04-11-2005 08:12 AM - edited 02-21-2020 12:04 AM
hi,
our internet line to internet is all day at 100% traffic on outside interface /somebody is downloading some big files/. can I find out who it is? I tried set up log, syslog /kiwi/, etc., but there are too many messages.
I need to find out WHO is the downloader. Is it possible on Pix or I'll need third-party solution?
thanx
04-11-2005 11:10 AM
A quick way is to do a show conn on the pix, and look for large connection sizes. This will help if it is one file. If someone is making tons of small connections (i.e., downloading mp3s), you might want to look for who has the most open connections
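To do the triage described above across a whole connection table rather than by eye, the added script below (not part of this thread) aggregates bytes and connection counts per inside host and ranks them both ways, so a single large transfer and a flood of small connections both surface. The sample lines are constructed to resemble PIX 6.x `show conn` output; the exact layout varies between PIX versions, so adjust the regular expression to what your box prints.

```python
import re
from collections import defaultdict

# Constructed sample of PIX 6.x "show conn" output (not real data):
# one inside host holds a single large transfer, another holds many small ones.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:80 in 192.168.1.25:1412 idle 0:00:01 Bytes 734003200 flags UIO
TCP out 203.0.113.11:443 in 192.168.1.25:1413 idle 0:00:09 Bytes 51200 flags UIO
TCP out 198.51.100.7:80 in 192.168.1.40:2001 idle 0:00:02 Bytes 4194304 flags UIO
TCP out 198.51.100.8:80 in 192.168.1.40:2002 idle 0:00:03 Bytes 3145728 flags UIO
TCP out 198.51.100.9:80 in 192.168.1.40:2003 idle 0:00:01 Bytes 5242880 flags UIO
UDP out 198.51.100.53:53 in 192.168.1.40:1026 idle 0:00:30 flags -
TCP out 203.0.113.20:25 in 192.168.1.5:3310 idle 0:01:12 Bytes 2048 flags UIO
"""

# "Bytes N" is optional: UDP entries on PIX 6.x carry no byte counter.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle \S+(?: Bytes (?P<bytes>\d+))?"
)

def parse_conns(text):
    """Yield (inside_ip, bytes) per connection line; missing byte counts become 0."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.group("in_ip"), int(m.group("bytes") or 0)

def summarize(text):
    """Per inside host: total bytes, connection count, largest single connection."""
    stats = defaultdict(lambda: {"bytes": 0, "conns": 0, "largest": 0})
    for ip, nbytes in parse_conns(text):
        s = stats[ip]
        s["bytes"] += nbytes
        s["conns"] += 1
        s["largest"] = max(s["largest"], nbytes)
    return dict(stats)

def top_hosts(text, key="bytes", n=5):
    """Rank inside hosts by 'bytes' (one big download) or 'conns' (many small ones)."""
    stats = summarize(text)
    return sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)[:n]

if __name__ == "__main__":
    for label, key in (("by bytes", "bytes"), ("by open connections", "conns")):
        print(f"Top inside hosts {label}:")
        for ip, s in top_hosts(SAMPLE_SHOW_CONN, key):
            print(f"  {ip:15} {s['bytes']:>12} bytes {s['conns']:>3} conns  largest {s['largest']}")
```

Paste the real `show conn` output into a file and feed it in place of the sample; the host at the top of the byte ranking is the one saturating the line, and the connection ranking catches the many-small-files case.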
04-11-2005 01:19 PM
You can set up Websense as url-server; additionally you can set up a Proxy for http/https/ftp traffic inside your LAN and redirect all traffic through this proxy.
It depends on your PIX config also. For example - if you allow all inside users to go outside (to Internet), Proxy solutions can be not enough.
Fast solution:
- all http/https/ftp traffic should go through Proxy (default gw for LAN users),
- only Proxy can go directly to Internet
If you have a Proxy (eg. Squid + SquidGuard or Cisco ContentEngine) you can control traffic on high layers, eg. filter some url.
Additionally you can try to update your PIX software to 7.x and apply some QoS rules, but first you still need to identify the problematic traffic.
04-11-2005 03:26 PM
Another good tool to analyse real time traffic is NTOP.
This helps to figure out who is downloading and with what protocol, port ... top 20 host ... and much more.
Opensource for Linux, but unfortunately not for Windows. See: http://www.ntop.org/ntop.html
You need to place that host on a Monitoring port on the switch so that it can see all traffic that is going to the PIX Firewall.
There is always the "Capture" command available but to figure out who is using the bandwidth you need another tool such as NTOP.
Example for capture:
access-list ftp permit tcp 192.168.1.0 255.255.255.0 any eq ftp
capture ftpcap access-list ftp interface inside
show capture ftpcap detail
to remove:
no capture ftpcap access-list ftp interface inside
no capture ftpcap
no access-list ftp
sincerely
Patrick
06-16-2005 05:51 AM
Hi Milan,
In the past, I've used RnR Report generator for PIX. It is a good utility that can give you quick top tens. All you need to do is take a copy of your syslog. I know these can get huge, but take a sampling of an hour or so when you're pretty sure the spike is happening. Save the syslog sample out and feed it into RnR. This will tell you who's using what. It only reports in IP, not DNS, but you should be able to work your way back using your DHCP records (if it's inside) or identify the IP and ask your ISP to locate the external offender to find out who the culprit is.
Good luck!
Dave
06-16-2005 06:25 AM
Check out Etherape too. It gives you a good graphical display that you can walk up to at any given time and visually identify who is using a lot of bandwidth. It's also a Linux app. The graph is interesting to watch.