monitoring bandwidth with PIX

tato386 · ‎01-28-2008

Is there any technique (no matter how primitive) I can use to single out high-bandwidth using private IPs behind my PIX? I am currenty using MRTG and I see a cummulative total of bandwidth usage but I need to know what individual IPs are using the bandwidth.

Thanks,

Diego

Collin Clark · ‎01-28-2008

There really isn't much you can do with the PIX in this situation. You do have other options though. You could use MRTG to monitor your switch ports or you could use a sniffer (ie Wireshark) and see who the top talkers are.

HTH

cisco24x7 · ‎01-28-2008

I have a better solution. Replace the Pix

with Checkpoint Firewall. You can do this

with Checkpoint SmartView Monitor and it will

give you just about everything you need,

including top talkers.

CCIE Security

tato386 · ‎01-28-2008

The Wireshark sounds good but I don't have a SPAN capable switch. This would mean trying to find a hub to connect the PIX inside interface and Wireshark machine, no?

Collin Clark · ‎01-28-2008

I'm afraid so.

m.sir · ‎01-28-2008

If you don't have SPAN switch on outside interface you can use hub to get copy of all PIX

traffic to the port. Hook up a machine and run either Ethereal (look for

the top talkers) or run nTop.

http://www.ntop.org/

Collin Clark · ‎01-28-2008

Good idea, but you will probably only see your NAT'd address not the internal IPs.

m.sir · ‎01-28-2008

I have just found conversation on similar topic

http://groups.google.pl/group/comp.dcom.sys.cisco/browse_frm/thread/972a527ba458f06/2d9638c4e38063ef?tvc=1&q=consumes#2d9638c4e38063ef

Check the Perl script in last post

M.

Collin Clark · ‎01-28-2008

Google 'PIX' and 'logging' and there are some free options out there that might help. I tried PLA once and it looked decent, but the link is currently down. You may need to turn on debug level logging on the PIX for the app to work properly, check the documentation.

russ · ‎01-29-2008

Version 8 ASDM gives you top 10 services, talkers and destinations based on IP address, with intervals of 1hr, 8hr and 24hr.

tato386 · ‎01-29-2008

What are the hardware requirements? I have 506 and 515 PIXes running V6.2 and V6.3 images.

Thanks,

Diego

russ · ‎01-29-2008

The Pix 506 is not supported, Pix 515 requires 128MB ram for UR licence and 64MB for restricted licence and 16MB flash, see version 8 release notes for further information.

Alejandro Cortes Rivera · ‎01-31-2008

Another way is to use th tool Netflow but you should do this in a router pix do not support netflow

mmcsweeny · ‎01-31-2008

Hi,

You could try collecting the syslog data from the PIX and using a reporting tool like Sawmill to generate reports.

See this article:

http://lachniet.com/cheaplogging/

Cheers!

paulovalverde · ‎02-01-2008

Hello Diego,

try NTOP (http://www.ntop.org/news.html)

best regards,

Paulo Valverde