How do you trace problem traffic?



  • I have PRTG monitoring SNMP traffic at my branches, and I have seen a branch capped for 3 hours at 1.5M upload. I had limited all HTTP/HTTPS traffic to 1.5 out of 2M possible so it didn't affect our main service that uses telnet. Well, of course everyone is complaining about the slow internet speeds. I am trying to find out what device is causing the issues; I don't care to be big brother, but when you are impeding others from business then we have a problem.

    Recently deployed OpenDNS at my branches for extra protection and URL filtering. It lets me see the DNS requests, but it's hard to discern from those which domain would be likely to be pulling high traffic. I do not have the licensing that allows you to bind OpenDNS to AD and have it resolve all requests to internal IP addresses either, so when I find suspicious domains I can't verify the device. Is there freeware others might use to achieve this? I have tried Wireshark in the past, but I didn't have the time to learn what I was looking at with the massive amount of data it collects. Do you have a good resource to learn it?

    How do you guys find the culprit?



  • Of course the traffic falls off once I ask for input, but still curious!



  • Best option is a proxy server. You get control, monitoring and caching all in one. Find the problem, fix the problem and improve the offering all at once.



  • How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.



  • I used Bandwidthd on a mirrored port on the switch to see what was hogging all my internet traffic. It uses easy-to-read charts and graphs. You'll want to mirror the port going to the firewall.
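
    The same "who is hogging the uplink" question can be answered from a plain packet capture taken on that mirrored port, without learning the whole Wireshark UI. The script below is an added example, not code from any poster or tool in this thread: it reads `tcpdump -nn -q` style lines (the sample lines are constructed, using a made-up 192.168.10.0/24 branch LAN), classifies each packet as upload or download by which side is internal, and ranks hosts by bytes sent. It skips ARP and other non-IP lines and ignores LAN-to-LAN traffic that never crosses the firewall.

    ```python
    import ipaddress
    import re
    from collections import defaultdict

    # Compact form printed by `tcpdump -nn -q` (assumption: captured on the switch port
    # mirrored toward the firewall). Lengths are L4 payload sizes, so this ranks by
    # data volume rather than exact wire bytes, which is enough to spot the culprit.
    LINE_RE = re.compile(
        r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
        r"(?:tcp|UDP, length) (?P<len>\d+)$"
    )

    # Constructed sample capture: one host pushing data out, one mostly downloading,
    # one LAN-internal SMB packet and one ARP line that must both be ignored.
    SAMPLE = """\
    12:00:01.000000 IP 192.168.10.23.51234 > 93.184.216.34.443: tcp 1460
    12:00:01.000100 IP 93.184.216.34.443 > 192.168.10.23.51234: tcp 0
    12:00:01.000200 IP 192.168.10.23.51234 > 93.184.216.34.443: tcp 1460
    12:00:01.000300 IP 192.168.10.7.40000 > 198.51.100.9.80: tcp 300
    12:00:01.000400 IP 198.51.100.9.80 > 192.168.10.7.40000: tcp 1200
    12:00:01.000500 IP 192.168.10.7.53412 > 198.51.100.53.53: UDP, length 45
    12:00:01.000600 IP 192.168.10.23.445 > 192.168.10.50.50001: tcp 1460
    12:00:01.000700 ARP, Request who-has 192.168.10.1 tell 192.168.10.23, length 28
    """

    def top_talkers(lines, internal_net):
        """Return [(host, upload_bytes, download_bytes)] sorted by upload, largest first."""
        net = ipaddress.ip_network(internal_net)
        up, down = defaultdict(int), defaultdict(int)
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # ARP, ICMP, IPv6, truncated lines: not what we are ranking
            src, dst, n = m.group("src"), m.group("dst"), int(m.group("len"))
            src_in = ipaddress.ip_address(src) in net
            dst_in = ipaddress.ip_address(dst) in net
            if src_in and not dst_in:
                up[src] += n          # internal host sending toward the firewall
            elif dst_in and not src_in:
                down[dst] += n        # internal host receiving from outside
            # internal-to-internal never touches the uplink, so it is skipped
        hosts = set(up) | set(down)
        return sorted(((h, up[h], down[h]) for h in hosts), key=lambda t: (-t[1], t[0]))

    if __name__ == "__main__":
        for host, sent, received in top_talkers(SAMPLE.splitlines(), "192.168.10.0/24"):
            print(f"{host:16} up={sent:>8}  down={received:>8}")
    ```

    Feed it a real capture with `tcpdump -nn -q -i eth1 ip | python3 toptalkers.py` style piping (reading `sys.stdin` instead of `SAMPLE`) and the first line of output is the device to go and look at.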



  • @Seth-Cooper said:

    How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

    I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

    Don't need much.



  • @PSX_Defector said:

    @Seth-Cooper said:

    How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

    I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

    Don't need much.

    Good deal, because that is about the exact specs of the spare hardware I have to use!



  • @Seth-Cooper said:

    @PSX_Defector said:

    @Seth-Cooper said:

    How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

    I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

    Don't need much.

    Good deal, because that is about the exact specs of the spare hardware I have to use!

    Need a better machine? I have that box sitting on my shelf, a Compaq with three NICs, 2GB of RAM, and decent sized hard drive. Get it for ya cheap, even load ntop for ya. 🙂



  • @PSX_Defector I appreciate the generous offer and I will let you know if I do. But this is a backseat project for me at best. Might try the port mirroring first but all this has to be done in my non-existent free time. I am sure you know how that goes.

    Thanks.



  • A proxy needs more power than a router, but not much. It does very little work. I bet a PIII 600 would do the trick.



  • Is this crossing a firewall? If so, it should be able to tell you which devices are the noisiest.



  • @alexntg Yep, my branches use Juniper SSG-5's but I haven't seen any logging to do what you speak of.




  • @Seth-Cooper said:

    @alexntg Yep, my branches use Juniper SSG-5's but I haven't seen any logging to do what you speak of.

    What logging options does it have?



  • Very limited; it only logs at the policy level for short increments (up to an hour), and looking across the Juniper boards it looks like everyone states that to get good traffic logs you need to do port mirroring.



  • @Seth-Cooper said:

    Very limited; it only logs at the policy level for short increments (up to an hour), and looking across the Juniper boards it looks like everyone states that to get good traffic logs you need to do port mirroring.

    That's unfortunate.

