t10
join:2003-05-25
Woodbridge, ON

t10

Member

Rogue/faulty device eating all bandwidth. Need to find it.

Hello,

Need help, hope you guys can point me in the right direction.
Have a network with about 60 PCs, and under 100 devices in total. We have a 5mbit symmetrical fiber pipe. Recently around the same time during peak hours, WAN pings become really bad and half of them time out. I thought it was an ISP issue, but unhooking the LAN from the fiber line and plugging in directly shows excellent speed.

Our Cisco router does not show throughput (wtf? lol). Hooked up a WRT54GL running Tomato between the Cisco and WAN to see throughput, and it looks like we are maxing out the pipe. I need to find the IP address of the device which is leeching the most. Is there a network sniffer that will show me network utilization by IP/MAC?

Thank you

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

What Cisco router do you have there? Model?
Do you have managed switch(es) there?

You need to deploy a sniffer on the LAN side and see where the problem is.
Alternatively, if the Cisco router supports SNMP and some nice stats, you may be able to get the info you need that way.

But a managed switch with a monitoring (sniffing, mirroring) port is what you need. You route all LAN through the switch, hook up Wireshark to your monitoring port and examine all the traffic.
t10
join:2003-05-25
Woodbridge, ON

t10

Member

Thanks Brano! Total DUH on my part re Wireshark (tried SolarWinds NTA, and that didn't tell me anything unfortunately).

The Cisco is RV042.
No managed switches on the premises. Would need to buy one, any recommendations (unfortunately in our case the cheaper the better).

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

I have this one (and am very happy with it) »www.ncix.ca/products/?sk ··· oid=1448 ... it's one of the cheapest gigabit out there and will do what you need.
Manual here »ftp://ftp.dlink.com/Switch/dgs110016/

Plug your RV042 into it, and all other LAN connections (direct or from other switches) as well.
Then designate one port as monitoring and connect to it from your sniffer machine running Wireshark.

The switch has per-port stats, bandwidth management and more features that you can utilize to manage your issue.

There are more port versions available too (more expensive).

EDIT: There's a deal on this one now »www.ncix.ca/products/?sk ··· P%20Link ...mind this is 100meg and only 2 Gb ports. ...I've never used this one so can't provide recommendations.
Bink
Villains... knock off all that evil
join:2006-05-14
Colorado

Bink to t10

Member

to t10
IIRC, Cisco should have something called NBAR that should readily allow you to see what protocols/hosts are using most of your bandwidth. There are likely other things that the Cisco can readily do as well to help you here—I don’t recall them off the top of my head—but this thread is probably best moved to the Cisco forum. That said, I also highly recommend the use of NetFlow in business networks—read up on it—and it would readily provide you this information as well.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

The router he has is old LinkSys re-branded, not IOS based.
Bink
Villains... knock off all that evil
join:2006-05-14
Colorado

Bink

Member

said by Brano:

The router he has is old LinkSys re-branded, not IOS based.

Ah—missed that—thanks for catching it. With that being the case, I have no experience with these devices and do not recommend their use for business.
t10
join:2003-05-25
Woodbridge, ON

t10

Member

Thank you so much guys!

Wireshark busted the person. They were torrenting. As soon as I capped their MAC/IP, the network is healthy again.

Great learning experience, never thought someone would do that here.

clarknova
join:2010-02-23
Grande Prairie, AB

clarknova to t10

Member

to t10
Some versions of Tomato allow you to track real time and past transfer per LAN user. If yours doesn't, install shibby or teaman's Tomato and view this under the IP Traffic menu.

»tomato.groov.pl/

edit: I guess I'm a little slow on the trigger, but I'll leave my post intact for historical interest.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

cramer to t10

Premium Member

to t10
That's a Linksys. If you had a Real Cisco(tm) (IOS, Pix, ASA) this would take seconds to track down... "sh ip nat tr" Why does Bob's computer have 8000 translations?

Also, with a managed switch and MRTG, you could see where all the traffic is going in an instant. (I also use netflow, so I know what you did last week.)
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to t10

MVM

to t10
Wireshark off one of the LAN ports on the RV042, Statistics -> Conversations, and away you go....
Otherwise, as others have said, a managed solution gives you these sorts of options built-in.

Glad you got a learning experience out of it as well T10, ....and that (ex-, I hope) employee has now learned a hard lesson why company assets and company time should NOT be used in the pursuit of personal projects.
said by cramer:

Why does Bob's computer have 8000 translations?

Bob : It's for the company, I swear!

Regards
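
The per-host byte totals the thread is after (utilization by IP/MAC, in the spirit of Wireshark's Statistics views), as an added example that is not part of any post above: a small Python parser for a classic pcap file saved from the mirror port. The 192.168.1.0/24 LAN subnet, the addresses and the sample capture are constructed assumptions.

```python
import ipaddress
import struct
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet


def top_talkers(pcap: bytes, lan=LAN):
    """Return [(ip, mac, bytes_on_wire)] for LAN hosts, busiest first."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, macs, off = Counter(), {}, 24
    while off + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skip ARP, IPv6, VLAN-tagged and truncated frames
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        # Charge the frame to whichever endpoint(s) sit on the LAN.
        for ip, mac in ((src, frame[6:12]), (dst, frame[0:6])):
            if ip in lan:
                totals[ip] += orig_len
                macs[ip] = mac.hex(":")
    return [(str(ip), macs[ip], n) for ip, n in totals.most_common()]


def _frame(src_mac, dst_mac, src_ip, dst_ip, size):
    """Build a constructed Ethernet+IPv4 frame padded to `size` bytes."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = (b"\x45\x00" + struct.pack(">H", size - 14) + bytes(8)
          + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed)
    return (eth + ip).ljust(size, b"\x00")


def sample_pcap():
    """Constructed capture: one heavy LAN host, one light one."""
    gw, a, b = "0000000000fe", "0000000000aa", "0000000000bb"
    pkts = [_frame(a, gw, "192.168.1.50", "203.0.113.9", 1500)] * 40
    pkts += [_frame(gw, a, "203.0.113.9", "192.168.1.50", 1500)] * 10
    pkts += [_frame(b, gw, "192.168.1.21", "198.51.100.7", 200)] * 5
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in pkts:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```

To use it on a real capture, pass the bytes of a file saved in classic pcap format (not pcapng) and set `LAN` to the site's own subnet.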