2621 and pix how to find bandwidth abuser

I have about 200 users on 2 subnets, 192.168.1.x and 192.168.5.x. They all go to a 2621 router that forwards all but these 2 subnets to a PIX that uses NAT to go to the internet. The last 2 days we have had a few times where people lost connection to some servers and the internet. When I ping the router instead of


The fastest way might be to examine the switch port counters (e.g.: 5 minute input rate, 5 minute output rate, packets input, packets output).


switch#clear counters
Clear "show interface" counters on all interfaces [confirm]

switch#sh int fa0/1
FastEthernet0/1 is up, line protocol is up (connected)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     852988 packets input, 705814170 bytes, 240 no buffer
     Received 250963 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 240 ignored
     0 watchdog, 246210 multicast, 0 pause input
     0 input packets with dribble condition detected
     2065563 packets output, 172724912 bytes, 0 underruns
     0 output errors, 15 collisions, 0 interface resets
     0 babbles, 0 late collision, 448 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

There is an earlier post that you might want to read titled: "Logging traffic activity of Cisco router", posted on May 20th.

NetFlow would be very good for making this determination. However, if you need a quick fix, you might try using inspection (with auditing: ip inspect audit-trail) on the router's inside interface (if you aren't already doing so) to generate syslog messages such as the following:

11033: router-A: May 21 23:13:35.533 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop nntp session: initiator (source-IP-addr:1697) sent 181 bytes -- responder (dest-IP-addr:119) sent 6773 bytes

This would be beneficial (IF) the offender is sending traffic "through" the router, vs. traffic contained within the LAN.

If you have a Cisco switch that supports SPAN (Switch Port Analyzer), you might want to place a sniffer (e.g. Wireshark) on a SPAN destination port (configurable) and monitor source ports of interest (e.g.: port to which the router connects to the switch). You should have this kind of visibility moving forward, using SPAN or a network tap.

Best Regards, News Reader


I prefer NetFlow in such cases. Implement it on your router. A lot of freeware tools are available on the internet.

Not only can you find out who generates traffic, but also what traffic causes your problem.

formatting link
could be a good start.



Use IP accounting. It is built into your router and you do not have to go download third party software and install it on any PC.

interface FastEthernet0/0
 ip accounting
end

show ip accounting

clear ip accounting

This will show you which hosts are communicating through the interface and their byte counts. After a long day, collect the information using a copy-and-paste into a spreadsheet. A program like Excel has a "Text to Columns" option under the "Tools" pull-down menu to help separate the data into columns. After that, sort and then you will end up with your heaviest conversations at the top of the list.


Scott Perry Indianapolis, IN
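
Added example (not part of the post above): a Python script that does the spreadsheet step directly on pasted "show ip accounting" output, totalling bytes per inside host in both directions and sorting heaviest first. The sample output is constructed, and the inside prefixes are taken from the two subnets named in the question; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip accounting" output (addresses and counts are invented).
SAMPLE = """\
router#show ip accounting
   Source           Destination              Packets               Bytes
 192.168.1.23     203.0.113.10                  48211            61250344
 192.168.5.77     198.51.100.4                    912              104332
 203.0.113.10     192.168.1.23                  30110             1987260
 192.168.1.23     198.51.100.9                  10400            14022000
 192.168.1.40     203.0.113.10                    150               18000

Accounting data age is 412
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A data row is: source IP, destination IP, packet count, byte count.
ROW = re.compile(r"^\s*" + IP + r"\s+" + IP + r"\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Yield (source, destination, packets, bytes); prompts, header and footer are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def top_talkers(text, inside_prefixes=("192.168.1.", "192.168.5."), limit=10):
    """Total bytes per inside host, sent plus received, heaviest first."""
    totals = defaultdict(int)
    for src, dst, _pkts, nbytes in parse_accounting(text):
        for host in (src, dst):
            if host.startswith(inside_prefixes):
                totals[host] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

def heaviest_conversations(text, limit=10):
    """Individual source/destination pairs sorted by byte count, largest first."""
    return sorted(parse_accounting(text), key=lambda r: r[3], reverse=True)[:limit]

if __name__ == "__main__":
    for host, nbytes in top_talkers(SAMPLE):
        print(f"{host:<16} {nbytes:>12}")
```
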

