How can i measure traffic for different services???

Status
Not open for further replies.

joeka77

Technical User
Mar 14, 2003
31
DE
Hello,
big problem (it might cost my job :-(
We have a huge amount of traffic on the cisco-wan!! I have to tell my boss the reason for it. Of course I've never been allowed to visit a cisco course. Can anybody tell me how I can measure which protocols or services are the reason for the traffic on the external card??? It would be no help to get the total packets, I need more detailed info.
Thanks for help!!!
 
Hello,

Unfortunately, the idea of traffic analysis directly shows that you must capture all wan traffic in some time period (peak wan activity is the best time) then analyse it. Based on port numbers you can already tell a lot about your network applications. Then, definitely you must implement a QoS.



Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA
 
If the WAN is just getting flooded and you don't need to get protocol/service statistics then you might look into MRTG. It allows you to see the bandwidth usage per port of your network devices. It might be useful if you think it is just one or two compromised machines. Otherwise there are packet sniffers that will capture/analyze the activity of the link they are monitoring. EtherPeek is one that sticks out in my mind right now. What kind of WAN link do you have?

Burke
 
If your WAN port leads to the internet, I would use your favorite protocol analyzer. This will be able to break up the traffic into services (http, smtp, pop, etc) for you. It should also allow you to finger the culprit(s) of the offending services (by reporting source IP).
 
Hi,

Take a look at Netflow. A very useful part of IOS for this type of problem.

This URL should get you started...


but simply, go to configure your serial interface and enable netflow...

router(config-ser1/1)# ip route-cache flow
<ctrl-Z>
Then let the router operate for a while, from the command line on the router type
router# show ip cache flow


And you will see a list of what protocols and which source/destination pairs are chewing up your bandwidth.

Good luck,
Phil.

If everything is coming your way then you're in the wrong lane.
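As an added illustration (example code written here, not part of the thread or of Cisco's tooling): once the output of `show ip cache flow` has been saved to a file, a short Python script can total the packets per service and per source/destination pair and restrict the count to flows that cross the WAN interface, which is what the original question asks for. The flow-table lines are constructed samples and the interface name `Se1/1` is an assumption.

```python
import re
from collections import Counter

# Constructed sample of the flow table printed by `show ip cache flow`
# (not real router output). IOS prints the protocol (Pr) and ports in hex.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se1/1         203.0.113.7     Fa0/0         192.0.2.10      06 0050 0C3A  48210
Fa0/0         192.0.2.10      Se1/1         203.0.113.7     06 0C3A 0050   9120
Fa0/0         192.0.2.25      Se1/1         198.51.100.4    06 1F90 0019    870
Fa0/0         192.0.2.40      Se1/1         198.51.100.9    11 0035 0035     60
Fa0/0         192.0.2.25      Se1/1         198.51.100.4    06 1F91 0019    830
Fa0/0         192.0.2.10      Fa0/1         192.0.2.99      06 0C3B 01BD   5000
"""
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Parse flow-table lines; the header and any non-matching line are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = m.groups()
        proto = int(pr, 16)
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts),
        })
    return flows

def on_wan(flow, wan_if):
    """True if the flow enters or leaves via the WAN interface (None = count all)."""
    return wan_if is None or wan_if in (flow["src_if"], flow["dst_if"])

def top_services(flows, wan_if=None, n=3):
    """Packets per (protocol, lower port): both directions of a session group together."""
    c = Counter()
    for f in flows:
        if on_wan(f, wan_if):
            c[(f["proto"], min(f["sport"], f["dport"]))] += f["pkts"]
    return c.most_common(n)

def top_pairs(flows, wan_if=None, n=3):
    """Packets per (source address, destination address) pair."""
    c = Counter()
    for f in flows:
        if on_wan(f, wan_if):
            c[(f["src"], f["dst"])] += f["pkts"]
    return c.most_common(n)
```

Pass the real flow table in place of `SAMPLE` and the router's own WAN interface name in place of `Se1/1`; the "lower port" heuristic is a convention for grouping, not a property of NetFlow.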
 
Thank you all for your help!!

Greetings
Joey
 
Hi,

I need to do something like this.

There are frame relay routers connected directly to the switch.

I have been advised that a considerable amount of traffic is going down the frame relay routers.

I would like to see where this traffic is coming from (Cisco port number or MAC address would be fine). More details would be helpful.

I can set up a sniffer, but as the frame relay routers are connected directly to the switch, I would not see the traffic on a different Switch port.

The "ip route-cache flow" command does not work on the switch (Catalyst 2950 SX):

NHDMZSwitch1(config)#ip r?
radius rcmd reflexive-list

Please could someone advise me how best to do this.

Thank you.

 
Hi,

You can accomplish this task by using PORT MONITOR command.
1. Set up a sniffer PC.
2. Connect the NIC of the sniffer to the free switch port.
3. In switch conf mode, switch to this port (port conf mode).
4. Use "port monitor fa0/24" (where fa0/24 is the interface connected to the router).
In this conf. ALL the traffic from fa0/24 will be copied (forwarded) to the sniffer NIC interface.

Good luck!



Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA
 
Hi,

The ip route-cache flow command is only available on layer 3 devices. Enable it on the router interfaces that you are interested in.

Cheers,

If everything is coming your way then you're in the wrong lane.
 
Hi Victor,

Thanks for the advice on using the PORT MONITOR command.

Please could you let me know if the switch needs a reboot to have this setting come into effect.

Thank you.

Richard Thomas.
 
Hello, Richard,

No, the switch does not need a reboot. This setting comes into effect when you press enter at the end of the command. At the end of your experiment do not forget to issue a NO PORT MONITOR in switch global conf mode. This will disable traffic forwarding.

Good luck!



Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA
 
Hi Victor,

Thanks for that.

How do I get into (port conf mode), I tried the following:

NHDMZSwitch1(config)#interface FastEthernet 0/24
NHDMZSwitch1(config-if)#port ?
% Unrecognized command
NHDMZSwitch1(config-if)#port

But as you can see, I cannot issue the port command.

Thank you.
 
Hi, Richard,

Hmmm...strange.
I just copied a conf from my switch:

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa0/24
Switch(config-if)#p?
port priority-group

Switch(config-if)#port ?
block Forwarding of unknown uni/multi cast addresses
group Place this interface in a port group
monitor Monitor another interface
network Configure an interface to be a network port
protected Configure an interface to be a protected port
security Configure an interface to be a secure port
storm-control Configure storm control parameters

Switch(config-if)#^Z
Switch#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC3, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 04-Feb-02 06:13 by devgoyal
Image text-base: 0x00003000, data-base: 0x0033744C

ROM: Bootstrap program is C2900XL boot loader

Switch uptime is 17 weeks, 3 days, 20 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c2900XL-c3h2s-mz_120-5_WC3.bin"


cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAA0334M169, with hardware revision 0x01
Last reset from power-on

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:80:37:1F:00
Motherboard assembly number: 73-3382-07
Power supply part number: 34-0834-01
Motherboard serial number: FAA03329V4T
Power supply serial number: NONE
Model revision number: A0
Model number: WS-C2924-XL-EN
System serial number: FAA0334M169
Configuration register is 0xF

Switch#

I'm not sure, but maybe it's necessary to load a new image into the switch that supports this feature...
Otherwise you can try to use some FR diagnostic commands on the routers to discover the problem. See the show frame pvc command. Especially look for the amount of FECN/BECN bytes. What kind of CIR do you have?
Also issue the sh proc cpu hist command to make sure your router is good enough for the current load.
As well as the sh buf command. Are the router buffers overwhelmed?

Good luck!

Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA
 
Try setting up a monitor session - different switches use different syntax to set up the monitor session. To set up a SPAN (Switch Port ANalyser) session use:

switch# conf t
switch(config)# monitor session 1 source interface fastEthernet X/X both
switch(config)# monitor session 1 destination interface fastEthernet X/X

The first monitor command sets up monitor session 1, monitoring all data (in and out, i.e. "both") of interface fastEthernet X/X. -> you may just want to monitor data going out of this interface, in which case use the suffix "out" instead of "both".
The second monitor command configures which port you have your sniffer connected to.

Good luck,
Phil.

If everything is coming your way then you're in the wrong lane.
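An added check for the sniffer side (example code written here, not from the thread): once the monitor session is in place, the frames reaching the destination port should include unicast traffic addressed to other hosts, because broadcasts and multicasts are flooded to every port anyway and prove nothing about the mirror; tallying bytes per source MAC then gives the "where is it coming from" view Richard asked for earlier in the thread. The frames and the 02:... MAC addresses are constructed placeholders.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def mk_frame(dst, src, ethertype, payload_len):
    # Constructed frame: 14-byte Ethernet II header plus a zero-filled payload.
    return dst + src + ethertype.to_bytes(2, "big") + b"\x00" * payload_len

# Constructed sample of what the sniffer NIC on the SPAN destination port sees
# (not a real capture). The locally administered 02:... MACs are placeholders.
MIRRORED = [
    mk_frame(BROADCAST, mac("02:00:00:00:00:0a"), 0x0806, 28),                   # ARP request
    mk_frame(mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0a"), 0x0800, 1486),  # IP unicast
    mk_frame(mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0a"), 0x0800, 1486),
    mk_frame(mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), 0x0800, 60),
    mk_frame(mac("01:00:5e:00:00:fb"), mac("02:00:00:00:00:0c"), 0x0800, 120),   # IP multicast
]

def classify(frame):
    """Destination class of one frame, decided by the I/G bit of the first MAC octet."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 1 else "unicast"

def span_report(frames):
    """Return (mirror_ok, frame counts per class, bytes per source MAC, busiest first).

    A capture holding only broadcast/multicast frames means the session is not
    copying the source ports to the sniffer; unicast frames are the proof.
    """
    classes = Counter()
    bytes_by_src = Counter()
    for f in frames:
        cls = classify(f)
        classes[cls] += 1
        if cls != "runt":
            bytes_by_src[f[6:12].hex(":")] += len(f)
    return classes["unicast"] > 0, dict(classes), bytes_by_src.most_common()
```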
 
Hi Victor,

This is what I get when entering the exact commands that you entered:

User Access Verification

Password:
NHDMZSwitch1>ena
NHDMZSwitch1>enable
Password:
NHDMZSwitch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NHDMZSwitch1(config)#int fa0/24
NHDMZSwitch1(config-if)#p?
pagp

NHDMZSwitch1(config-if)#p
NHDMZSwitch1(config-if)#sh ver
^
% Invalid input detected at '^' marker.

NHDMZSwitch1(config-if)#



Here is what the switch displays on power up, which shows the firmware version it is running:

C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(0.0.337)EA1, CISCO DEVELOPMENT TEST VERSION
Compiled Mon 10-Jun-02 14:50 by antonino
WS-C2950SX-24 starting...
Base ethernet MAC Address: 00:0a:41:d2:4d:40
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 14 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 4159488
flashfs[0]: Bytes available: 3581952
flashfs[0]: flashfs fsck took 6 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2950-i6q4l2-mz.121-9.EA1d.bin"...########################################################################################################################################################################################################################################################################

File "flash:c2950-i6q4l2-mz.121-9.EA1d.bin" uncompressed and installed, entry point: 0x80010000
executing...


Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1d, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 17-Jun-02 18:55 by antonino
Image text-base: 0x80010000, data-base: 0x804E6000


Initializing flashfs...
flashfs[1]: 14 files, 2 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 4159488
flashfs[1]: Bytes available: 3581952
flashfs[1]: flashfs fsck took 6 seconds.
flashfs[1]: Initialization complete.
Done initializing flashfs.
POST: System Board Test : Passed
POST: Ethernet Controller Test : Passed
ASIC Initialization Passed

POST: FRONT-END LOOPBACK TEST : Passed
cisco WS-C2950SX-24 (RC32300) processor (revision A0) with 20821K bytes of memory.
Processor board ID FOC0631W09T
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0A:41:D2:4D:40
Motherboard assembly number: 73-8135-04
Power supply part number: 34-0965-01
Motherboard serial number: FOC06300UUU
Power supply serial number: PHI0622090F
Model revision number: A0
Motherboard revision number: A0
Model number: WS-C2950SX-24
System serial number: FOC0631W09T


--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:
00:00:13: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:18: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1d, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 17-Jun-02 18:55 by antonino


show frame does not seem to be supported:
NHDMZSwitch1#show ?
access-lists List access lists
accounting Accounting data for active sessions
aliases Display alias commands
arp ARP table
boot show boot attributes
buffers Buffer pool statistics
cdp CDP information
clock Display the system clock
cluster Cluster information
cns CNS subsystem
configuration Contents of Non-Volatile memory
controllers Interface controller status
debugging State of each debugging option
dhcp Dynamic Host Configuration Protocol status
dot1x IEEE 802.1X information
dtp DTP information
env Environamental facilities
errdisable Error disable
etherchannel EtherChannel information
exception exception informations
file Show filesystem information
flash: display information about flash: file system
history Display the session command history
hosts IP domain-name, lookup style, nameservers, and host tabl
html HTML helper commands
interfaces Interface status and configuration
ip IP information
line TTY line information
location Display the system location
logging Show the contents of logging buffers
mac MAC configuration
mac-address-table MAC forwarding table
memory Memory statistics
mls Show MultiLayer Switching information
monitor Show a SPAN session
mvr Show mvr global parameters
ntp Network time protocol
pagp Port channel information
pm Show Port Manager commands
port-security Show secure port information
post Power On Self Test results
privilege Show current privilege level
processes Active process statistics
queue Show queue contents
queueing Show queueing configuration
radius Shows radius information
registry Function registry information
reload Scheduled reload information
rhosts Remote-host+user equivalences
rmon rmon statistics
rps Show color of RPS led
rtr Response Time Reporter (RTR)
running-config Current operating configuration
sessions Information about Telnet connections
snmp snmp statistics
spanning-tree Spanning tree topology
stacks Process stack utilization
standby Hot standby protocol information
startup-config Contents of startup configuration
storm-control Show packet storm control configuration
subsys Show subsystem information
system Show the system configuration
tacacs Shows tacacs+ server statistics
tcp Status of TCP connections
tech-support Show system information for Tech-Support
template Template information
terminal Display terminal configuration parameters
time-range Time range
udld UDLD information
users Display information about terminal lines
version System hardware and software status
vlan VTP VLAN status
vmps VMPS version information
vtp VTP information
wrr-queue WRR queue


CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 0%

NHDMZSwitch1#show buffers
Buffer elements:
499 in free list (500 max allowed)
9564593 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 25, permanent 25):
25 in free list (20 min, 60 max allowed)
4172149 hits, 0 misses, 0 trims, 0 created
0 failures (0 no memory)
Middle buffers, 600 bytes (total 15, permanent 15):
13 in free list (10 min, 30 max allowed)
24088 hits, 0 misses, 0 trims, 0 created
0 failures (0 no memory)
Big buffers, 1524 bytes (total 5, permanent 5, peak 8 @ 2w2d):
5 in free list (5 min, 10 max allowed)
187299 hits, 1 misses, 3 trims, 3 created
0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 0, permanent 0):
0 in free list (0 min, 10 max allowed)
0 hits, 0 misses, 0 trims, 0 created
0 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
0 in free list (0 min, 5 max allowed)
0 hits, 0 misses, 0 trims, 0 created
0 failures (0 no memory)
Huge buffers, 18024 bytes (total 0, permanent 0):
0 in free list (0 min, 2 max allowed)
0 hits, 0 misses, 0 trims, 0 created
0 failures (0 no memory)

Interface buffer pools:
Calhoun Packet Receive Pool buffers, 1560 bytes (total 512, permanent 512):
383 in free list (0 min, 512 max allowed)
1836128 hits, 0 misses


The actual problem is not overload in the switch, it is a comms link that two of the ports are connected to.
I would like to see what traffic is going out on the two ports that the comms link is connected to.


Hi Fynx,

I have been able to get the following lines up by using the tab autocomplete facility:
monitor session 1 source interface fastEthernet
monitor session 1 destination interface fastEthernet

So it looks like they will work, I will now raise our change control paperwork and implement on Monday hopefully and let you know how this goes.

Thanks Victor and Fynx for your help.

 
Hi Victor,

I have tried to set this up today.

The commands I used are as follows:
monitor session 1 source interface fastEthernet 0/1 both
monitor session 1 source interface fastEthernet 0/2 both
monitor session 1 destination interface fastEthernet 0/23

This is to send a copy of all the traffic that goes out and in of ports 1 and 2 and send it down port 23.

The resulting switch-config file is as follows:

monitor session 1 source interface Fa0/1 - 2
monitor session 1 destination interface Fa0/23


For some reason, I am still only seeing broadcast packets on port 23. What has happened is that I cannot make a normal TCP/IP connection to the machine connected to port 23, which is fair enough.

When I moved the sniffer machine off of port 23, onto port 22, I can see the same broadcast packets but I can also make TCP/IP connections to it.

So the monitor settings have had some effect.

I know that there is definitely traffic on ports 1 and 2.

Please could you let me know what might be going wrong.

Thank you.

Richard Thomas.
 
Hi, Richard!

The problem is, as I know, that the source and the destination interfaces (in monitor session..) must be in the same VLAN. But in your case, they are in different...?



Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA
 
Hi Victor,

All of the ports are on the same VLAN, as I have not set up any yet.

I have also checked and I do not have a vlan.dat file.

Do you have any other ideas?

Thank you.

Richard Thomas
 
Hi Victor,

It turned out to be a problem with the sniffing machine, so I rebooted it and I get all the data I want now.

Thanks for your help.

Richard Thomas
 