Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

PIX 515 Protocols in Use

I'm trying to determine what's chewing up all of my Bandwidth. Do you guys know of a way or a tool to monitor this? I'm looking for identifying the traffic.

13 REPLIES
Silver

Re: PIX 515 Protocols in Use

You can turn on CEF (if not on already) and then turn on IP NBAR PROTOCOL DISCOVERY on the interface to determine the type of traffic going thru the interface (show ip nbar protocol discovery). You can also do a IP Route Cache Flow on the interface and do a Show route cache flow to see the size and traffic flows thru the interface. These should be able to help you out in determining your culprit..happy hunting..Please rate.....

New Member

Re: PIX 515 Protocols in Use

I'll move it to my internet router it's a 2811 and should work.

New Member

Re: PIX 515 Protocols in Use

Can you explain CEF?

Silver

Re: PIX 515 Protocols in Use

On router platforms CEF is Cisco's Express Forwarding and is enabled by default on new IOS's. However it provides for a faster routing and forwarding of packets through a router. If it is enabnled then you can enable the IP NBAR on the interface to gather the layer 3 stats for the interface and the flows going through the interface. It is a mechanism used for Netflow tools however you can use the CLI to decypher your information.....

New Member

Re: PIX 515 Protocols in Use

I have a tool that uses netflow. If I turn on CEF will it drop the interface?

Silver

Re: PIX 515 Protocols in Use

By turning on CEF will not bring down the interface. All it will do is take traffic stats of the the data going through the interface and provide it to the Netflow tool for reporting. You should have CEF enabled on your router anyway. It provides for a more efficient forwarding mechanism and speeds up the packet processing time through the device.....

New Member

Re: PIX 515 Protocols in Use

Which interface should it be applied outside or inside or it doesn't matter? It's currently not on.

Silver

Re: PIX 515 Protocols in Use

Assuming this is on a router based IOS platform and not a PIX firewall then you can apply it to any interface you want. If you know the specific interface that traffic flows through then apply it to that one. If you want to you can apply to all the interfaces.... This does not work on a PIX platform....

New Member

Re: PIX 515 Protocols in Use

I've enable ip nbar protocol-discovery on int fa0/0. When I try to pull the info from my software it's not coming up. Am I missing something?

Silver

Re: PIX 515 Protocols in Use

disregard the previous response, I just realized you are running a PIX 515 and not an IOS based unit. So the only command I know to see any traffic flows on a PIX is to use the SHOW CONN command. This will show you the current connections. It will also show you the ports being used. From that point you should be able to create an access-list to log those protocols and or police them as you see fit...Good luck....

Green

Re: PIX 515 Protocols in Use

This may help you...

http://www.ethereal.com/

New Member

Re: PIX 515 Protocols in Use

For a PIX you can use the output of the "sh conn" command. The connections table will hold the amount of bytes that has passed through a connection. Typically what I do in this situation is to copy this output to a text file and open it with Excel. You can sort the bytes field to determine who has transferred the most data or you can sort by source and dest to determine if a host has multiple connections. If you dont have any infected hosts chances are it could be SMTP which is what I usually see hogging bandwidth. This is a poor mans way of doing it but it works on the fly if you have no good syslog analyzer or reporting tools.

New Member

Re: PIX 515 Protocols in Use

Do you know of a good reporting tool or syslog?

255
Views
4
Helpful
13
Replies
CreatePlease to create content