Network spikes

Dahak

Diamond Member
Mar 2, 2000
3,752
25
91
This is something I'm not sure how to tackle.

Got an odd problem. Have a client that has an odd network issue: something is using up a lot of bandwidth at random times with no rhyme or reason, which started out of the blue a few weeks ago. Had checked with the ISP and something is using a lot of outbound bandwidth, causing internet troubles and slowdowns.

We did try to isolate which computer is causing the issue, but so far have been unable to locate which machine.

He did tell me that it's supposedly coming from a machine with a MAC address of 20-20-20-20-20-20; not sure how he found that out, but could not find the machine that has that MAC.

Is there something that I can run on one of their machines to see which machine is causing this? I know there are programs like Wireshark, but I do not know what to look for when using it. Or is there something else that I could use?

Thanks
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Is the client using a business router, or a small personal/home router? Most business class routers have monitoring tools that let you track bandwidth usage and other information by port number, computer, etc. Some home routers will as well. If the router has the ability, take a look at the router logs to see which device is using the bandwidth.
 

Dahak

Unfortunately it does not. It is a Netopia R910, if it helps.

I had looked in its limited logs, but could not see anything at the time.
 

talion83

Member
Mar 21, 2011
67
0
61
How many computers are there? Wireshark is certainly a tool that could be used to figure out what the traffic is doing - but really you should be able to just open Task Manager and look at the 'Networking' tab.

If the computer isn't doing anything on the network, the activity will be 0% - if you open Task Manager and see that the network is constantly going - well, that is a good indication that something is going on with that computer.

There are a number of methods you can use on a per-PC basis to see what it may be doing. Simply going to the command prompt and doing 'Netstat -ano' will tell you all active connections on that computer, who/where it is going, the state it is in, and even the PID (the PID can be used to match it up with a PID in Task Manager to see what is doing it) ('Netstat -ano >> c:\file.csv' is also useful to dump the results into Excel and pull up - more useful for servers).

Long term, they should look into a Firewall of some sort.
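An added example, not part of the original post: a small parser for saved `netstat -ano` output that counts TCP connections to hosts outside the LAN per PID and remote port, so the busiest PID can be looked up in Task Manager. The sample output, the addresses and the `192.168.1.0/24` LAN range are constructed assumptions.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed client LAN range

# Constructed sample of `netstat -ano` output from one Windows PC.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.23:49701     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.23:49712     203.0.113.45:25        ESTABLISHED     4312
  TCP    192.168.1.23:49713     203.0.113.46:25        ESTABLISHED     4312
  TCP    192.168.1.23:49714     198.51.100.7:25        SYN_SENT        4312
  TCP    192.168.1.23:49650     198.51.100.20:443      ESTABLISHED     2216
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1720
"""

def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        # TCP rows have 5 columns; UDP rows lack a State column and are skipped,
        # as are the banner and header lines.
        if len(f) != 5 or f[0] != "TCP":
            continue
        host, _, port = f[2].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        yield host, int(port), f[3], int(f[4])

def external_by_pid(text, lan=LAN):
    """Count open or opening TCP connections to non-LAN hosts per (PID, remote port)."""
    counts = Counter()
    for rip, rport, state, pid in parse_netstat(text):
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue
        ip = ipaddress.ip_address(rip)
        if ip.is_loopback or ip.is_unspecified or ip in lan:
            continue
        counts[(pid, rport)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (pid, port), n in external_by_pid(SAMPLE):
        print(f"PID {pid}: {n} connection(s) to remote port {port}")
```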
 

Dahak

There are about 18-20 computers running on the network. The only issue with doing something manual like that netstat is that sometimes when the issue happens it may not happen long enough to be able to get to all the machines.

All the machines are in a workgroup environment and there is no Windows server; they do have a Unix server that they run the point of sale off of.
 

talion83

Most software that is going to be intelligent with this requires something like a managed layer 2/3 switch.

You can try to use Wireshark or Microsoft Network Monitor to help narrow down the source. But unless they are using a hub and not a switch - you will only pick up broadcast or local traffic - I suppose you could put it on every PC and have it run, but it would probably slow down their computers. Install it, start it, then when the 'slow down' happens mark down the time. Stop it on all of the computers, arrange by time at first - remove all of the time before/after the incident. Then arrange by Destination and see which computer is doing something odd.

Really I think your best bet here is going to be finding a Layer 2/3 device that isn't overly expensive and either internally has good logging - or can connect to another program for logging (for example you can dump all of the logs to another computer that is running a trial of one of ManageEngine's software and it could parse it out).

I was looking into ManageEngine's products a bit back and recall it being able to pull some really good information from my layer 2 Netgear switches - GS724TP's. If I recall correctly I was able to get usage information by port, IP, destination, etc... They don't necessarily need a 1GB switch, but you could look into the 10/100 version of the Netgear or a similar device and use the trial software from ManageEngine. I believe it gathered most of the information via SMTP.

It was over a year ago that I was testing it though so my memory could be a bit fuzzy.

Look around though - you might be able to find a refurbished switch/firewall at a good price.

Even if it is for a "client" you could always look into the Layer 2/3 device for yourself for future events of this nature.
-----------

Another thought is a Fluke device - but this might be as expensive as a switch + software. They have some network monitoring tools you can put between the Switch and the Router, have it monitor all of the traffic - then dump it onto a computer later and examine.
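An added example, not part of the original post: the "trim to the incident time, then arrange by Destination" step from the post above, applied to per-PC Wireshark captures exported as CSV. It assumes the default export columns with the time shown as time of day; the capture rows, addresses and the `192.168.1.0/24` LAN range are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import time

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed client LAN range

# Constructed Wireshark CSV exports, one per PC.
PC_A = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","14:01:58.100000","192.168.1.23","198.51.100.20","TCP","1514","before window"
"2","14:02:05.200000","192.168.1.23","203.0.113.45","TCP","1514","constructed"
"3","14:02:06.300000","192.168.1.23","203.0.113.45","TCP","1514","constructed"
"4","14:02:07.000000","203.0.113.45","192.168.1.23","TCP","60","inbound reply"
"5","14:02:08.000000","Dell_aa:bb:cc","Broadcast","ARP","42","non-IP row"
'''
PC_B = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","14:02:06.000000","192.168.1.31","192.168.1.5","SMB2","300","LAN only"
"2","14:02:09.500000","192.168.1.31","198.51.100.20","TLSv1.2","583","constructed"
'''

def top_outbound(captures, start, end, lan=LAN):
    """Sum bytes per (LAN source, external destination) inside [start, end]."""
    totals = defaultdict(int)
    for text in captures:
        for row in csv.DictReader(io.StringIO(text)):
            try:
                t = time.fromisoformat(row["Time"])
                src = ipaddress.ip_address(row["Source"])
                dst = ipaddress.ip_address(row["Destination"])
            except ValueError:
                continue  # ARP and similar rows carry names or MACs, not IPs
            if not (start <= t <= end):
                continue  # drop everything before/after the marked incident
            if dst.is_multicast or dst.is_reserved:
                continue  # multicast and 255.255.255.255 stay on the LAN
            if src in lan and dst not in lan:
                totals[(str(src), str(dst))] += int(row["Length"])
    # Largest outbound flow first: the PC "doing something odd".
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst), n in top_outbound([PC_A, PC_B], time(14, 2, 0), time(14, 2, 30)):
        print(f"{src} -> {dst}: {n} bytes")
```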
 

kschaffner

Golden Member
Feb 12, 2006
1,098
0
76
I suppose a temp solution could be to add a MAC address filter to the router/switch if possible and block the MAC address that the client is reporting to you. Not exactly a fix, but it could work until you found the culprit.