PIX 515 Protocols in Use

Jun 22nd, 2007

I'm trying to determine what's chewing up all of my Bandwidth. Do you guys know of a way or a tool to monitor this? I'm looking for identifying the traffic.

pciaccio Fri, 06/22/2007 - 07:15

You can turn on CEF (if not on already) and then turn on IP NBAR PROTOCOL DISCOVERY on the interface to determine the type of traffic going through the interface (show ip nbar protocol discovery). You can also do an IP Route Cache Flow on the interface and do a Show route cache flow to see the size and traffic flows through the interface. These should be able to help you out in determining your culprit... happy hunting... Please rate.

jobegates Fri, 06/22/2007 - 08:21

I'll move it to my internet router; it's a 2811 and should work.

pciaccio Fri, 06/22/2007 - 09:01

On router platforms CEF is Cisco's Express Forwarding and is enabled by default on new IOSes. However, it provides for faster routing and forwarding of packets through a router. If it is enabled then you can enable the IP NBAR on the interface to gather the layer 3 stats for the interface and the flows going through the interface. It is a mechanism used for Netflow tools; however, you can use the CLI to decipher your information.

jobegates Fri, 06/22/2007 - 09:42

I have a tool that uses netflow. If I turn on CEF will it drop the interface?

pciaccio Fri, 06/22/2007 - 09:56

Turning on CEF will not bring down the interface. All it will do is take traffic stats of the data going through the interface and provide it to the Netflow tool for reporting. You should have CEF enabled on your router anyway. It provides for a more efficient forwarding mechanism and speeds up the packet processing time through the device.

jobegates Fri, 06/22/2007 - 09:59

Which interface should it be applied to, outside or inside, or does it not matter? It's currently not on.

pciaccio Fri, 06/22/2007 - 10:01

Assuming this is on a router-based IOS platform and not a PIX firewall, then you can apply it to any interface you want. If you know the specific interface that traffic flows through then apply it to that one. If you want to, you can apply it to all the interfaces. This does not work on a PIX platform.

jobegates Fri, 06/22/2007 - 10:07

I've enabled ip nbar protocol-discovery on int fa0/0. When I try to pull the info from my software it's not coming up. Am I missing something?

pciaccio Fri, 06/22/2007 - 07:19

Disregard the previous response, I just realized you are running a PIX 515 and not an IOS-based unit. So the only command I know to see any traffic flows on a PIX is to use the SHOW CONN command. This will show you the current connections. It will also show you the ports being used. From that point you should be able to create an access-list to log those protocols and/or police them as you see fit... Good luck.

JBDanford2002 Sat, 06/23/2007 - 06:14

For a PIX you can use the output of the "sh conn" command. The connections table will hold the number of bytes that have passed through a connection. Typically what I do in this situation is to copy this output to a text file and open it with Excel. You can sort the bytes field to determine who has transferred the most data, or you can sort by source and dest to determine if a host has multiple connections. If you don't have any infected hosts, chances are it could be SMTP, which is what I usually see hogging bandwidth. This is a poor man's way of doing it, but it works on the fly if you have no good syslog analyzer or reporting tools.
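The "paste into Excel and sort" procedure described in the last two replies can be scripted. The following is an added example, not code from any poster or from Cisco: it parses `show conn` text, then ranks connections by bytes, sums bytes per inside host, counts connections per inside host, and sums bytes per outside service port (which is how the SMTP-hogging case above would surface). The sample output is constructed for illustration, and the line layout the regular expression accepts (both the older `TCP out a.b.c.d:p in w.x.y.z:q idle h:mm:ss Bytes N` form and the comma-separated form) is an assumption about PIX software versions; check it against a real device's output before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample of PIX "show conn" output for this example; it was not
# captured from a real device. Field order is assumed and may differ by
# software version, so CONN_RE tolerates optional commas and "Bytes"/"bytes".
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.25:25 in 192.168.1.10:3412 idle 0:00:02 Bytes 58213450 flags UIO
TCP out 203.0.113.25:25 in 192.168.1.10:3413 idle 0:00:09 Bytes 41277902 flags UIO
TCP out 198.51.100.7:80 in 192.168.1.22:1031 idle 0:00:01 Bytes 182330 flags UIO
TCP out 198.51.100.7:443 in 192.168.1.22:1032 idle 0:00:11 Bytes 90012 flags UIO
UDP out 198.51.100.53:53 in 192.168.1.5:1044 idle 0:00:03 Bytes 312 flags -
TCP outside 198.51.100.9:80 inside 192.168.1.40:2201, idle 0:00:04, bytes 4096, flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),?\s+[Bb]ytes\s+(?P<bytes>\d+)"
)


def parse_conns(text):
    """Return one dict per parseable connection line; unknown lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["out_port"] = int(rec["out_port"])
        rec["in_port"] = int(rec["in_port"])
        rec["bytes"] = int(rec["bytes"])
        conns.append(rec)
    return conns


def top_connections(conns, n=5):
    """Largest connections first, the same as sorting the Bytes column descending."""
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]


def bytes_by_inside_host(conns):
    """Total bytes per inside address: who has transferred the most data."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["in_ip"]] += c["bytes"]
    return dict(totals)


def connections_per_inside_host(conns):
    """Connection count per inside address: hosts fanning out many sessions stand out."""
    counts = defaultdict(int)
    for c in conns:
        counts[c["in_ip"]] += 1
    return dict(counts)


def bytes_by_service(conns):
    """Total bytes per outside (server) port, e.g. 25 for SMTP, 80 for HTTP."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["out_port"]] += c["bytes"]
    return dict(totals)


def report(text, n=5):
    """Print the three views a person would otherwise build by sorting in Excel."""
    conns = parse_conns(text)
    print("Top connections by bytes:")
    for c in top_connections(conns, n):
        print(f"  {c['proto']} {c['in_ip']}:{c['in_port']} -> "
              f"{c['out_ip']}:{c['out_port']}  {c['bytes']} bytes")
    print("Bytes per inside host:")
    for host, total in sorted(bytes_by_inside_host(conns).items(),
                              key=lambda kv: kv[1], reverse=True):
        print(f"  {host:<16} {total:>12}  ({connections_per_inside_host(conns)[host]} conns)")
    print("Bytes per outside port:")
    for port, total in sorted(bytes_by_service(conns).items(),
                              key=lambda kv: kv[1], reverse=True):
        print(f"  port {port:<6} {total:>12}")


if __name__ == "__main__":
    report(SAMPLE_SHOW_CONN)
```

Run it against a saved capture with `report(open("showconn.txt").read())`. Because `show conn` is a snapshot of the live table, the byte counts reflect only connections still open at that moment; taking two snapshots a few minutes apart and diffing the per-host totals separates steady heavy users from one-off large transfers.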
