Slow down of internet service

We have a network that consists of 300+ workstations, mostly win xp, 10 servers (file, email, antivirus, and sus) and about 20 network printers. Linking these w/s are a combination of switches and hubs (90% 10/100 switches although there are still a few 10/100 hubs present). All of these workstations, switches, and servers are interspersed throughout two 7 story buildings. We are connected to the internet by a full T1 line. Lately, at certain times of the day (never at a fixed time and never on a predetermined day), our internet access slows to a point where everyone on the network is crawling. Our internet access has never behaved like this. The number of machines has not increased significantly on our network in one year. I was advised to use a protocol sniffer which I did and found nothing out of the ordinary other than high ARPage from our servers. I've checked for machines with viruses and found none. Does someone know of something else to look for on the protocol sniffer or for that matter anything else that might help me out?
lelo

What was the utilization on the router interface facing your Internet connection? Not sure what protocol analyzer you used, but I'm not sure what you mean by "nothing out of the ordinary". The way you phrased this post (no offense meant) tells me you may not know - fully - what to look for in the traces. But if you use Ethereal (for example) and watch the router interface with the T1 connection, you will see traffic patterns. Perhaps someone is clogging it up with P2P programs, for example.

Hansang Bae

Look at the T1. A T1 is only 1.5% the bandwidth of each of your 300 hosts. So it is absolutely trivial for any single host to clog the available outside bandwidth. So this is what you'll need to look for.

If this is the first time you notice such problems, this is the ideal time to create some semblance of a network management. Apart from sniffing-when-things-are-gone-bad, this involves round-the-clock measurement of at least the bandwidth usage on the T1, and packet drops on the T1's router interface. The most common open source software used for such basic monitoring, can be found at

formatting link
BTW, if you have further questions, this newsgroup is probably not the best one to ask. comp.dcom.net-management may be more appropriate. Or, depending on the importance of the internet connection for your operation, and a possible total lack of in-house competence in these matters, maybe a good network consultant would be even more appropriate.

best regards Patrick

Patrick Schaaf


If, in fact, your T1s are being swamped, you need to find out if it's legitimate traffic or some bogus traffic. So here's what I would do.

1) Track the T1 interface's utilization using MRTG. *VERY* easy to set up as there are step by step instructions on setting it up.
2) Span the router's Ethernet port to a PC running Ethereal. Capture using bytes size of 128 bytes. You don't need the full packet for stuff like this.

Capture for a bit (say 15 minutes) and use the following filters in Ethereal:

tcp.analysis.retransmissions

You can also use Statistics, Endpoints, and look at the TCP stats. Are they legitimate?

You can also enable netflow (or cflow if it's not a Cisco router) and export it to many free netflow collectors. This will give you a running total of IP/pairs/port numbers/packet sizes. Basically, a who's who listing of your network.

Hansang Bae
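The "who's who listing" from flow export described in the post above, as an added example that is not part of any poster's reply: it totals bytes per inside host per minute and reports hosts using a large share of the T1. The record layout, the 10.0.0.0/8 inside range, the 50% threshold and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

T1_BPS = 1_544_000                            # T1 line rate, bits per second
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

# Constructed sample flows: (start_epoch_s, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0,  "10.0.3.77",   "203.0.113.9",  6881, 5_000_000),
    (10, "10.0.1.20",   "198.51.100.4", 80,   300_000),
    (15, "10.0.1.5",    "10.0.2.8",     445,  50_000_000),  # LAN only
    (30, "203.0.113.9", "10.0.3.77",    6881, 4_000_000),
    (70, "10.0.1.20",   "198.51.100.4", 80,   200_000),
    (95, "10.0.3.77",   "203.0.113.9",  6881, 6_000_000),
]

def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE

def top_talkers(flows, window_s=60, share=0.5):
    """Return [(window_start, host, pct_of_t1)] for inside hosts whose
    WAN traffic in one window is at least `share` of T1 capacity."""
    per_host = defaultdict(int)
    for ts, src, dst, _dport, nbytes in flows:
        src_in, dst_in = is_inside(src), is_inside(dst)
        if src_in == dst_in:
            continue  # LAN-to-LAN (or transit) traffic never crosses the T1
        host = src if src_in else dst
        per_host[(ts - ts % window_s, host)] += nbytes
    capacity = T1_BPS / 8 * window_s          # bytes the T1 can carry per window
    hits = [(w, h, round(100 * b / capacity, 1))
            for (w, h), b in per_host.items() if b >= share * capacity]
    return sorted(hits, key=lambda r: (r[0], -r[2]))

if __name__ == "__main__":
    for window, host, pct in top_talkers(FLOWS):
        print(f"t={window:>4}s  {host:<12} {pct:5.1f}% of T1")
```
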

I'm not sure a protocol analyser is the best tool for this problem. The first thing you need to do is determine if the problem is on your end or somewhere on the other side of the T1. You don't say what kind of router is on your end of the T1, but it likely can give you usage statistics per interface. You might check the free MRTG tool which would allow you to monitor traffic patterns easily and to see if there are usage spikes on your end:

formatting link
If you can't do this yourself, ask your ISP for help. If they know what they're doing, they should be able to give you data on use of your T1. They may even use MRTG or its commercial equivalent. (If they don't know what they're doing, you might want to switch ISPs!)

I work in a network situation much like you describe, but on a smaller scale, 20+ machines behind a DSL connection. We also have periodic internet "brown-outs", but when I take the time to track down the problem (that is, when it lasts more than a minute or two), it's almost always at our ISP, often due to configuration changes or equipment upgrades gone awry. Once in a great while someone here is downloading a 700 Mb ISO or something, but I can find out just by asking a half dozen people.

Dave

David Tiktin
