
Need to find out who is generating all the incoming traffic..

mbjohnson
Level 1

I have a 2600 router at a remote location with an E-1 that is constantly getting hammered with traffic. The load is on the incoming side:

txload 7/255, rxload 250/255

How can I tell which device on the inside network is all this traffic going to?

Thanks for any help.


ciscoblood
Level 1

Enable NetFlow caching on the router interfaces. You could be hit with a virus on your network. ip route-cache flow on your interfaces will enable it.

Use show ip cache flow to find out statistics.

http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Check this link.

Thanks, I did enable NetFlow on the serial and the Ethernet ports, but I'm not sure about the output. When I do a show ip cache flow, I see things like:

SrcIf SrcIP DstIf

Se0/0:0 12.221.33.195 Null

Any ideas on what this is?

SrcIf: Source interface from which the packet flow is coming into the router.

SrcIPaddress: Source IP address of the packet flow

DstIf: Destination interface for the packet flow on the router.

DstIPaddress: Destination IP address of the packet flow.

Pr: IP Protocol Type of the packet flow

SrcP: Source Protocol Number of the packet flow

DstP: Destination Protocol number of the packet flow

Pkts: Number of packets in the flow

You could also try installing a network packet sniffer such as Ethereal (www.ethereal.com) and sample the traffic being generated; if you show heavy traffic from one or a few IP sources to specific ports, they could be virus infected.
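One way to answer the original question from the show ip cache flow fields listed above, added here as an example that is not part of any reply in the thread: total the packets per inside destination for flows entering on the WAN interface, and list the flows whose DstIf is Null. The flow rows, the Fa0/0 interface name and all addresses are constructed sample data; Pr, SrcP and DstP are parsed as hex, which is how IOS prints them, and the K/M packet suffix is handled as an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show ip cache flow` flow records.
# Pr/SrcP/DstP are hex: 06 = TCP, 0087 = port 135, 01 + 0800 = ICMP echo.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0:0       192.0.2.10      Fa0/0         10.1.1.25       06 0A1B 0087   412
Se0/0:0       192.0.2.11      Fa0/0         10.1.1.25       06 0C22 0087   398
Se0/0:0       198.51.100.7    Null          10.1.1.200      01 0000 0800  9000
Se0/0:0       198.51.100.8    Null          10.1.1.201      01 0000 0800  8700
Se0/0:0       203.0.113.5     Fa0/0         10.1.1.30       11 0035 C001    12
Fa0/0         10.1.1.30       Se0/0:0       203.0.113.5     11 C001 0035    12
"""

ROW = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+"
    r"(\d+)([KM]?)\s*$")
SCALE = {"": 1, "K": 1000, "M": 1000000}  # assumed abbreviations for Pkts

def parse_flows(text):
    """Return one dict per flow row; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src_if, src, dst_if, dst, pr, sp, dp, n, unit = m.groups()
            flows.append({"src_if": src_if, "src": src, "dst_if": dst_if,
                          "dst": dst, "proto": int(pr, 16), "sport": int(sp, 16),
                          "dport": int(dp, 16), "pkts": int(n) * SCALE[unit]})
    return flows

def top_destinations(flows, wan_if):
    """Packets per destination for flows that entered on wan_if, largest first."""
    totals = Counter()
    for f in flows:
        if f["src_if"] == wan_if:
            totals[f["dst"]] += f["pkts"]
    return totals.most_common()

def not_forwarded(flows):
    """Flows with DstIf Null: counted by the router but not sent out an interface."""
    return [f for f in flows if f["dst_if"] == "Null"]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print(top_destinations(flows, "Se0/0:0"))
    print([(f["src"], f["dst"]) for f in not_forwarded(flows)])
```

Paste real output into SAMPLE (or read it from a saved terminal log) and pass the E-1 interface name as wan_if.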

On your interface on the local side of the remote link do an ip accounting output-packets then show ip accounting.

This will list the source and destination and the number of bytes transferred. Obviously this will show which hosts are getting a belting. You'll probably find that a number of hosts are getting large amounts of data compared to other hosts. Check these hosts first for virus or other suspicious activity.
