
I am the Net Admin for my company and we currently have a T1 connection to the internet but are only getting speeds of around 150kbps down and close to 1.5 up. I am not sure how to go about figuring out what machine on my network could be doing something it shouldn't or possibly has a virus. We have close to 100 PCs on our network, so loading software on each would be a bear. Is there any network tool I can use that will tell me what machine is using all the bandwidth so that I can see if it possibly has a virus? I am here at work tonight, the only one here, and the internet connection is terrible, so that is why I am thinking I possibly have an infected computer and just don't realize it.

Thanks!

  • That's definitely 150 kilobits not kilobytes that you are getting down? T1 is only supposed to provide 150 kilobytes down (or 1.5 megabits): http://en.wikipedia.org/wiki/Digital_Signal_1 –  Feb 25 '10 at 03:13
  • Have you verified the issue exists no matter which switch and switch port you're using? I would connect your computer directly to one of the ASA unit's available ports and verify the slow speeds still exist. Only then do you know where to begin looking. – CarpeNoctem Feb 25 '10 at 08:48

6 Answers


It sounds like a smaller network, so to keep it simple I would do a rough check of whether there actually is an internal problem, say by disconnecting it for a while and connecting a single PC to the ASA, to see if the assumptions are correct. If so, dig out the tools suggested; if not, the problem is outside your network ^^

(this requires some downtime but I'm guessing there're maintenance windows around for this)

Oskar Duveborn

You'll need a copy of your outgoing network traffic ... and can then use a tool such as ntop ( http://www.ntop.org/) to monitor the bandwidth usage.

Dominik
  • How do I get this info? I am a newbie and doing something like this so I am going to need some guidance. –  Feb 25 '10 at 03:12
  • Could you provide some more info on how your network is built (switches, hubs etc.)? – Dominik Feb 25 '10 at 03:15
  • We have a Cisco Router ASA 5500 that connects us to the internet. We have one network 192.168.1.x with about 100 PCs. 4 Servers, one being a mail server and the other three being Domain Controllers that handle file/print sharing. We have scattered switches all over the building (which could be part of the problem). Any other info you would like? –  Feb 25 '10 at 03:21

darkstat should do a fine job of letting you in on that quickly and assuming you have a BSD/Linux firewall you should be able to build it no problem.

SleighBoy
  • I have neither. I have a Cisco 5500ASA which I do not know much about. –  Feb 25 '10 at 03:14

Since you're only concerned with the traffic transiting the T1, here's what I would suggest:

There are a number of different ways to accomplish this but maybe the easiest thing to do is to install PRTG (assuming you're running some version of Windows) on your workstation. In PRTG set up a packet sniffing sensor. On the switch that your ASA connects to set up a port monitor to mirror traffic on the ASA switch port to the port that the PRTG computer is running on. This will show you not only the total volume of traffic transiting the ASA switch port (to and from the internet via the T1), but will also show you the volume of traffic based on protocol, source, and destination. If you don't know how to set up a port monitor or if your switch doesn't support port monitoring, you can plug a hub in between the ASA and the switch and plug your PRTG machine in to the same hub in order to see all of the traffic transiting the ASA.

EDIT

Some additional info based on your comment to my answer:

If you don't have a managed switch then you'll have to use a hub (or you can purchase a cheap managed switch that supports port monitoring and use it instead of a hub).

I'll try not to overcomplicate this. If you have a hub then do this: Unplug the network cable going from the switch to the ASA and plug it in between the switch and the hub. Then using another network cable, plug it in between the hub and the ASA. Basically you're inserting the hub between the switch and the ASA. Then plug your PRTG computer into the hub. Because a hub floods traffic to every port, all the traffic going between the switch and the ASA will be seen by PRTG running on the workstation. So here's a little diagram of what you need to set up:

SWITCH<--------->HUB<--------->ASA

WORKSTATION<---^

The <---> and <---^ lines are network connections (cables).

joeqwerty
  • Ok I think I may have to do it how you mentioned in the last part about using a hub. Not sure I really understand how to go about doing that but I can give it a shot hopefully on Friday. Do you know of any good documentation that I could get that would give good instructions on how to set this up? –  Feb 25 '10 at 03:56
  • I do not have any managed switches so doing the port monitoring may not work for me correct? –  Feb 25 '10 at 03:58

The ASA can send NetFlow data (though you might have to upgrade it first). You can use that with any software that can receive NetFlow (like ntop).

In a pinch you could try just running show conn and looking for something out of the ordinary.

Justin

I bet this problem was solved a long time ago, but just in case someone needs something similar, I'd suggest you use a laptop running Wireshark.

Just let it run for a while to check who's consuming your bandwidth. The only problem is to find where you connect it. If you have a hub then you can connect it between your router and your LAN switch. Otherwise it might be a little tricky. In a Cisco switch you'd have to configure a SPAN port:

! Port connected to your router
monitor session 1 source interface Gi0/1

! Port connected to your laptop running Wireshark
monitor session 1 destination interface Gi0/20

TIP: To avoid getting a huge amount of data, limit each captured packet to 96 bytes (you should adjust it to the smallest number that would show the entire protocol header you are analyzing, though) as you don't need to know the contents of your payload (at least on the first analysis):

Wireshark Capture Options

Then after capturing a fair amount of data, go to Statistics > Conversations, sort by the Bytes column and voilà, you catch the bad guy.

Adriano P
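As an added example (not code from this answer or from Wireshark), the Python below does by hand what Statistics > Conversations does for a SPAN or hub capture taken with the 96-byte snaplen above: it tallies bytes per 192.168.1.x host from the Ethernet/IPv4 headers, reading the IPv4 Total Length field so packets cut to 96 bytes are still counted at their real size. The frames, addresses and byte counts are constructed for the demonstration.

```python
"""Added example: a Wireshark-style Conversations tally from truncated frames."""
import struct
from collections import defaultdict

SNAPLEN = 96          # per-packet capture limit suggested in the answer above
ETH_HDR_LEN = 14

def parse_ipv4_frame(frame):
    """Return (src, dst, IPv4 Total Length) for an Ethernet/IPv4 frame, else None.
    Total Length (not len(frame)) keeps byte counts right after SNAPLEN truncation."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", ip[:4])
    if ver_ihl >> 4 != 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, total_len

def top_talkers(frames, lan_prefix="192.168.1."):
    """Bytes per LAN host (sent plus received), busiest host first."""
    totals = defaultdict(int)
    for frame in frames:
        parsed = parse_ipv4_frame(frame)
        if parsed is None:          # ARP, IPv6, runt frames: not counted
            continue
        src, dst, nbytes = parsed
        for host in (src, dst):
            if host.startswith(lan_prefix):
                totals[host] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def make_frame(src, dst, payload_len):
    """Constructed Ethernet/IPv4 frame (zero checksum), cut to SNAPLEN as a capture would."""
    def addr(a): return bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                         0, 0, 64, 6, 0, addr(src), addr(dst))
    eth_hdr = b"\x00" * 12 + b"\x08\x00"
    return (eth_hdr + ip_hdr + b"\x00" * payload_len)[:SNAPLEN]

# Constructed sample capture: one host pulling full-size packets, one quiet host, one ARP frame.
SAMPLE_FRAMES = (
    [make_frame("192.168.1.57", "203.0.113.10", 1460)] * 3
    + [make_frame("203.0.113.10", "192.168.1.57", 1460)] * 10
    + [make_frame("192.168.1.20", "198.51.100.5", 100)]
    + [b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28]
)
```

Calling top_talkers(SAMPLE_FRAMES) returns the hosts largest first, here 192.168.1.57 with 19240 bytes ahead of 192.168.1.20 with 120, even though every stored frame is at most 96 bytes.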