command). Otherwise, none of this netflow stuff will apply.
 
Same commands, just do them under your L3 interface.

I was assuming you weren't doing that before because when you did "ip ?", not even "address" was listed there.

You still might not have it though, but it never hurts to try haha. I also don't know if you might need another build other than ipbase.. might need advanced ip services/ent.
 
:-/ I still don't think I have IP Flow
Code:
Switch#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan4
Switch(config-if)#ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  admission           Apply Network Admission Control
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Forwarding interface commands
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  information-reply   Enable sending ICMP Information Reply messages
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  next-hop-self       Configures IP-EIGRP next-hop-self
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  vrf                 VPN Routing/Forwarding parameters on the interface
 
Yeah.. netflow isn't in IOS IP base. Are you running at least IP services? If you are, then I guess it's not supported for your hardware.
 
I think we're on IP Base.

But anyways...I went the MRTG route and I think I'm incompetent..I can't get that infernal program running properly.

However, I installed PRTG Traffic Grapher (not free) and imported all my switches and interfaces into it. I can see live and historical traffic data across the interfaces. The bummer here is pretty much what I expected about SNMP...it is only giving me the bandwidth used by an interface. Which means if someone is pulling a PDF from the file server it shows up the same as someone going and watching YouTube.

I think I need to set up a port mirror on the Cisco and monitor all traffic then analyze that using some other software. Untangle maybe?
 
I think you may be approaching this from the wrong angle, not to say that tracking your users won't work but it sounds like a bit of trouble.

Send out a company-wide email stating that IT is aware of all internet traffic/downloads and if the individuals responsible do not stop then corrective action will be taken including written warnings up to termination.

It'll prob stop for a couple months till you can install the tracking software at least. :)
 
Everyone is good about it for the most part. My guess is that the users that are causing the spikes aren't aware of what they're doing. Maybe some flash animations that are bloated or something.

I'm in the real estate business and the websites that people create in this business SUCK. IE optimized, bloated, clunky, crashing randomly, on old ASP code, outdated.

Or it could be a virus on the network causing traffic. I really don't know. And everyone knows that it is a problem and is trying their best right now.

I need software to help me track this down. My users are doing their best.

And PS...My boss has already sent out just that sort of email. There's been layoffs recently, so everyone knows to be careful.
 
Look into ntop. Set it up on a box and put it on a SPAN port. It will show actual conversations and how much data. I use it on a SPAN of our PIX inside interface. Plus you can sniff with Wireshark and look at the statistics. That's the way I'd go about it at least...
 
Except per port with I further rules on it will give me total usage, not just internet usage... Which is my problem. We have a lot of LAN traffic past just WAN traffic.
 
Here's a second for Ntop. If you want to see who is going where and how much this is a great tool. The Windows version is a little tricky to get, because they don't supply a compiled version, but if you know how to use Google to search for executables, you can find it. It's GNU License.

 
The network security toolkit I have listed above has it. Check it out. Very cool stuff.
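
Added example, not part of the original thread: a Python sketch of the analysis the SPAN-port suggestions lead to, summing bytes per user-VLAN host only for traffic whose other end is outside 192.168.0.0/16. It assumes the mirrored traffic was saved as a classic pcap file and that the user subnet is 192.168.4.0/24 (the thread gives no mask); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, ip_network

USERS = ip_network("192.168.4.0/24")  # user VLAN from the thread; /24 mask is an assumption
LAN = ip_network("192.168.0.0/16")    # internal space that must not count as WAN

def wan_talkers(pcap: bytes) -> Counter:
    """Bytes per user-VLAN host exchanged with addresses outside LAN."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue  # not IPv4, or header truncated by the snaplen
        ip_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]  # size on the wire
        src, dst = IPv4Address(frame[l3 + 12:l3 + 16]), IPv4Address(frame[l3 + 16:l3 + 20])
        if src in USERS and dst not in LAN:
            totals[str(src)] += ip_len  # upload to the WAN
        elif dst in USERS and src not in LAN:
            totals[str(dst)] += ip_len  # download from the WAN
    return totals

def build_sample() -> bytes:
    """Constructed capture: header-only frames, as a small snaplen would leave them."""
    flows = [("192.168.4.21", "203.0.113.10", 60),
             ("203.0.113.10", "192.168.4.21", 1500),
             ("203.0.113.10", "192.168.4.21", 1500),
             ("192.168.4.35", "192.168.1.5", 1500),   # file server: LAN, ignored
             ("192.168.1.5", "192.168.4.35", 1500),   # LAN, ignored
             ("198.51.100.7", "192.168.4.35", 400)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    for src, dst, n in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, n, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), 14 + n) + frame
    return out

if __name__ == "__main__":
    for host, nbytes in wan_talkers(build_sample()).most_common():
        print(f"{host:15} {nbytes:>8} bytes to/from WAN")
```

Because the totals come from the IP header's length field rather than the captured length, the capture can use a short snaplen and still give correct byte counts.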
 