pix - who consumes my throughput?

PIX 515 6.3.4

Is there an easy way to determine who consumes my throughput?

I have a 1Mb DSL line and I can see (mrtg) that it has been used at 80% since morning. I have 200-1000 connections all the time (show conn). How can I determine which host (ip) consumes the most (live and daily)?

regards

jarek

jarcar

You could enable cisco netflow and use a 3rd party app like adventnet...


thatoneguy

In article , thatoneguy wrote:
:You could enable cisco netflow and use a 3rd party app like
:adventnet...

Not on a PIX you can't!

Walter Roberson

In article , jarcar wrote:
:PIX 515 6.3.4

:Is there an easy way to determine who consumes my throughput?

I don't mean to be blunt -- but NO, there is no such way.

:I have a 1Mb DSL line and I can see (mrtg) that it has been used at 80% since
:morning.
:I have 200-1000 connections all the time (show conn).
:How can I determine which host (ip) consumes the most (live and daily)?

Network Intelligence used to have nearly the only PIX analysis tool I know of, but apparently they are getting out of the software market and moving to security "appliances".

There is a simple plug-in for SawMill that can be used, but [no offence intended to the authors] it is not at all sophisticated.

If it is okay for your purposes to just track -which- system is involved with the traffic, without caring about which protocols are involved or which direction the traffic was initiated from, and if it is okay to just account for TCP and UDP (e.g., skipping ESP traffic from internal VPN clients talking to an outside machine), then here is a simple perl script you can use.

Set your "logging trap" level to 6 or higher on the PIX and "logging host" to a server configured to accept syslog messages. grep out the records of interest and pipe them to the script. You will need to adjust the first line to reflect the path to your perl.

This script sorts traffic in reverse order by megabytes, doing rounding on the count and dropping off everything < 1/2 MB.

This script only reports by the internal IP for the traffic, not making any attempt to do accounting by destination.

#!/usr/freeware/bin/perl
# pixtraff -- Very simple PIX accounting script for TCP and UDP traffic,
# PIX 6.2 and later.
#
# written 20050315 by Walter Roberson, snipped-for-privacy@ibd.nrc-cnrc.gc.ca
# To use, grep out the syslog records for the time you are interested in
# and pipe them to the script. For example,
#   egrep '^Mar 15' /var/adm/routerLOG | ./pixtraff

use strict;
use warnings;

my %traff;   # bytes seen per internal IP

while (<>) {
    # only TCP (302014) and UDP (302016) connection teardown records carry byte counts
    next unless /%PIX-6-302014|%PIX-6-302016/;
    # the host after "to <interface>:" is the inside end of the connection;
    # "bytes N" is the total transferred over its lifetime
    my ($inip, $bytes) = m! to .*:([^/]*?)/\d+ duration.* bytes (\d+)!;
    next unless defined $bytes;   # skip records that do not fit the expected layout
    $traff{$inip} += $bytes;
}

# report in reverse order by megabytes, rounding and dropping anything under 1/2 MB
foreach (sort { $traff{$b} <=> $traff{$a} } keys %traff) {
    my $MB = int(0.5 + $traff{$_} / (1024 * 1024));
    next if $MB == 0;
    printf "%6d MB %s\n", $MB, $_;
}

Walter Roberson
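An added example (not Walter's script and not from this thread) that does the same per-inside-host accounting in Python, going one step further by keeping a TCP/UDP breakdown per host, run over a few constructed PIX 6.x 302014/302016 syslog lines; the regex assumes the "for <iface>:ip/port to <iface>:ip/port duration ... bytes N" layout of those messages.

```python
import re
from collections import defaultdict

# 302014 (TCP) and 302016 (UDP) teardown records, PIX 6.2+. The bytes figure is
# only logged when the connection is torn down, so long-lived sessions show up
# late. The host after "to <iface>:" is the higher-security side of the conn,
# i.e. the internal host whichever side initiated, same as the perl script.
TEARDOWN = re.compile(
    r"%PIX-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:[\d.]+/\d+ to \w+:(?P<inip>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)

def account(lines):
    """Return {inside_ip: {proto: bytes}}; anything that is not a TCP/UDP
    teardown (ESP, ICMP, denies, builds) is skipped, as in the script."""
    traff = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = TEARDOWN.search(line)
        if m:
            traff[m["inip"]][m["proto"]] += int(m["bytes"])
    return traff

def top_talkers(lines):
    """Inside hosts by total bytes, descending, as whole MB, dropping hosts
    that round to 0 MB (i.e. under 1/2 MB), like the script's report loop."""
    totals = {ip: sum(per_proto.values()) for ip, per_proto in account(lines).items()}
    report = []
    for ip, nbytes in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        mb = int(0.5 + nbytes / (1024 * 1024))
        if mb:
            report.append((ip, mb))
    return report

# Constructed sample syslog lines (not real traffic); the 106023 deny line is
# there to show that non-teardown records are ignored.
SAMPLE_LOG = """\
Mar 15 09:01:02 pix %PIX-6-302014: Teardown TCP connection 1201 for outside:192.0.2.10/80 to inside:10.1.1.5/33445 duration 0:00:12 bytes 3145728 TCP FINs
Mar 15 09:01:05 pix %PIX-6-302016: Teardown UDP connection 1202 for outside:192.0.2.53/53 to inside:10.1.1.7/1025 duration 0:00:01 bytes 512
Mar 15 09:02:10 pix %PIX-6-302014: Teardown TCP connection 1203 for outside:198.51.100.4/443 to inside:10.1.1.7/1026 duration 0:03:00 bytes 1048576 TCP Reset-I
Mar 15 09:02:11 pix %PIX-6-302014: Teardown TCP connection 1204 for outside:198.51.100.4/443 to inside:10.1.1.5/1027 duration 0:00:30 bytes 2097152 TCP FINs
Mar 15 09:03:00 pix %PIX-6-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.1.1.5/445 by access-group "outside_in"
"""

if __name__ == "__main__":
    for ip, mb in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{mb:6d} MB {ip}")   # same layout as the perl script's printf
```

For a live view rather than a daily one, feed it the tail of the syslog file for the last few minutes; the counts still only appear when each connection is torn down.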

Sorry, my bad... for some reason I was thinking router... you can always do it the old-fashioned way... packet capturing... the old hub can do wonders... hub the ethernet port and get a box on it with the pix and check this software...

formatting link
have a free demo of a packet analyzer that will show real time weighted traffic...

thatoneguy

Thank you very much! It works like a charm. I just have to work a little on my perl scripting.

I owe you a beer... of course in Poland :) (You are always welcome!)

jarcar

jarcar
