Our ISP has told us that our bandwidth is maxed on our network, which incidentally has caused the whole network across the country to slow to a crawl. Are there any tools out there that I could use to identify who is causing this? Our ISP has said there wasn’t a way that they could do it, however, it is getting crucial that we identify the source of the bandwidth usage.
Port mirror at a main router and run Wireshark on a laptop. This might help identify offending party or at least trace it back to the office causing the issue. This assumes you have a nationwide internal network and a single ISP connection at one location.
Ideally you will want to use netflow on your edge router/firewall. This will show you who the top talkers are on your network and exactly what type of traffic you are dealing with. We use Solarwinds for monitoring all of our sites and netflow data. It is license based but I am sure there are other alternatives out there.
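As an added example (not from any poster in this thread, and not SolarWinds code), this is the kind of top-talker aggregation a NetFlow collector performs on exported flow data. It assumes the router exports NetFlow version 5 and that internal hosts sit in 10.0.0.0/8; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield (src, dst, dst_port, proto, octets) for each flow in one export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield (ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1]), f[10], f[13], f[6])

def top_talkers(datagrams, internal="10.0.0.0/8", n=5):
    """Total bytes per internal host, counting traffic in both directions."""
    net = ipaddress.ip_network(internal)   # assumption: internal address range
    usage = Counter()
    for dgram in datagrams:
        for src, dst, _port, _proto, octets in parse_v5(dgram):
            for host in (src, dst):
                if host in net:
                    usage[str(host)] += octets
    return usage.most_common(n)

def build_v5(flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, octets) tuples."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, sport, dport, proto, octets in flows:
        out += RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                           b"\0" * 4, 0, 0, 1, octets, 0, 0, sport, dport, 0, 0, proto, 0,
                           0, 0, 0, 0, 0)
    return out

# Constructed sample: two internal hosts talking to documentation-range addresses.
SAMPLE = build_v5([
    ("10.20.0.15", "198.51.100.7", 51000, 443, 6, 1_200),
    ("198.51.100.7", "10.20.0.15", 443, 51000, 6, 900_000_000),
    ("10.30.0.8", "203.0.113.9", 40000, 80, 6, 5_000),
    ("203.0.113.9", "10.30.0.8", 80, 40000, 6, 2_000_000),
])

if __name__ == "__main__":
    for host, octets in top_talkers([SAMPLE]):
        print(f"{host:15} {octets / 1e6:10.1f} MB")
```

Counting both directions matters here: a host that is downloading heavily shows up as the destination of the large flows, not the source.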
We’ve got SolarWinds on ours, do you know if there is a way of monitoring the traffic on there when I don’t have the SNMP settings for the routers?
It doesn’t necessarily have to be the routers, it could be a switch or something behind the router. You just need to set the flow up on an interface that all of the traffic is passing through.
Do you manage your routers in house or are they managed by a third-party / ISP? Setting up SNMP on them paired with Solarwinds will definitely give you a better view into what’s going on.
I can give you the netflow configuration required if you have Juniper or Cisco equipment.
justsayin
(JustSayin)
November 12, 2014, 12:02pm
6
Can you log into the routers?
If they are Cisco then run this command;
show run | include snmp
That should read through the running config and only include lines with snmp in them. From that you can see the community string.
Example output;
snmp-server community “this is where your community string will be” RO
snmp-server enable traps entity-sensor threshold
If you get no data from running that command then your router is probably not running snmp.
What I would do is first, talk to the upper management (not assuming you haven’t already… ) Explain the situation. Suggest a formal email to be sent to all users that the bandwidth is nearing capacity and all Internet usage will be monitored closely effective immediately. Should anyone be found using company assets inappropriately they will be reported to said upper management. …
Give it a couple hours …
Then check your utilization again. This will give you a true measure of what’s using what without sorting through all the crap’ola. … just my .02
I don’t know about you, but the last thing I have to do is police the internet usage. Weather streaming, of course internet radio, etc. you can start filtering them out as needed. I use port mirroring and Wireshark personally but several good ones have been mentioned.
I promise you though, get in their head that big brother is watching from now on. Sort of the ‘Smile you’re on camera’ approach and watch the usage drop. It’s almost comical and will save you a bunch of time.
It is Cisco equipment that we are using Jordan W, however, I cannot log into the routers themselves as they are handled by our ISP. Please can you show me the netflow configuration that I need?
This guy runs through the setup of netflow on Cisco IOS. Just make sure to have it set for the correct direction you wish to collect data on (ingress, egress).
sheldonbeer
(Sheldon9401)
November 12, 2014, 12:28pm
10
Hi There,
We had the same issue a few months back. Dropped in an Untangle Firewall in bridge mode - Used the Bandwidth monitor on a 14 day trial - More than enough time to figure out who the culprit is. After one day I was able to exactly see who used what amount of bandwidth on the reports which was a nice indication. Then when the internet was slow I went to the Untangle box (GUI interface), had a look @ current bandwidth flow and could identify who was using the internet at that moment. We still use the Untangle server - All the free apps and I’m still able to get the bandwidth monitor report even though the trial expired - Just not able to see the live info anymore.
I turned off the spam and phishing monitors as this caused some email issues - I’m only running the web filter, Firewall and captive app @ the moment.
Untangle is very easy to install - Download the OS from their website and install on an old box with 2 NICs in. Update the Apps and connect between your LAN and Gateway router and Bob’s your Uncle.
Hope this helps.
PS Found the culprit before I left work the same day & blocked him with the Firewall
I’ve got no access to the routers as they’re managed by our ISP.
How many seats do you have on the network compared to available bandwidth ?
I don’t have that information to hand. Also, I tried using the switches instead of the routers on SolarWinds and still cannot get any data on the graphs for current traffic.
www.speedtest.net Just to see what you’re working with (?) What’s the download / upload? Are you getting what you’re paying for ?
Speedtest will just hoard the remainder of the network, with how little we’ve got I’d rather not use that. We know the speed is due to someone hoarding the network, we just need to find out who.
I still think Untangle will solve your issue the quickest. You don’t need any Switch or Gateway passwords. Just plug and play.
Put the Untangle between your pc and the router to test.
Unfortunately we don’t have access to the Firewall either. Will that make a difference when trying to use Untangle?
Nope - Untangle has its own firewall App built in if you want to use it - That’s what I meant by using the firewall to block the culprit (I used Untangle’s Firewall)
Security, Visibility & Control NG Firewall is an award-winning unified threat management solution trusted by over 40,000 customers around the world. From content filtering to advanced threat protection, VPN connectivity to application-based...
It says that it will need a dedicated machine to run on, we don’t have a spare machine that we can use for that.
It could be a number of things:
Infected PC(s)
Someone downloading / streaming ( I found a guy downloading p0rn movies one time, some guy hosting a gaming server under his desk, etc… people are crazy )
a loop in the patch cables
rogue switch somewhere
Etc, etc.
I know it’s goofy man, but in all seriousness maybe the scary email from management would be a good place to start. It would open up a little room for you to at least troubleshoot the problem without completely bringing the network to its knees.