
PIX 515 Protocols in Use

gates1150
Level 1

I'm trying to determine what's chewing up all of my bandwidth. Do you guys know of a way or a tool to monitor this? I'm looking to identify the traffic.

13 Replies

pciaccio
Level 4

You can turn on CEF (if not on already) and then turn on IP NBAR PROTOCOL DISCOVERY on the interface to determine the type of traffic going through the interface (show ip nbar protocol discovery). You can also do an IP Route Cache Flow on the interface and do a Show route cache flow to see the size and traffic flows through the interface. These should be able to help you out in determining your culprit. Happy hunting. Please rate.

I'll move it to my internet router; it's a 2811 and should work.

Can you explain CEF?

On router platforms CEF is Cisco's Express Forwarding and is enabled by default on new IOS's. However, it provides for a faster routing and forwarding of packets through a router. If it is enabled then you can enable the IP NBAR on the interface to gather the layer 3 stats for the interface and the flows going through the interface. It is a mechanism used for Netflow tools; however, you can use the CLI to decipher your information.

I have a tool that uses netflow. If I turn on CEF will it drop the interface?

Turning on CEF will not bring down the interface. All it will do is take traffic stats of the data going through the interface and provide it to the Netflow tool for reporting. You should have CEF enabled on your router anyway. It provides for a more efficient forwarding mechanism and speeds up the packet processing time through the device.

Which interface should it be applied to, outside or inside, or doesn't it matter? It's currently not on.

Assuming this is on a router-based IOS platform and not a PIX firewall, then you can apply it to any interface you want. If you know the specific interface that traffic flows through, then apply it to that one. If you want to, you can apply it to all the interfaces. This does not work on a PIX platform.

I've enabled ip nbar protocol-discovery on int fa0/0. When I try to pull the info from my software it's not coming up. Am I missing something?

pciaccio
Level 4

Disregard the previous response, I just realized you are running a PIX 515 and not an IOS-based unit. So the only command I know to see any traffic flows on a PIX is to use the SHOW CONN command. This will show you the current connections. It will also show you the ports being used. From that point you should be able to create an access-list to log those protocols and/or police them as you see fit. Good luck.

This may help you...

http://www.ethereal.com/

JBDanford2002
Level 1

For a PIX you can use the output of the "sh conn" command. The connections table will hold the number of bytes that have passed through a connection. Typically what I do in this situation is to copy this output to a text file and open it with Excel. You can sort the bytes field to determine who has transferred the most data, or you can sort by source and dest to determine if a host has multiple connections. If you don't have any infected hosts, chances are it could be SMTP, which is what I usually see hogging bandwidth. This is a poor man's way of doing it, but it works on the fly if you have no good syslog analyzer or reporting tools.
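
The sorting described in the post above can also be scripted. This is an added example, not code from the thread: it assumes the PIX 6.x `show conn` line layout (and also accepts the comma-separated 7.x layout), the sample output is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Accepts the PIX 6.x layout and the comma-separated 7.x layout of "show conn".
# Lines without a byte counter (6.x UDP entries, the "in use" header) are skipped.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+\S+\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?"
    r"\s+idle\s+[\d:]+,?\s+bytes\s+(?P<bytes>\d+)",
    re.IGNORECASE,
)

# Constructed sample output (documentation-range addresses), not from the thread.
SAMPLE = """\
5 in use, 5 most used
TCP out 192.0.2.25:25 in 10.1.1.15:1026 idle 0:00:22 Bytes 48211774 flags UIO
TCP out 198.51.100.7:80 in 10.1.1.20:3312 idle 0:00:05 Bytes 90211 flags UIO
TCP out 192.0.2.25:25 in 10.1.1.15:1031 idle 0:00:01 Bytes 30500123 flags UIO
UDP out 203.0.113.53:53 in 10.1.1.20:1044 idle 0:00:03 flags d
TCP outside 198.51.100.7:443 inside 10.1.1.30:4020, idle 0:00:09, bytes 1200500, flags UIO
"""

def parse_conns(text):
    """Return one dict per connection line that carries a byte count."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["bytes"] = int(c["bytes"])
        # Heuristic (assumption): the lower port is the well-known service port.
        port = min(int(c["out_port"]), int(c["in_port"]))
        c["service"] = f"{c['proto'].upper()}/{port}"
        conns.append(c)
    return conns

def top_talkers(conns, key="in_ip", n=5):
    """Sum bytes and count connections per key, largest byte total first."""
    totals = defaultdict(lambda: [0, 0])  # [bytes, connection count]
    for c in conns:
        totals[c[key]][0] += c["bytes"]
        totals[c[key]][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(k, b, cnt) for k, (b, cnt) in ranked[:n]]

if __name__ == "__main__":
    conns = parse_conns(SAMPLE)
    for key in ("in_ip", "out_ip", "service"):
        print(key, top_talkers(conns, key))
```

Grouping by `in_ip` shows which inside host moved the most data and over how many connections; grouping by `service` shows whether one protocol, such as SMTP, accounts for it.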

Do you know of a good reporting tool or syslog?
