On Tue, 22 Aug 2000, Chris Archer wrote:
> Group,
> Is there a way to determine the MAC or IP address of a machine that is
> hogging a link?
If it's on a directly connected segment, then you stand a chance at getting
the MAC using sniffer software. If it's beyond a directly connected
segment, then you won't have that info (without going further downstream).
Typically, you would use flow-switching to get this type of info. It's
quite simple. You enable flow-switching on your interfaces and you send
the flow information to a server which runs software for grokking the info,
such as CAIDA's cflowd (which we use here on Linux and works quite well).
> I had a T1 link that got flooded today and I was trying to find who the
> culprit was. I did not have a sniffer available so I was looking for a
> solution within IOS.
Flow would work well for this. For example, here we have links to
Sprint, Cable and Wireless, UUnet, Frontier, and Quest. If I wanted to
know who is sinking the most bandwidth from UUnet, I would do like so:
[root@compaq bin]# ./grok.pl uunet
(NOTE: grok.pl is just a perl script I wrote that makes things look all
nice and pretty. The below data could be gotten from cflowd by doing the
following:
artsasagg -i 11-12 -I 11-12 /tmp/report /usr/local/arts/data/cflowd/208.206.76.1/arts.20000822
artsases -l 10 /tmp/report
)
Rank srcAS dstAS      Bytes    bits/sec Netname
---- ----- ----- ---------- ----------- --------
   1 10593 11881 1011518624      109650 AOL-DTC2
   2   701 11881  848220591       91948 ALTERNET-AS
   3 11486 11881  459922866     49856.1 WAN
   4 12076 11881  402379207     43618.3 HOTMAIL-AS
   5  2914 11881  339126476     36761.7 VERIO
   6  6201 11881  325087196     35239.8 ATEXT
   7 11305 11881  269238131     29185.7 INTERLAND-NET1
   8 11855 11881  203917289     22104.9 ASN-INTERNAP-BLK
   9  5662 11881  161969291     17557.6 ASN-TBS-1
  10  2048 11881  146838350     15917.4 LANET-1
Ok, this breaks it apart by Autonomous System. You may want more
granularity than that, which is totally possible. Above you can see that
AS 10593, which is an AOL AS, is the biggest "offender" (I am AS
11881). Ok, so to get more detail you do like so:
[root@compaq bin]# artsnetagg -i 11-12 -I 11-12 /tmp/report /usr/local/arts/data/cflowd/208.206.76.1/arts.20000822
[root@compaq bin]# artsnets -l 50 /tmp/report
router: 208.206.76.1 ifIndex: 0
period: 08/21/2000 18:58:50 - 08/22/2000 15:38:50 CDT
Src Network        Dst Network                 Pkts         Bytes
------------------ ------------------ ------------- -------------
205.188.128.0/17   208.217.106.0/25          289686     144167922
63.104.232.0/21    206.137.60.86/32          200866     139448248
207.204.214.0/24   206.137.60.71/32          111533     112187813
205.188.128.0/17   207.16.245.0/25           225001     109431161
205.188.128.0/17   208.214.44.128/25         149394      88231330
209.167.40.0/23    208.214.45.250/32          56674      79245682
63.99.192.0/19     208.249.213.128/25         90825      75093818
216.155.0.0/18     207.16.246.192/26         103320      71446667
205.188.128.0/17   208.206.76.0/24           142908      69237861
192.12.12.0/24     208.214.44.128/25         170178      65067122
So you can see that the #1 user is 208.217.106.0/25 and they are getting
it from 205.188.128.0/17. A quick check reveals that 205.188.128.0/17 is
indeed part of the 10593 AS:
stargate#sh ip bgp 205.188.128.0/17
BGP routing table entry for 205.188.128.0/17, version 140064
Paths: (5 available, best #3, table Default-IP-Routing-Table)
Not advertised to any peer
3549 1668 10593
206.57.5.13 from 206.57.5.13 (206.132.119.97)
Origin IGP, localpref 100, valid, external
Community: 3549:2826 3549:9840
.
.
.
> I could see where the traffic was coming from but that was only good to
> localize it to a router and not an individual machine.
Well, the above would only help you as far as subnets as well. But once
you have it working, it's great because you can look at things like how
much of your traffic is http, ftp, nntp etc. Is everything on your
network Ethernet? If so, most switches (if it's switched) allow you to
poll usage data via SNMP, and graph it using, say, MRTG. If it's dialup,
then most dialup RASes store usage data in RADIUS records.
Brian
> Any input would be appreciated.
>
> Thanks
>
> Chris
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
-----------------------------------------------
Brian Feeny, CCNA, CCDA [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
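As an added example (not from the thread, and not cflowd/arts code), here is a small Python script that does what artsnetagg/artsnets and artsases do in Brian's reply on constructed NetFlow-style records: sum bytes per (src prefix, dst prefix) using the prefix lengths each record carries, rank the pairs with a bits/sec figure, and resolve source addresses to an origin AS by longest-prefix match against a constructed prefix table that stands in for the "sh ip bgp" check. The flow records, masks and AS numbers are made up; the 74,400-second window is the report period shown above.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records: (src, src_mask, dst, dst_mask, bytes).
# NetFlow v5 exports carry routed prefix lengths for both endpoints; values here are made up.
FLOWS = [
    ("205.188.130.9", 17, "208.217.106.5", 25, 144_000_000),
    ("205.188.200.7", 17, "208.217.106.9", 25, 1_000_000),
    ("63.104.233.2", 21, "206.137.60.86", 32, 139_000_000),
    ("207.204.214.3", 24, "206.137.60.71", 32, 112_000_000),
    ("205.188.131.1", 17, "207.16.245.2", 25, 109_000_000),
]

# Constructed prefix -> origin-AS table, standing in for the "sh ip bgp" lookup.
PREFIX_AS = {
    ip_network("205.188.128.0/17"): 10593,
    ip_network("63.104.232.0/21"): 11486,
    ip_network("207.204.214.0/24"): 2914,
}

# Report window from the thread: 08/21 18:58:50 to 08/22 15:38:50 = 74,400 s.
PERIOD_SECS = 74_400

def origin_as(addr):
    """Longest-prefix match of addr against the constructed table; None if no route."""
    a = ip_address(addr)
    best = None
    for net, asn in PREFIX_AS.items():
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def top_networks(flows, period_secs=PERIOD_SECS, limit=10):
    """Bytes per (src prefix, dst prefix), ranked, with bits/sec (like artsnets)."""
    agg = defaultdict(int)
    for src, smask, dst, dmask, nbytes in flows:
        key = (str(ip_network(f"{src}/{smask}", strict=False)),
               str(ip_network(f"{dst}/{dmask}", strict=False)))
        agg[key] += nbytes
    ranked = sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(s, d, b, round(b * 8 / period_secs, 1)) for (s, d), b in ranked]

def top_as(flows, period_secs=PERIOD_SECS, limit=10):
    """Bytes per origin AS of the source address, ranked (like artsases)."""
    agg = defaultdict(int)
    for src, _smask, _dst, _dmask, nbytes in flows:
        agg[origin_as(src)] += nbytes
    ranked = sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(asn, b, round(b * 8 / period_secs, 1)) for asn, b in ranked]
```

Call `top_as(FLOWS)` for the per-AS ranking and `top_networks(FLOWS)` for the per-prefix one; the top source prefix in the second list can then be fed to `origin_as()` to confirm which AS it belongs to.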