10-05-2006 01:58 AM - edited 03-03-2019 02:14 PM
I have a 2mb internet link to the ISP. When I issue a show interface serial command, it shows a very high utilization on the txload & rxload parameters. The txload is more than 90% even when there are no users accessing the internet. Is it some hacker attack?
How to interpret the txload & rxload of the show interface serial command output?
Thanks in advance.
10-05-2006 03:41 AM
Hi,
the meaning is:
txload
Transmit load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.
rxload
Receive load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.
Thus you have either a worm or some applications running without user action involved (like an email server or web or FTP server and such).
To further investigate the problem I would check what traffic is sent to the router. You could use a hub and a network analyzer (like Ethereal) to monitor the LAN interface of the router.
Regards, Martin
10-05-2006 04:16 AM
Hi
Though Martin has already commented about the exponential calculation, I would suggest checking the bandwidth parameter set under the interface, which is also used for arriving at the tx/rx load fraction.
By default the serial interfaces come with 1544 Kbps even though you connect an E1 onto that.
Do check the same, define the bandwidth as 2048 Kbps and check the loading again.
If it's already done, do follow the suggestions made by Martin.
regds
10-08-2006 01:22 AM
Hello Martin,
Thanks for your valuable input.
As I have a 2mb link, I have configured the bandwidth 2048 on the serial interface.
When I issue the command show interface Fa0/0 it shows a utilization of less than 5/255 almost all the time, but on Serial it shows a very high utilization.
So is it worth sniffing the Fa0/0, as it seems that the LAN traffic is very minimal?
Is there any access-list config to avoid any such attack/worm? Also, what do you mean by applications running without any user action involved? We have just one mapping of a global IP to our internal mail server.
10-08-2006 05:57 AM
Hello,
if you do a 'show proc cpu', can you see any process utilizing a high percentage of the CPU? Since your LAN interface is not highly utilized, you could very well be under attack from an outside source. Depending on the IOS version you are running, you could configure NBAR in order to find out which protocols are using the bandwidth on your serial interface:
interface Serial 1/1
ip nbar protocol-discovery
After you have configured this on your interface, use 'show ip nbar protocol-discovery' to display the statistics of the protocol information gathered.
If you are seeing high CPU utilization, the following strategies might be worth examining as well:
Dealing with mallocfail and High CPU Utilization Resulting From the "Code Red" Worm
http://www.cisco.com/en/US/products/hw/iad/ps397/products_tech_note09186a00800a73e9.shtml
How to Protect Your Network Against the Nimda Virus
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080110d17.shtml
HTH,
GNT
10-08-2006 03:40 PM
If we assume that the fastethernet interface is running at 100Mb, my math indicates that 5/255 busy of a 100 Mb interface is pretty close to 2 Mb. Until we know more about the environment and whether the traffic from the fastethernet is going out the serial or whether there are other interfaces that may take some of that traffic, I think that the amount of traffic on the serial can reasonably be explained without assuming some worm attack.
HTH
Rick
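Martin's definition of txload/rxload, the bandwidth-parameter point raised above, and Rick's 5/255-of-100Mb arithmetic all come down to one calculation: IOS reports load as a fraction of 255 of the interface's configured BW, not of the physical line rate. The following is an added example, not code from this thread; it parses a constructed 'show interface serial' excerpt, converts the load figures to bits per second, and shows how an E1 left at the 1544 Kbit default over-reports its load (the E1 line rate of 2048 Kbit is an assumption passed in by the caller).

```python
import re

# Constructed sample of 'show interface serial' output (not from the thread).
# BW is still at the 1544 Kbit default although the circuit is a 2048 Kbit E1.
SAMPLE = """Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 230/255, rxload 45/255
  Encapsulation HDLC, loopback not set
"""


def parse_show_interface(text):
    """Return (configured BW in kbit/s, txload, rxload) from IOS output."""
    bw = int(re.search(r"BW (\d+) Kbit", text).group(1))
    tx = int(re.search(r"txload (\d+)/255", text).group(1))
    rx = int(re.search(r"rxload (\d+)/255", text).group(1))
    return bw, tx, rx


def load_to_bps(load, bw_kbit):
    """IOS load is a 5-minute exponential average expressed as load/255
    of the *configured* bandwidth, so bps = load/255 * BW."""
    return load / 255 * bw_kbit * 1000


def interpret(text, line_rate_kbit):
    """Convert the reported loads to bps and re-express them against the
    real line rate, flagging a BW/line-rate mismatch."""
    bw, tx, rx = parse_show_interface(text)
    tx_bps = load_to_bps(tx, bw)
    rx_bps = load_to_bps(rx, bw)
    line_bps = line_rate_kbit * 1000
    return {
        "bw_kbit": bw,
        "tx_bps": tx_bps,
        "rx_bps": rx_bps,
        # Same traffic, measured against what the wire can actually carry.
        "tx_pct_of_line": tx_bps / line_bps * 100,
        "rx_pct_of_line": rx_bps / line_bps * 100,
        "bw_mismatch": bw != line_rate_kbit,
    }


if __name__ == "__main__":
    # Rick's check: 5/255 of a 100 Mb FastEthernet is about 1.96 Mb/s.
    print(f"Fa0/0 at 5/255: {load_to_bps(5, 100000) / 1e6:.2f} Mb/s")
    for k, v in interpret(SAMPLE, 2048).items():
        print(f"{k}: {v}")
```

With the sample values, a txload of 230/255 (90%) on a BW of 1544 is only about 1.39 Mb/s, i.e. roughly 68% of the E1; the mismatch flag tells you to fix the bandwidth statement before reading anything into the percentage.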
10-08-2006 09:00 PM
This is a 2620 chassis with 32MB DRAM & 8mb flash. The IOS is 12.0(3)T3. It has only 1 Fa0/0 & S0/0. Ethernet is connected to the FW & Serial to the ISP. So all the Internet traffic is going from the FW to this router's fa0/0 & through S0/0 to the ISP.
Pl. comment further.
Thanks
Jevin
10-08-2006 09:26 PM
A quick and dirty way to see what is going on is to turn on ip accounting on the interface, clear the ip accounting and quickly issue the show command to see where the excess traffic is sourcing from. This is RAW output so you will have to analyze closely. Do the following:
On the fa0/0, enable "ip accounting output-packets". Issue "clear ip accounting" and quickly issue "sh ip accounting". You will get the following output:
Source IP, Destination IP, Packets, Bytes.
I normally look for a popular destination IP such as an email server, web server, etc. Keep clearing ip accounting and issuing show ip accounting and look for patterns. Like I said, this is a down and dirty way to do things, but I have found it works well to help pinpoint in the beginning of my analysis if no better tools are available on the customer site.