
I'm dealing with a high bandwidth situation and need to determine what host is sending / receiving the most data.

How can I get the logs necessary that will contain this information? I'm OK with parsing or writing code to do so, but I'm unsure of how to extract the information.

makerofthings7

3 Answers

4

If you have the ASA firewall's ASDM interface enabled, you can view basic stats in the "Firewall Dashboard". Protocol, sources and destinations are easily viewed.


ewwhite
2

These devices support Netflow data collection as well as SNMP.

You can use a tool like Paesslers to view the data.

jscott
Willy
  • Does netflow use a method other than SNMP to gather data? – makerofthings7 May 03 '12 at 14:09
  • @makerofthings7 netflow is its own protocol, generally you need both netflow port 9996 and NBAR which is collected via SNMP to get the most accurate information. – Zypher May 03 '12 at 20:10
  • Yes it is a separate protocol configured in your switch or router, and exports flow data to a collector. –  May 03 '12 at 19:59
  • Adding to Zypher's comments, NetFlow on ASA is not used in the same way as it is on IOS. Most devices that use NetFlow (such as IOS) will "sample" network traffic and periodically send data about that sample to an external collector or aggregator, which in turn can report on the data. ASA uses NSEL (NetFlow Secure Event Logging), which in some sense means it shoehorns syslog messages into NetFlow packets. For collectors that can deal with it, it does provide some useful information, but it isn't really useful for point-in-time utilization stats. – James Sneeringer May 03 '12 at 20:16
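Added example, not code from the question or any answer: the per-connection teardown syslog messages the ASA emits (the same records NSEL packages into NetFlow, as the comment above notes) carry a `bytes` field, so summing them per host on the inside interface gives a rough top-talker list from plain syslog. The log lines, hostname and addresses below are constructed samples; the message IDs 302014/302016 (TCP/UDP teardown) are the standard ASA ones.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA teardown format
# (302014 = TCP teardown, 302016 = UDP teardown, 302013 = TCP built).
SAMPLE_LOGS = """\
May  3 14:09:01 fw01 %ASA-6-302014: Teardown TCP connection 18422 for outside:203.0.113.5/443 to inside:10.1.1.20/51234 duration 0:00:05 bytes 1532000 TCP FINs
May  3 14:09:02 fw01 %ASA-6-302014: Teardown TCP connection 18423 for outside:198.51.100.9/80 to inside:10.1.1.21/50011 duration 0:00:01 bytes 4096 TCP Reset-I
May  3 14:09:03 fw01 %ASA-6-302016: Teardown UDP connection 18424 for outside:192.0.2.53/53 to inside:10.1.1.20/41000 duration 0:00:02 bytes 512
May  3 14:09:04 fw01 %ASA-6-302013: Built inbound TCP connection 18425 for outside:203.0.113.7/44321 (203.0.113.7/44321) to inside:10.1.1.22/22 (10.1.1.22/22)
May  3 14:09:05 fw01 %ASA-6-302014: Teardown TCP connection 18426 for outside:203.0.113.5/443 to inside:10.1.1.22/51300 duration 0:00:09 bytes 2500000 TCP FINs
"""

# Only teardown messages carry a byte count; "Built" messages are skipped.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)


def top_talkers(log_text, inside_if="inside", n=5):
    """Return the n hosts on inside_if with the largest summed byte counts.

    The bytes field is the total for the whole connection, reported when it
    closes, so this is per-connection volume by host, not a live rate, and
    long-lived connections only show up once they are torn down.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        nbytes = int(m.group("bytes"))
        # Attribute the bytes to whichever endpoint sits on the inside interface.
        for iface, ip in ((m.group("if1"), m.group("ip1")),
                          (m.group("if2"), m.group("ip2"))):
            if iface == inside_if:
                totals[ip] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for host, total in top_talkers(SAMPLE_LOGS):
        print(f"{host:15} {total:>12} bytes")
```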
0

Like Willy says, the ASAs do not support Netflow; however, if you need a longer term data collection solution, they do support a subset of Netflow data called sFlow. It doesn't have all the bells and whistles of Netflow, but you definitely can see over time who is using what bandwidth on what port.

Zypher