topic Re: trafic monitoring on pix in Network Security

trafic monitoring on pix

milan.zmarzlak — Fri, 21 Feb 2020 08:04:12 GMT

hi,

our internet line to internet is all day at 100% trafic on outside interface /somebody is downloading some big files/. can I find out who is it? I tried set up log, syslog /kiwi/, etc., but there are too many messages.

I need find out WHO is downloader. Is in possible on Pix or I'll need third-party solution?

thanx

Re: trafic monitoring on pix

mostiguy — Mon, 11 Apr 2005 18:10:15 GMT

A quick way is to do a show conn on the pix, and look for large connection sizes. This will help if it is one file. If someone is making tons of small connetions (i.e, downloading mp3s), you might want to look for who has the most open connections

Re: trafic monitoring on pix

spasternacki — Mon, 11 Apr 2005 20:19:41 GMT

You can setup Websense as url-server, additionally you can setup Proxy for http/https/ftp traffic inside you LAN and redirect all traffic thru this proxy.

It depends on your PIx config also. For example - If you allow all inside users to go outside (to Internet) Proxy solutions can be not enough.

Fast solution:

- all http/https/ftp traffic should go thru Proxy (default gw for LAN users),

- only Proxy can go directly to Internet

If you have Proxy (eg. Squid + Squiduard or Cisco ContentEngine) you can control traffic on high layers, eg. filter some url.

Additionally you can try update your PIX soft to 7.x and apply some QoS rules, but first you still need identify problematic traffic.

Re: trafic monitoring on pix

Patrick Iseli — Mon, 11 Apr 2005 22:26:47 GMT

Another good tool to analyse real time traffic is NTOP.

This helps to figure out who is downloading and with what protocol, port ... top 20 host ... and much more.

Opensource for Linux, but unfortunently not for Windows. See:http://www.ntop.org/ntop.html

You need to place that host on a Monitoring port on the switch so that it can see all traffic that is going to the PIX Firewall.

There is always the "Capture" command available but to figure out who is usinf the bandwith you need another tool as NTOP.

Example for capture:

access-list ftp permit tcp 192.168.1.0 255.255.255.0 any eq ftp

capture ftpcap access-list ftp interface inside

show capture ftpcap detail

to remove:

no capture ftpcap access-list 120 interface inside

no capture ftpcap

no access-list ftp

sincerely

Patrick

Re: trafic monitoring on pix

dwalsh — Thu, 16 Jun 2005 12:51:46 GMT

Hi Milan,

In the past, I've used RnR Report generator for PIX. It is a good utility that can give you quick top tens. All you need to do is take a copy of your syslog. I know these can get huge, but take a sampling of an hour or so when you're pretty sure the spike is happening. Save the syslog sample out and feed it into RnR. This will tell you who's using what. It only reports in IP, not DNS, but you should be able to work your way back using your DHCP records (if it's inside) or identify the IP and ask your ISP to locate the external offender to find out who the culprit is.

Good luck!

Dave

Re: trafic monitoring on pix

craigb — Thu, 16 Jun 2005 13:25:11 GMT

Check out Etherape to. It gives you a good graphical display that you can walk up to at any given time and visually identify who is using a lot of bandwidth. It's also a Linux app. The graph is interesting to watch.