
detecting clients using excessive bandwidth

outsidein
Level 1

I wanted to find out if there is any way to identify which clients on a particular network interface are using a certain amount of bandwidth. We have an ASA 5510 with four interfaces including the internet and one network is generating an excessive amount of inbound traffic from the internet and I want to determine which client system on that network is generating the traffic. Is there a log or a setting to allow me to identify that client system by IP or MAC address?

7 Replies

There is a painful way.

See the amount of encrypted or decrypted traffic in the IPSEC SA. Hope this helps.

Hi,

You could set up a rate limit using police within a policy-map and see when it's triggered. This would allow you to control the amount of bandwidth used, and to log when the threshold is breached. However police is only applicable to egress traffic, and would affect all traffic defined by the match specified within the appropriate class-map, so I guess there's no way to narrow this down without knowing the culprit.

Hope this helps,

Glen

Fernando_Meza
Level 7

Hi ..

In this scenario I suggest you use a packet analyzer such as ethereal or packetizer .. you can get them from the web just google it. You could mirror the port connected to the ASA's interface that links to the network having the problem. This will give you a good idea of top ten connections etc... Also there is another tool statseeker .. you could get a trial version for 30 days.

I hope it helps .. please rate if it does !!!

also...

Instead of setting up a port mirror simply perform a local capture on the ASA and export it to ethereal. (via a copy /pcap). If you make it a circular capture you could leave it running to have the data always available whenever you need it.

Another option (more long-winded though) would be to put an access-list on one of the interfaces with a separate line for each IP. A "show access-list" would then give you a quick overview of IP address activity.

HTH

Andrew.
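
Added example, not part of the thread: once a capture from the interface facing the affected network has been exported as a pcap file, a short script can rank the inside clients by inbound bytes. It assumes a classic (microsecond) pcap of untagged Ethernet frames; the function names, the 10.1.1.0/24 inside subnet and the sample packets are constructed for illustration.

```python
import ipaddress
import socket
import struct
from collections import Counter

def top_talkers(pcap_bytes, inside_net, n=10):
    """Rank inside hosts by inbound bytes in a classic pcap of Ethernet frames."""
    net = ipaddress.ip_network(inside_net)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals = Counter()
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + IPv4 (20) headers; VLAN-tagged and non-IPv4 frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        dst = ipaddress.ip_address(frame[30:34])   # IPv4 destination address
        if dst in net:                             # inbound: destined to an inside client
            totals[str(dst)] += orig_len           # on-wire size, even if the capture truncated it
    return totals.most_common(n)

def build_sample():
    """Constructed capture: three inbound frames and one outbound frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [("198.51.100.7", "10.1.1.20", 1400), ("198.51.100.7", "10.1.1.20", 1400),
             ("198.51.100.9", "10.1.1.31", 200), ("10.1.1.31", "198.51.100.9", 60)]
    for src, dst, size in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * size
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for host, nbytes in top_talkers(build_sample(), "10.1.1.0/24"):
        print(f"{host:15} {nbytes} bytes")
```

For a real capture, read the exported file with `open(path, "rb").read()` and pass the inside subnet of the interface under investigation.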

jkell
Level 1

Not a cisco answer, but an easy one. If you have a span port of the traffic, connect a linux box and use ipaudit (http://sourceforge.net/projects/ipaudit). Very lightweight and passive. Web-based 'top-20' reports to give you exactly what you are asking.

Option #2: Netflow from border/edge router.

Thanks for all the suggestions, so far we have applied a policy map to limit bandwidth on that interface to 256k which doesn't answer the question but stops these clients from eating up the T1. I'm going to try a couple of the non-cisco suggestions using a linux box on that network to monitor activity more closely. Again thank you all for some very useful and interesting suggestions.

Another App you could use is N-top www.ntop.org. Very good web reporting in combination with a span port. It has linux and windows versions.

Patrick