How to detect computers sending unnecessary traffic

dmalamba
Level 1

My organisation is connected to the internet via a 64 k data line. I use network address translation (NAT) and an access list on my router to map internal IP addresses to the outside and give staff access to the internet. The problem is that internet traffic seems to be at peak all the time despite the number of computers accessing the internet. I suspect that some computers are sending traffic continuously to the internet. So, is there a way of detecting which IP addresses or which computers are sending this traffic? Can spam increase the amount of traffic in such magnitude? If so, is there a way of blocking spam on the router or wherever? Is there anything I need to take into consideration to control traffic flow on my router interface before it goes out to the internet?

3 Replies

r.wilcox
Level 1

Hi,

Depending on the number of computers on your LAN, the 64K line could easily become saturated.

One command that I have found helpful to determine which systems are sending or receiving the most traffic is the "ip accounting" interface command.

For example:

interface Serial0/0
 ip accounting

Then wait about a minute and do a "show ip accounting". Depending on how you have NAT set up (i.e. one-to-one or one-to-many) you may get different results.

This command has been helpful to me in detecting the Nachi virus. If I do a "show ip accounting" and see a system sending 1 packet that is 92 bytes to various systems, then I can deduce it probably has the Nachi virus.

I hope this helps,

Thanks
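To turn the "show ip accounting" table into an answer to the original question (which host is eating the 64 k line), here is an added example in Python; it is not code from the reply above. The sample output is constructed in the column layout IOS prints, all addresses are made up, and the fan-out check encodes the reply's own Nachi rule (one 92-byte packet per destination, repeated across many destinations); the threshold of three destinations is an assumption.

```python
"""Rank hosts by bytes in Cisco IOS 'show ip accounting' output.

Added example for this thread, not code from the original post. The
sample below is constructed in the column layout IOS prints; all
addresses are made up.
"""
from collections import defaultdict

SAMPLE_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 192.168.1.10       10.20.30.40                    1                  92
 192.168.1.10       10.20.30.41                    1                  92
 192.168.1.10       10.20.30.42                    1                  92
 192.168.1.10       10.20.30.43                    1                  92
 192.168.1.20       64.233.160.1                1532              987654
 192.168.1.30       72.14.207.99                 210               45000
 192.168.1.20       208.65.153.238               300               25000
Accounting data age is 2
"""


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples, skipping header and trailer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit() and parts[3].isdigit():
            src, dst, pkts, nbytes = parts
            rows.append((src, dst, int(pkts), int(nbytes)))
    return rows


def top_talkers(rows, n=3):
    """Sources ranked by total bytes, with their share of all bytes counted."""
    per_src = defaultdict(int)
    for src, _dst, _pkts, nbytes in rows:
        per_src[src] += nbytes
    total = sum(per_src.values()) or 1
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(src, b, round(100.0 * b / total, 1)) for src, b in ranked]


def single_packet_fanout(rows, probe_bytes=92, min_targets=3):
    """Hosts that sent exactly one packet of probe_bytes to many destinations.

    This is the rule the reply gives for spotting Nachi: a single 92-byte
    packet per destination, repeated across many destinations. The
    min_targets threshold is an assumed value.
    """
    targets = defaultdict(set)
    for src, dst, pkts, nbytes in rows:
        if pkts == 1 and nbytes == probe_bytes:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_ACCOUNTING)
    for src, nbytes, pct in top_talkers(rows):
        print(f"{src:16} {nbytes:>10} bytes  {pct:5}%")
    for src, n in single_packet_fanout(rows).items():
        print(f"{src} sent single 92-byte packets to {n} hosts: check for Nachi")
```

One caveat the reply hints at: if accounting is enabled on the outside (serial) interface behind one-to-many NAT, every internal host appears as the same translated source, so the per-source ranking only works on the inside interface or with one-to-one NAT.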

If you happen to have a Cisco router with the proper IOS, you can show the IP flows.

To do this do the following:

In interface configuration mode (the interface that your computers are on) issue the "ip route-cache flow" command.

Exit from interface and config mode and issue the following command: "show ip cache flow"

This will show you any active flows and may help determine what devices are using your bandwidth.

Hope this helps.

Regards,

Dave
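The flow table adds what the accounting table cannot show: protocol and ports, so you can see not just which host but which service is using the line. As an added example (not code from the reply above), this Python script summarizes the active-flow lines of "show ip cache flow" per source host. The sample is constructed in the column layout IOS uses for the flow table, where protocol and ports are printed in hex and the DstP column of an ICMP flow carries the type and code; all addresses are made up.

```python
"""Summarize Cisco IOS 'show ip cache flow' active-flow lines per source host.

Added example for this thread, not code from the original reply. The sample
below is constructed in the column layout IOS prints (protocol and ports
in hex); all addresses are made up.
"""
import re
from collections import Counter, defaultdict

SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.1.20    Se0/0         64.233.160.1    06 0C3A 0050  1532
Et0/0         192.168.1.20    Se0/0         208.65.153.238  06 0C3B 0050   300
Et0/0         192.168.1.10    Se0/0         10.20.30.40     01 0000 0800     1
Et0/0         192.168.1.10    Se0/0         10.20.30.41     01 0000 0800     1
Et0/0         192.168.1.30    Se0/0         72.14.207.99    11 0CD1 0035    12
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def service_name(proto, dport):
    """Readable service label: tcp/80, udp/53, or icmp/type.code."""
    if proto == 1:
        # For ICMP the DstP column holds type in the high byte, code in the low byte.
        return f"icmp/{dport >> 8}.{dport & 0xFF}"
    return f"{PROTO_NAMES.get(proto, str(proto))}/{dport}"


def parse_flow_cache(text):
    """Return one dict per active flow line; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            rows.append({
                "src": m["src"],
                "dst": m["dst"],
                "service": service_name(int(m["pr"], 16), int(m["dport"], 16)),
                "pkts": int(m["pkts"]),
            })
    return rows


def flows_by_source(rows):
    """Per source host: flow count, packet total, distinct destinations, packets per service."""
    summary = defaultdict(lambda: {"flows": 0, "pkts": 0, "dests": set(), "services": Counter()})
    for r in rows:
        s = summary[r["src"]]
        s["flows"] += 1
        s["pkts"] += r["pkts"]
        s["dests"].add(r["dst"])
        s["services"][r["service"]] += r["pkts"]
    return dict(summary)


if __name__ == "__main__":
    summary = flows_by_source(parse_flow_cache(SAMPLE_FLOWS))
    for src, s in sorted(summary.items(), key=lambda kv: kv[1]["pkts"], reverse=True):
        top = ", ".join(f"{svc} ({n} pkts)" for svc, n in s["services"].most_common(2))
        print(f"{src:16} flows={s['flows']:3} pkts={s['pkts']:6} dests={len(s['dests']):3}  {top}")
```

Run it once the flow cache has been populated for a minute or so; a host whose packets are almost all on one service to one or two destinations is a download or mail relay, while a host with many tiny flows to many destinations on the same port is worth a closer look.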

You could also create an IP extended access-list that permits and logs all kinds of IP traffic. Then, you could either do a "show log" command periodically, to see what kind of traffic it is and who's sending it; or, if you're logging to a Syslog server, you can just review the accumulated logs there.

I use it as a crude intrusion detection system. Some of the things I look for: machines trying to connect to Microsoft networking ports 135, 137, 138, 139, 445, on subnets where no such computers exist. Or machines doing ping sweeps. Or machines attempting to connect to Microsoft SQL Server ports 1433 or 1434, where no SQL Server system exists. All of which are symptoms of some of the more recent worms (Nachi, Blaster, SQL) that have gone around the Internet.

If the source IP address of this traffic is on one of my networks, that machine gets cut off from Internet and intranet access until it can be cleaned.
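The crude intrusion detection described above can be scripted against the syslog output of a logging access list. The following is an added example in Python, not code from the reply: it parses the %SEC-6-IPACCESSLOGP (TCP/UDP) and %SEC-6-IPACCESSLOGDP (ICMP) lines that IOS emits for a "log" entry on an extended access list, and flags the three patterns the reply lists: connections to Microsoft networking ports 135, 137, 138, 139 and 445, connections to SQL Server ports 1433 and 1434, and ping sweeps. The log lines are constructed, the addresses are made up, and the thresholds (how many distinct destinations make a source suspect) are assumptions to tune for your own subnets.

```python
"""Flag worm-like scanning in Cisco IOS ACL log lines.

Added example for this thread, not code from the original reply. The log
lines below are constructed in the format IOS emits for a 'log' keyword on
an extended access list; addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(1034) -> 10.20.30.40(135), 1 packet
*Mar  1 00:12:34.601: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(1035) -> 10.20.30.41(135), 1 packet
*Mar  1 00:12:34.640: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(1036) -> 10.20.30.42(445), 1 packet
*Mar  1 00:12:35.001: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.1.40(1434) -> 10.20.31.7(1434), 1 packet
*Mar  1 00:12:35.122: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.1.50 -> 10.20.32.1 (8/0), 1 packet
*Mar  1 00:12:35.130: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.1.50 -> 10.20.32.2 (8/0), 1 packet
*Mar  1 00:12:35.138: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.1.50 -> 10.20.32.3 (8/0), 1 packet
*Mar  1 00:12:35.146: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.1.50 -> 10.20.32.4 (8/0), 1 packet
*Mar  1 00:12:36.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.20(1200) -> 64.233.160.1(80), 15 packets
"""

# IPACCESSLOGP: "proto src(sport) -> dst(dport), N packet(s)"
# IPACCESSLOGDP: "icmp src -> dst (type/code), N packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list \S+ (?:permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

MS_NETWORKING = {135, 137, 138, 139, 445}
SQL_SERVER = {1433, 1434}
# Distinct destinations per category before a source is reported (assumed values;
# SQL is set to 1 because the reply treats any attempt where no SQL Server exists as suspect).
THRESHOLDS = {"ms-networking": 3, "sql-server": 1, "ping-sweep": 4}


def parse_acl_log(text):
    """Return one event dict per ACL log line; unrelated syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp_type": int(d["itype"]) if d["itype"] else None,
            "count": int(d["count"]),
        })
    return events


def classify(ev):
    """Map an event to one of the reply's symptom categories, or None."""
    if ev["proto"] in ("tcp", "udp") and ev["dport"] in MS_NETWORKING:
        return "ms-networking"
    if ev["proto"] in ("tcp", "udp") and ev["dport"] in SQL_SERVER:
        return "sql-server"
    if ev["proto"] == "icmp" and ev["icmp_type"] == 8:   # echo request
        return "ping-sweep"
    return None


def find_suspects(events, thresholds=THRESHOLDS):
    """Map source IP -> [(category, distinct destinations)] for sources over threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["src"]][cat].add(ev["dst"])
    suspects = {}
    for src, cats in seen.items():
        hits = [(cat, len(dsts)) for cat, dsts in cats.items() if len(dsts) >= thresholds[cat]]
        if hits:
            suspects[src] = hits
    return suspects


if __name__ == "__main__":
    for src, hits in find_suspects(parse_acl_log(SAMPLE_LOG)).items():
        print(src, "->", ", ".join(f"{cat} to {n} hosts" for cat, n in hits))
```

Two practical caveats: IOS rate-limits ACL logging and reports later matches as "N packets" summaries rather than one line per packet, so counting distinct destinations (as above) is more reliable than counting lines; and the access list needs a "log" keyword on the entries you want to see, which costs router CPU on a busy interface.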
