Re: Determine IP that is generating traffic

jeff.saucier · ‎10-31-2002

We have 20+ Frame connected sites ranging from 256k to 2 - banded 1.55MB T1's. Occasionally I have a need to determing what/who is using all the Bandwidth at a specific site. We have Cisco 1750's, 2600's and 3600's running various versions of IOS's. Can this be acoomplished by connecting to the router and issuing a command? Thanks in advance.

thisisshanky · ‎10-31-2002

The best bet would be to use, MRTG to get real time statistics

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

steve.barlow · ‎10-31-2002

If you are looking for specific hosts and their traffic ouput, look into using the "ip accounting" command. Be careful due to the increased cpu load on the router that is doing it but it will help you.

The ip accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics.

"show ip accounting" will display the output.

eg:

Router# show ip accounting

Source Destination Packets Bytes

131.108.19.40 192.67.67.20 7 306

131.108.20.2 128.18.6.100 39 2184

131.108.13.55 192.12.33.51 214669 9806659

131.108.13.111 128.18.6.23 27739 1126607

131.108.13.44 192.12.33.51 35412 1523980

This link gives a little more detail: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#1018817

Hope it helps.

Steve

warren · ‎11-01-2002

IP accounting will do this for you but will eat up LOTS of CPU / memeory. Another option is to create ACL's that permit every host in the subnet and then apply them to the interface. You can then see who is using the bandwidth. EG:

ip access-list ex BoopSrc

permit ip host 1.2.3.1 any

permit ip host 1.2.3.2 any

...

permit ip host 1.2.3.254 any

permit ip any any !(just to be safe!)

now make another ACL that permits on destination:

ip access-list ex BoopDst

permit ip any host 1.2.3.1 !etc...

int E0

ip access-group BoopSrc in

ip access-group BoopDst out

^Z

sho ip access-list Boop

you should get a count of how many times each line has matched. You can leave these ACL's in the config to make testing really fast and easy, but you probably don't always want them on the interface as it just wastes resources...

The other option is NetFlow, but this is probably an overkill.... See my earlier reply to a thread titled "Stealing Bandwidth" or something similar...

Good luck and have fun...

--Warren.

jeff.saucier · ‎11-01-2002

Thanks for the reply. Acutally, IP Accounting was the command I was looking for. However, I will look at the ACL option due to the CPU concern. Question: What is the router command to view the current CPU load? Thanks again. I'm impressed with this forum.

thisisshanky · ‎11-01-2002

show process cpu

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

jeff.saucier · ‎11-01-2002

Thanks for the quick and acurate reply.