Bandwidth by user

10 11 2011

Absolutely crying out for some at-a-glance monitoring of bandwidth usage by IP address, which we don’t currently have. The nearest I do have is a bandwidth graph on my Checkpoint SG82, and PRTG monitoring bandwidth on the switchport that connects to the active node of the Checkpoint cluster.

However, during a period of intense bandwidth usage, I found a way of doing this pretty satisfactorily that wasn’t *too* time consuming, albeit a lot more time consuming than looking at a list of IPs sorted by bandwidth usage.

My method was to take a packet capture of a few minutes from the firewalls, then open it in Wireshark, and sort by “Destination IP”. This may not always point out a specific culprit, but in this case, there was one IP address that stood out massively from the others.

I identified the user by IP address from my DHCP server, and gave him a call asking him if he was using software with potentially high bandwidth usage.

This was the case, and stopping the application running resulted in a drop from 57Mbps to just over 30 in a minute, and down to 20 within 10 minutes. Result. No users were harmed during this exercise ;)
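The per-destination tally described above can also be produced straight from the capture file, giving the sorted list of IPs by bytes that the post wishes for. This is an added example, not code from the original post; it assumes a classic libpcap file of Ethernet frames carrying IPv4, and the function names and the sample capture are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def bytes_by_destination(pcap: bytes):
    """Return [(dst_ip, total_bytes), ...] sorted by bytes, highest first."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, offset = Counter(), 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype, ip_start = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:  # skip an 802.1Q VLAN tag
            ethertype, ip_start = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != 0x0800 or len(frame) < ip_start + 20:
            continue  # not IPv4, or too short to hold an IPv4 header
        dst = socket.inet_ntoa(frame[ip_start + 16:ip_start + 20])
        totals[dst] += orig_len  # on-the-wire size, even if the capture was snapped
    return totals.most_common()

def sample_pcap() -> bytes:
    """Constructed capture: three frames to 10.0.0.5 and one to 10.0.0.9."""
    def frame(dst: str, size: int) -> bytes:
        ip = (b"\x45\x00" + struct.pack("!H", size - 14) + bytes(8)
              + socket.inet_aton("192.0.2.1") + socket.inet_aton(dst))
        return (bytes(12) + b"\x08\x00" + ip).ljust(size, b"\x00")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, size in [("10.0.0.5", 1500), ("10.0.0.9", 90),
                      ("10.0.0.5", 1500), ("10.0.0.5", 1000)]:
        out += struct.pack("<IIII", 0, 0, size, size) + frame(dst, size)
    return out

if __name__ == "__main__":
    for ip, total in bytes_by_destination(sample_pcap()):
        print(f"{ip:15} {total:>10} bytes")
```

Dividing each total by the capture duration in seconds and multiplying by 8 gives an approximate bits-per-second figure per destination.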


