PIX monitoring

I recently had a user upload massive files from the office here to an FTP server on the net, and since there was no limitation of bandwidth at either endpoint, he inadvertently consumed all of our T1 bandwidth with this transfer. While this was happening, I was trying to figure out where all this traffic was coming from; I could see it going out but did not know how to find which particular node was the culprit. I do have a syslog in place, but the raw reports from it were not of much help. I typically use this with filters for troubleshooting purposes, but how can you filter for something if you don't know what it is that you're looking for? After a couple of hours, I finally found who it was just by walking around the building, but I obviously need a better mechanism to figure this out a lot quicker. I have just purchased a tool that parses and analyzes syslog files and generates reports based on info found there, but what do people do without a tool like this, and what if you want to see it in real time? Is there any type of monitoring on the PIX itself, or other tools that would assist in this? I did take a look at the various graphs and such in the PDM, but nothing there identifies the addresses of connection endpoints, only number of connections, bandwidth consumption, etc.

Thanks,

-Peter

Reply to
Peter Lecki

What does the PIX connect to on its inside interface?

Reply to
Merv

A LAN switch.

Reply to
Peter Lecki

You can configure SPAN on one of the switch-ports to send a copy of all PIX traffic to the port. Hook up a machine and run either Ethereal (look for the top talkers) or run nTop. Both should work nicely.


Reply to
BSD Johnson

In article , Peter Lecki wrote:
:I recently had a user upload massive files from the office here to an FTP server on the net and since there was no limitation of bandwidth at either endpoint, he inadvertently consumed all of our T1 bandwidth with this transfer. While this was happening, I was trying to figure out where all this traffic was coming from, I could see it going out but did not know how to find which particular node was the culprit.

:Is there any type of monitoring on the PIX itself or other tools that would assist in this? I did take a look at the various graphs and such in the PDM, but nothing there identifies the addresses of connection endpoints, only number of connections, bandwidth consumption, etc.

PDM implies PIX 6.x. There are no statistics or messages available in PIX 6.x that allow one to see connection traffic for -current- connections (unless perhaps something in "show local-host detail"; I haven't looked at that in a while.)

If you knew ahead of time that this might happen, then the "log" keyword on an ACL entry would trigger periodic IOS-style traffic syslog messages. Unfortunately, changes to an ACL only apply to new flows, so you can't retroactively edit in a "log" modifier to an ACL and hope to gain anything from it.

What you can do in PIX 6.2 or later is use "capture" to grab some of the data packets, then "show capture" to find out which system the traffic is with. Capture against the inside interface to see the interior IPs -- if you capture against the outside interface, it would be the translated IPs that you would see.

Reply to
Walter Roberson

Peter Lecki wrote:

I had the same problem; Walter Roberson wrote a script for this.

At this time I use FireGen as a PIX log analyzer, but this is not "on-line", only "on-demand".

regards

Kmet

Reply to
kmet
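For readers without a commercial log analyzer, here is an added example (not from any poster in this thread, and not Walter Roberson's script) of the kind of syslog parsing that answers Peter's "which node is the culprit" question. It tallies bytes per inside host from PIX connection-teardown messages; the log lines are constructed samples in the PIX 6.x %PIX-6-302014/302016 format, not real traffic, and the "inside" interface name is an assumption that matches the default PIX naming.

```python
import re
from collections import defaultdict

# Constructed sample PIX 6.x syslog lines (not real traffic). The 302014/302016
# teardown messages carry the byte count for the whole flow; 302013 "Built"
# messages do not, so the parser must skip them.
SAMPLE_LOG = """\
%PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/21 to inside:192.168.1.50/3201 duration 0:00:05 bytes 1840 TCP FINs
%PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.10/20 to inside:192.168.1.50/3202 duration 0:12:40 bytes 734003200 TCP FINs
%PIX-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/80 to inside:192.168.1.23/1187 duration 0:00:02 bytes 51200 TCP FINs
%PIX-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/443 to inside:192.168.1.23/1188 duration 0:00:09 bytes 204800 TCP Reset-O
%PIX-6-302016: Teardown UDP connection 1005 for outside:198.51.100.53/53 to inside:192.168.1.77/1025 duration 0:00:01 bytes 312
%PIX-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.10/21 (203.0.113.10/21) to inside:192.168.1.50/3203 (192.0.2.1/3203)
"""

# Matches TCP (302014) and UDP (302016) teardowns and captures both endpoints,
# their interface names, and the flow byte count.
TEARDOWN_RE = re.compile(
    r"%PIX-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/\d+ to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)

def top_talkers(log_text, inside_if="inside"):
    """Return [(inside_ip, total_bytes), ...] sorted by bytes, largest first.

    The counter is keyed on whichever side of the connection sits on the
    interface named by inside_if ("inside" is assumed here), so the result
    names the internal host regardless of which direction opened the flow.
    Lines without a byte count, or not touching inside_if, are ignored.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        if m["a_if"] == inside_if:
            host = m["a_ip"]
        elif m["b_if"] == inside_if:
            host = m["b_ip"]
        else:
            continue  # e.g. a dmz<->outside flow, no inside host involved
        totals[host] += int(m["bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE_LOG):
        print(f"{ip:>15}  {nbytes / 1_000_000:10.1f} MB")
```

Because byte counts are only logged at teardown, a long-running upload like the one in the question shows up here only after it finishes; for the in-progress case, the "capture" approach Walter Roberson describes is the one that works.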
