Finding whose taking up the most bandwidth

fifrasco

Hello Everyone,

I was wondering if anyone knew how to identify the user whose downloading the most which is taking up most of the bandwidth. Its a remote site I'm looking into and they don't have any monitoring tools (i.e solarwinds or cascade). Is there a manual way to track the person?

when looking at the interfaces that connects to the ISP I see their over their Pipe limit which is 50mbs.



GigabitEthernet0/1 is up, line protocol is up

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 19/255, rxload 136/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is RJ45
output flow-control is unsupported, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:04, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/34 (size/max/drops/flushes); Total output drops: 343
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 53546000 bits/sec, 5308 packets/sec
30 second output rate 7508000 bits/sec, 1140 packets/sec

rsutton

If you have wireshark you can get this info pretty easily.

fifrasco

What if you're not on their network to run wireshark on a PC? I only have access to their routers and so on. In order to effectively use wireshark I would have to be on PC using wireshark, on their network?

docrice

NetFlow. If your router supports it, export flow data to a flow collector and review the results. There are open source flow collectors out there like Nfdump (with Nfsen as front-end web UI). If you need a Linux install guide, I can post one.

Note that flow exports take up some resources, so if your router's already pegged, might not be a good idea to do it. A switch could potentially do it, although lower-end managed switches like basic access switches (think 2960) won't support it. If you have a chassis-based switch, these typically will.

fifrasco

I use netflow for 6500 switches and other routers but want to see if there was a manual way to do it.

docrice,

I would really appreciate the step by step guide if you have it for Linux. I currently can't get the top talkers off my firewall since the our monitor tools doesn't know how to read ASA netflow.

docrice

ASA's flow export uses a format known as NSEL (NetFlow Secure Event Logging). There's a separate version of Nfdump to support this. At one point, the author of Nfdump was going to merge the different versions to support standard NetFlow and the NSEL NetFlow into the same binary. This might already be done, but I haven't tested recently.

My Linux install is based on CentOS 6 / RHEL 6. I'll try to do a write-up (probably on my own site and link it here).

fifrasco

Thanks for that info and great website..really looking for to that write-up. I'll attempt it on my own and see how far I get.

From your experience have you ever had to find the person hogging the bandwidth manually on a network??

docrice

All the time.

fifrasco

Would you mind sharing that info in more detail? I'm still a newbie when it comes to finding this information so any info would be great. I hate to ask many questions so sorry if I'm asking too much.

docrice

When you're looking at flow data, there's no magic button that automatically points the finger at the bandit you're looking for. If your network only has a few devices and they're talking to a small number of other hosts, it's relatively trivial to figure out which one's tying up bandwidth or producing the most traffic. When you're dealing with hundreds or thousands of nodes, each talking to ten to a hundred different other hosts both internal and external, then you have to put some human intelligence behind it.

In general, there are several ways to carve out the data. First step is to narrow down your time window to the 5, 15, 30, or 60 minute period (or more if needed). The larger the window, the more flow data you have to process and therefore will require your flow collector app to spend more time chewing through more data files (you'll need to size your collector host's size and disk space accordingly).

Once you've honed down the time range, you can sort the Top 10/50/100 talkers data based on packets/second, bits/second, Bytes-transferred, flows/second, and so on. You can also filter down based on IPs, protocols, ports, and other variables. This can significantly reduce the amount of data your collector parses for your analysis.

Sometimes you're looking for a node which has transferred the most number of Bytes within x minutes. Other times you may want to look at the number of flows generated; this looks for chatty hosts which can potentially take up a lot of connection states on a firewall, for example, even though they may not be passing a lot in terms of traffic volume. While most people think "top talkers" in respect to raw traffic volumes relative to payload size or bits transferred, tons of flows can impact L3+ devices as well.

docrice

This was a good excuse to finally get this article online (I've been lagging for over a year). The Nfdump and Nfsen versions are dated, so season to taste:

http://www.kimiushida.com/bitsandpieces/articles/netflow_collection_with_nfdump_and_nfsen/

fifrasco

Thanks for that post Docrice

kohr-ah

At my work if I need a quick answer I setup ip flow top talkers and then do a nslookup in the ip to find the machine name.

networker050184

Top talkers was my first thought as well.

fifrasco

If on a cisco 7204 router when then problem occurs...Can enabling the Netflow at the time, crash the router if its already high usage on that interface from users? Just to clarify, you mean sh ip flow top-talkers?

ande0255

Cisco IOS Switching Services Configuration?Guide, Release?12.2 - Configuring NetFlow [Cisco IOS Software Releases 12.2 Mainline] - Cisco

Specifically from that document, you will want to get on the inside interface and enable "ip route-cache flow" and let the network talk for 30 seconds or so, then issue the command "show ip cache flow" in user exec. This will show how much traffic is being generated from each individual host, and give you the offending device.

kohr-ah

fifrasco wrote: »

If on a cisco 7204 router when then problem occurs...Can enabling the Netflow at the time, crash the router if its already high usage on that interface from users? Just to clarify, you mean sh ip flow top-talkers?

Exactly what I mean. Choose that port setup ingress and egress then sort by bytes.

When you do the sh ip flow top talkers see who is the top and then just nslookup to see the machine name. If you have the ability look up the machine name in sccm and give the good old "WTF" talk to them.

Or have some fun do a sh ip arp on the ip find the Mac track down the Mac to the port and if your ports are labeled find them that way