https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273426#M590662 <P>What's the best way for me to monitor the traffic going through a pix? I'd like to know who's going where, what size downloads are, etc..</P><P>Thanks for the help.</P> Fri, 21 Feb 2020 07:35:12 GMT mbjohnson 2020-02-21T07:35:12Z https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273426#M590662 <P>What's the best way for me to monitor the traffic going through a pix? I'd like to know who's going where, what size downloads are, etc..</P><P>Thanks for the help.</P> Fri, 21 Feb 2020 07:35:12 GMT https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273426#M590662 mbjohnson 2020-02-21T07:35:12Z https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273427#M590663 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can monitor who is going where by using the logging command on the PIX. </P><P></P><P>I am not sure what software you are running but the logging command reference for 6.3 is here</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1028090" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1028090</A></P><P></P><P>By default logging on the PIX can be a bit noisy so you can disable certain events that are being logged by finding out their message id and using "no logging message message_id" such as system messages etc....</P><P></P><P>Have a look here for PIX message</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00801582af.html" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00801582af.html</A></P><P></P><P>If you want to keep records for evaluation then you need to set the PIX up to log to a syslog server </P><P></P><P>Also, if you want to log which URLs are being accessed then make sure your fixup protocol for http is running "fixup protocol http 80"</P><P></P><P>If you want to monitor specific traffic then you can use the capture command on an access-list, however this is more aimed at packet sniffing/troubleshooting</P><P></P><P>Rgds</P><P>Paddy</P><P></P><P></P></BODY></HTML> Fri, 20 Aug 2004 22:22:08 GMT https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273427#M590663 paddyxdoyle 2004-08-20T22:22:08Z https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273428#M590664 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. I already have logging turned on, I'm just wondering how I can tell which user is taking most of the bandwidth, doing big downloads etc..ia there such a feature on the Pix?</P><P></P><P>Best regards.</P></BODY></HTML> Fri, 20 Aug 2004 22:41:32 GMT https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273428#M590664 mbjohnson 2004-08-20T22:41:32Z https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273429#M590665 <HTML><HEAD></HEAD><BODY><P>Not to my knowlegde i'm afraid.</P><P></P><P>If you had a router in front of your firewall you could use "ip accounting"?</P><P></P><P>Rgds</P></BODY></HTML> Fri, 20 Aug 2004 22:56:38 GMT https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273429#M590665 paddyxdoyle 2004-08-20T22:56:38Z https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273430#M590666 <HTML><HEAD></HEAD><BODY><P>You can use the syslog feature of the PIX.</P><P>Try this:</P><P></P><P>commands:</P><P>logging on</P><P>logging trap informational</P><P>logging host YOUR-SYSLOG-SERVER-IP</P><P></P><P>But be aware that this gives a lot of output to your syslog server. A lof of information is transfered as bytes transfered, users names if authenticated, web sites, files ...</P><P></P><P>Then to analyze it you can use a syslog file analzer as: <A class="jive-link-custom" href="http://www.sawmill.net/" target="_blank">http://www.sawmill.net/</A> to get your syslog data into a nice user statistic chart.</P><P></P><P>There are alot of tools out there in the internet.</P><P></P><P>Another way without using syslog could be to use of </P><P>NTOP a open source linux tool. The windows version you</P><P>have to pay. But this is more a Realtime network statistic tool but still does a good job.</P><P></P><P>Take a look at it. <A class="jive-link-custom" href="http://www.ntop.org/ntop.html" target="_blank">http://www.ntop.org/ntop.html</A></P><P></P><P>sincerly</P><P>Patrick </P></BODY></HTML> Fri, 20 Aug 2004 23:47:09 GMT https://community.cisco.com/t5/network-security/monitoring-traffic-detail-through-pix-firewall/m-p/273430#M590666 piseli 2004-08-20T23:47:09Z