Locate bandwidth hog

ssutton503 · ‎08-07-2013

I have a PIX 501 Firewall running Device Manager 3.0. I keep seeing the traffic on the outside interface max out and I would like to find the source. Is there a way to do it? I have a Windows 2003 Server if that helps with logging. I looked for a manual that would explain all the monitoring options available in the Device Manager but couldn't find anything. I can't even tell if the traffic is being requested from the inside or if some outside source is bombarding us.

As you can probably guess, I am not very experienced with Cisco devices so any help at all is appreciated.

Steven

Christopher Bell · ‎08-07-2013

I can't think of an elegant way off the top of my head unless you have something you can export flow data from. A couple things you might try:

1. Put an ACL on the inside interface against outpount traffic. Make sure the ACL is set to allow IP any any with the "log" switch. At least then you can watch your syslogs to see if any one device on the inside is hitting the ACL more than others and you will have source/destination IP addresses to look into.

2. You have a managed switch between your LAN and PIX, try creating a port span and connecting a laptop to the receiving switchport. Use wireshark to capture the traffic when you see it spike.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.