I have about 200 users on 2 subnets, 192.168.1.x and 192.168.5.x; they all go to a 2621 router that forwards all but these 2 subnets to a PIX that uses NAT to go to the internet. The last 2 days we have had a few times where people lost connection to some servers and the internet. When I ping the router instead of
There is an earlier post that you might want to read titled: "Logging traffic activity of Cisco router", posted on May 20th.
NetFlow would be very good for making this determination. However, if you need a quick fix, you might try using inspection (with auditing: ip inspect audit-trail) on the router's inside interface (if you aren't already doing so) to generate syslog messages such as the following:
11033: router-A: May 21 23:13:35.533 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop nntp session: initiator (source-IP-addr:1697) sent 181 bytes -- responder (dest-IP-addr:119) sent 6773 bytes
This would be beneficial (IF) the offender is sending traffic "through" the router, vs. traffic contained within the LAN.
If you have a Cisco switch that supports SPAN (Switch Port Analyzer), you might want to place a sniffer (e.g. Wireshark) on a SPAN destination port (configurable) and monitor source ports of interest (e.g.: port to which the router connects to the switch). You should have this kind of visibility moving forward, using SPAN or a network tap.
Use IP accounting. It is built into your router and you do not have to go download third party software and install it on any PC.
interface FastEthernet0/0
 ip accounting
end
show ip accounting
clear ip accounting
This will show you which hosts are communicating through the interface and their byte counts. After a long day, collect the information using a copy-and-paste into a spreadsheet. A program like Excel has a "Text to Columns" option under the "Tools" pull-down menu to help separate the data into columns. After that, sort and then you will end up with your heaviest conversations at the top of the list.
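The spreadsheet sort described above, and the same ranking applied to the %FW-6-SESS_AUDIT_TRAIL messages from the earlier reply, can be done with a short script instead. This is an added example, not code from any poster in the thread; both input samples are constructed to match the formats shown (the `Accounting data age` footer and the `_START` line without byte counts are there so the parsers can be seen skipping them), and the column layout assumed for `show ip accounting` is the usual Source / Destination / Packets / Bytes table.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip accounting` output (not captured from a real router).
IP_ACCOUNTING_OUTPUT = """\
   Source           Destination              Packets               Bytes
 192.168.1.25       10.20.30.40                  8412            6123488
 192.168.5.17       10.20.30.40                   120              14400
 192.168.1.25       10.20.30.41                  3001            2204992
 192.168.5.9        10.20.30.42                    45               5400
Accounting data age is 12
"""

# Constructed sample of audit-trail syslog lines in the format quoted in the thread.
# The _START line carries no byte counts and is ignored by the parser.
AUDIT_TRAIL_LOG = """\
11033: router-A: May 21 23:13:35.533 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop nntp session: initiator (192.168.1.25:1697) sent 181 bytes -- responder (10.20.30.40:119) sent 6773 bytes
11034: router-A: May 21 23:13:36.101 EDT: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.5.17:2233) -- responder (10.20.30.40:80)
11035: router-A: May 21 23:14:02.410 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.168.5.17:2233) sent 540 bytes -- responder (10.20.30.40:80) sent 120000 bytes
11036: router-A: May 21 23:14:10.002 EDT: %FW-6-SESS_AUDIT_TRAIL: Stop smtp session: initiator (192.168.1.25:1700) sent 900000 bytes -- responder (10.20.30.41:25) sent 300 bytes
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One data row of `show ip accounting`: src, dst, packets, bytes. Header and footer do not match.
ACCT_LINE = re.compile(r"^\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\d+)\s+(\d+)\s*$")

# A completed (Stop) CBAC session with byte counts in both directions.
AUDIT_LINE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (\S+) session: "
    r"initiator \(" + IPV4 + r":(\d+)\) sent (\d+) bytes -- "
    r"responder \(" + IPV4 + r":(\d+)\) sent (\d+) bytes"
)


def ip_accounting_records(text):
    """Return (src, dst, bytes) tuples from `show ip accounting` output."""
    records = []
    for line in text.splitlines():
        m = ACCT_LINE.match(line)
        if m:
            records.append((m.group(1), m.group(2), int(m.group(4))))
    return records


def audit_trail_records(text):
    """Return (initiator, responder, bytes) tuples from Stop audit-trail lines.

    Bytes are the sum of both directions, since both cross the router.
    """
    records = []
    for line in text.splitlines():
        m = AUDIT_LINE.search(line)
        if m:
            sent, received = int(m.group(4)), int(m.group(7))
            records.append((m.group(2), m.group(5), sent + received))
    return records


def top_conversations(records, n=3):
    """Heaviest (src, dst) pairs by total bytes, descending."""
    totals = defaultdict(int)
    for src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_hosts(records, n=3):
    """Heaviest source hosts by total bytes, descending; this is the 'who is it' answer."""
    totals = defaultdict(int)
    for src, _dst, nbytes in records:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for label, recs in (("ip accounting", ip_accounting_records(IP_ACCOUNTING_OUTPUT)),
                        ("audit trail", audit_trail_records(AUDIT_TRAIL_LOG))):
        print(f"--- {label}: top hosts ---")
        for host, total in top_hosts(recs):
            print(f"{host:16} {total:>10} bytes")
        print(f"--- {label}: top conversations ---")
        for (src, dst), total in top_conversations(recs):
            print(f"{src:16} -> {dst:16} {total:>10} bytes")
```

Paste the real `show ip accounting` output or a syslog extract into the two strings (or read them from files) and the two "top" lists replace the Text-to-Columns step. The two sources do not measure the same thing: IP accounting counts every transit packet on the interface, while the audit trail only reports sessions the inspection engine tracked and only once they close, so a long-lived session that is still open will not appear in the audit-trail totals yet.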