Bandwidth Abuse

Status
Not open for further replies.

noelboy

IS-IT--Management
Feb 22, 2007
8
GB
Hi,
We've got a 2MB leased line being managed by a Cisco router, which in turn feeds our network via a PIX 515e. This is our gateway. I've been monitoring total bandwidth use of the inside and outside interfaces on this firewall using SolarWinds SNMP software.
The problem we're getting now is that over the last few days someone has been downloading constantly and maxing out our line (SolarWinds shows 2.2MB).
Is there a way I can find exactly which PC (or IP) is using the bandwidth at all?
I've had a look at loads of networking tools but they all monitor overall network usage instead.
 
Quick and dirty method:
Open a telnet/ssh session to the PIX, use the show connections command, and find the addresses with the highest throughput.

Not always accurate, but I found a few things this way.
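
An added example, not part of the thread: the byte counter on each PIX connection entry is cumulative, so a single listing favours long-lived sessions. This Python script diffs two saved snapshots of the connection table (`show conn`) and ranks inside hosts by bytes moved in between. The line layouts in the comments and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line layouts (not taken from the thread):
#   PIX 6.x : TCP out 198.51.100.7:80 in 10.0.0.23:3412 idle 0:00:01 Bytes 4821 flags UIO
#   PIX 7.x+: TCP outside 198.51.100.7:80 inside 10.0.0.23:3412, idle 0:00:01, bytes 4821, flags UIO
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+\S+\s+([\d.]+:\d+)\s+\S+\s+([\d.]+):(\d+),?\s+"
    r"idle\s+[\d:]+,?\s+bytes\s+(\d+)", re.IGNORECASE)

def parse_conns(text):
    """Map (proto, outside ip:port, inside ip, inside port) -> byte counter."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:  # skips the "N in use, M most used" header and anything else
            proto, outside, in_ip, in_port, nbytes = m.groups()
            conns[(proto.upper(), outside, in_ip, in_port)] = int(nbytes)
    return conns

def top_talkers(before, after, n=5):
    """Bytes moved per inside host between two snapshots, largest first."""
    old, totals = parse_conns(before), defaultdict(int)
    for key, nbytes in parse_conns(after).items():
        delta = nbytes - old.get(key, 0)
        # A smaller counter means the tuple was reused by a new connection.
        totals[key[2]] += delta if delta >= 0 else nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample snapshots, taken 60 seconds apart
SNAP_T0 = """\
3 in use, 41 most used
TCP out 198.51.100.7:80 in 10.0.0.23:3412 idle 0:00:01 Bytes 48211934 flags UIO
TCP out 203.0.113.9:443 in 10.0.0.57:1190 idle 0:00:04 Bytes 901 flags UIO
UDP out 192.0.2.53:53 in 10.0.0.23:1031 idle 0:00:09 Bytes 120 flags d
"""
# The last line uses the 7.x layout to show that both layouts are parsed.
SNAP_T1 = """\
3 in use, 41 most used
TCP out 198.51.100.7:80 in 10.0.0.23:3412 idle 0:00:00 Bytes 61319134 flags UIO
TCP out 203.0.113.9:443 in 10.0.0.57:1190 idle 0:00:02 Bytes 5901 flags UIO
TCP outside 198.51.100.8:21 inside 10.0.0.91:2044, idle 0:00:00, bytes 700000, flags UIO
"""

if __name__ == "__main__":
    for ip, nbytes in top_talkers(SNAP_T0, SNAP_T1):
        print(f"{ip:15s} {nbytes * 8 / 60 / 1e6:6.2f} Mbit/s")
```

Connections that open and close entirely between the two snapshots are not seen, so a shorter interval gives a truer picture.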
 
Thanks very much for the reply.
I've read a lot about using NTOP Open Xtra.
I'm a bit sketchy on the way to do this though.
From what I understand, the port on the switch that the inside interface of the firewall is on, I need to span (mirror) to another port. Then plug a laptop with NTOP into that mirrored port to monitor traffic.
If that's right, how do I set the port to span?
We've got a Catalyst 4006 switch.
Thanks
 
If you have an old hub lying around, you can forgo the span port... All you need to do is plug the suspected port(s) into the hub and plug your laptop into another port of the hub.
 