t10 join:2003-05-25 Woodbridge, ON
t10
Member
2012-Nov-28 10:07 am
Rogue/faulty device eating all bandwidth. Need to find it.
Hello, Need help, hope you guys can point me in the right direction. Have a network with about 60 PCs, and under 100 devices in total. We have a 5mbit symmetrical fiber pipe. Recently around the same time during peak hours, WAN pings become really bad and half of them time out. I thought it was an ISP issue, but unhooking the LAN from the fiber line and plugging in directly shows excellent speed. Our Cisco router does not show throughput (wtf? lol), hooked up a WRT54GL running Tomato between the Cisco and WAN, to see throughput, and it looks like we are maxing out the pipe. I need to find the IP address of the device which is leeching the most. Is there a network sniffer that will show me network utilization by IP/MAC? Thank you
BranoI hate Vogons MVM join:2002-06-25 Burlington, ON (Software) OPNsense Ubiquiti UniFi UAP-AC-PRO Ubiquiti NanoBeam M5 16
Brano
MVM
2012-Nov-28 10:15 am
What Cisco router do you have there? Model? Do you have managed switch(es) there?
You need to deploy a sniffer on the LAN side and see where the problem is. Alternatively, if the Cisco router supports SNMP and some nice stats you may be able to get the info you need that way.
But a managed switch with a monitoring (sniffing, mirroring) port is what you need. You route all LAN through the switch, hook up Wireshark to your monitoring port and examine all the traffic.
t10
Member
2012-Nov-28 10:26 am
Thanks Brano! Total DUH on my part re Wireshark (tried SolarWinds NTA, and that didn't tell me anything unfortunately).
The Cisco is RV042. No managed switches on the premises. Would need to buy one, any recommendations? (Unfortunately in our case the cheaper the better.)
Brano
MVM
2012-Nov-28 10:42 am
I have this one (and am very happy with it) » www.ncix.ca/products/?sk ··· oid=1448 ... it's one of the cheapest gigabit out there and will do what you need. Manual here » ftp://ftp.dlink.com/Switch/dgs110016/
Plug your RV042 to it, all other LAN connections (direct or from other switches) as well. Then designate one port as monitoring and connect to it from your sniffer machine running Wireshark. The switch has per-port stats, bandwidth management and more features that you can utilize to manage your issue. There are more port versions available too (more expensive).
EDIT: There's a deal on this one now » www.ncix.ca/products/?sk ··· P%20Link ... mind this is 100meg and only 2 Gb ports. ... I've never used this one so can't provide recommendations.
BinkVillains... knock off all that evil join:2006-05-14 Colorado |
Bink to t10
Member
2012-Nov-28 11:50 am
IIRC, Cisco should have something called NBAR that should readily allow you to see what protocols/hosts are using most of your bandwidth. There are likely other things that the Cisco can readily do as well to help you here (I don't recall them off the top of my head), but this thread is probably best moved to the Cisco forum. That said, I also highly recommend the use of NetFlow in business networks (read up on it), and it would readily provide you this information as well.
Brano
MVM
2012-Nov-28 11:59 am
The router he has is old LinkSys re-branded, not IOS based.
Bink
Member
2012-Nov-28 12:07 pm
said by Brano: The router he has is old LinkSys re-branded, not IOS based.
Ah, missed that, thanks for catching it. With that being the case, I have no experience with these devices and do not recommend their use for business.
t10
Member
2012-Nov-28 1:57 pm
Thank you so much guys!
Wireshark busted the person. They were torrenting; as soon as I capped their MAC/IP, the network is healthy again.
Great learning experience, never thought someone would do that here.
to t10
Some versions of Tomato allow you to track real time and past transfer per LAN user. If yours doesn't, install shibby or teaman's Tomato and view this under the IP Traffic menu. » tomato.groov.pl/
edit: I guess I'm a little slow on the trigger, but I'll leave my post intact for historical interest.
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
cramer to t10
Premium Member
2012-Nov-28 4:11 pm
That's a Linksys. If you had a Real Cisco(tm) (IOS, Pix, ASA) this would take seconds to track down... "sh ip nat tr" Why does Bob's computer have 8000 translations?
Also, with a managed switch and MRTG, you could see where all the traffic is going in an instant. (I also use netflow, so I know what you did last week.)
to t10
Wireshark off one of the LAN ports on the RV042, Statistics -> Conversations, and away you go.... Otherwise as others have said, a managed solution gives you these sort of options built-in. Glad you got a learning experience out of it as well T10, ....and that (ex-, I hope) employee has now learned a hard lesson why company assets and company time should NOT be used in the pursuit of personal projects.
said by cramer: Why does Bob's computer have 8000 translations?
Bob : It's for the company, I swear!
Regards
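The per-host byte tally that the thread gets from Wireshark's Statistics -> Conversations view, as an added example that is not part of any post here: it reads a capture saved from the mirror port and ranks LAN hosts by bytes sent plus received. The `192.168.1.0/24` subnet, the function names and the sample frames are assumptions made up for illustration; only classic-format pcap files with untagged Ethernet/IPv4 frames are handled.

```python
import ipaddress
import struct
from collections import Counter

def top_talkers(pcap, lan="192.168.1.0/24"):
    """Bytes per LAN (IP, MAC) in a classic Ethernet pcap, busiest first."""
    net = ipaddress.ip_network(lan)  # assumed LAN range, adjust to the site
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    totals, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "4I", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not untagged IPv4 (ARP, IPv6, VLAN-tagged, truncated)
        dst_mac, src_mac = frame[0:6], frame[6:12]
        src_ip = ipaddress.ip_address(frame[26:30])
        dst_ip = ipaddress.ip_address(frame[30:34])
        # Credit the on-wire length to whichever end sits on the LAN,
        # so uploads and downloads both count against the local host.
        for ip, mac in ((src_ip, src_mac), (dst_ip, dst_mac)):
            if ip in net:
                totals[(str(ip), mac.hex(":"))] += orig_len
    return totals.most_common()

def sample_pcap():
    """Constructed capture: made-up frames for two LAN hosts and a gateway."""
    def frame(src_mac, dst_mac, src_ip, dst_ip, size, ethertype=b"\x08\x00"):
        eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + ethertype
        ip = (b"\x45" + bytes(11) + ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed)
        return (eth + ip).ljust(size, b"\x00")
    gw, a, b = "00aabbccddee", "001122334455", "0011223344aa"
    frames = ([frame(a, gw, "192.168.1.23", "203.0.113.9", 1500)] * 3
              + [frame(gw, a, "203.0.113.9", "192.168.1.23", 1500)] * 2
              + [frame(b, gw, "192.168.1.40", "198.51.100.7", 200),
                 frame(b, "ffffffffffff", "0.0.0.0", "0.0.0.0", 60, b"\x08\x06")])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<4I", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (ip, mac), nbytes in top_talkers(sample_pcap()):
        print(f"{ip:15} {mac}  {nbytes} bytes")
```

For a real capture, pass the file's bytes (`open(path, "rb").read()`) instead of `sample_pcap()`; a capture saved as pcapng has to be re-saved in classic pcap format first.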