Is there any technique (no matter how primitive) I can use to single out high-bandwidth using private IPs behind my PIX? I am currently using MRTG and I see a cumulative total of bandwidth usage but I need to know what individual IPs are using the bandwidth.
There really isn't much you can do with the PIX in this situation. You do have other options though. You could use MRTG to monitor your switch ports or you could use a sniffer (i.e. Wireshark) and see who the top talkers are.
I have a better solution. Replace the Pix with Checkpoint Firewall. You can do this with Checkpoint SmartView Monitor and it will give you just about everything you need, including top talkers.
The Wireshark sounds good but I don't have a SPAN capable switch. This would mean trying to find a hub to connect the PIX inside interface and Wireshark machine, no?
If you don't have a SPAN switch on the outside interface, you can use a hub to get a copy of all PIX traffic to the port. Hook up a machine and run either Ethereal (look for the top talkers) or run nTop.
I have just found a conversation on a similar topic. Check the Perl script in the last post.
Google 'PIX' and 'logging' and there are some free options out there that might help. I tried PLA once and it looked decent, but the link is currently down. You may need to turn on debug level logging on the PIX for the app to work properly; check the documentation.
The Pix 506 is not supported; the Pix 515 requires 128MB RAM for the UR licence and 64MB for the restricted licence, and 16MB flash. See the version 8 release notes for further information.
You could try collecting the syslog data from the PIX and using a reporting tool like Sawmill to generate reports.
See this article:
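Added example, not part of the original thread or any tool named in it: a minimal version of the syslog approach suggested above, summing the byte counts from PIX connection-teardown messages per inside host. It assumes the teardown message layout used by IDs 302014 (TCP) and 302016 (UDP) and an interface named `inside`; the log lines, addresses and byte counts are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumed teardown layout; values are made up).
SAMPLE_LOG = """\
Mar 03 10:15:01 pix %PIX-6-302014: Teardown TCP connection 4101 for outside:198.51.100.7/80 to inside:192.168.1.20/3321 duration 0:02:10 bytes 48211934 TCP FINs
Mar 03 10:15:02 pix %PIX-6-302013: Built outbound TCP connection 4102 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.20/3322 (203.0.113.2/1025)
Mar 03 10:15:03 pix %PIX-6-302016: Teardown UDP connection 4103 for outside:198.51.100.53/53 to inside:192.168.1.31/1044 duration 0:00:01 bytes 212
Mar 03 10:15:09 pix %PIX-6-302014: Teardown TCP connection 4104 for outside:203.0.113.80/443 to inside:192.168.1.31/1050 duration 0:00:40 bytes 1500000 TCP FINs
Mar 03 10:16:30 pix %PIX-6-302014: Teardown TCP connection 4102 for outside:198.51.100.7/80 to inside:192.168.1.20/3322 duration 0:01:28 bytes 1000066 TCP Reset-I
"""

# Only teardown records carry a byte count; "Built" records are skipped.
TEARDOWN = re.compile(
    r"%PIX-6-30201[46]: Teardown (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/\d+ "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)


def top_talkers(lines, inside_if="inside", n=10):
    """Return [(inside_ip, total_bytes), ...] sorted by bytes, highest first."""
    totals = Counter()
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            continue  # not a teardown record, or a layout this regex does not cover
        # Credit the connection's bytes to whichever endpoint is on the inside interface.
        for iface, ip in ((m["if_a"], m["ip_a"]), (m["if_b"], m["ip_b"])):
            if iface == inside_if:
                totals[ip] += int(m["bytes"])
    return totals.most_common(n)


if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{ip:<16} {nbytes / 1_000_000:10.2f} MB")
```

Bytes are only reported when a connection closes, so a long-running transfer does not appear in the totals until its teardown record is logged.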