How to trace unknown traffic bandwidth use on an 1841

KatzEye1

IS-IT--Management
Mar 18, 2004
108
GB
Hi guys, we have an 1841 set up in the office and I have SNMP set up, with which I use a 3rd party remote viewer to log the results on basic info like CPU usage % and traffic in and out.

I'm seeing the CPU averaged at 14% and a constant minimum traffic of 100kbit out and 50kbit in, even on days when no one is in the office. Something is obviously using up the bandwidth, and it's not an SNMP fault (I have a similar monitor set up on a branch office, no probs).

I also have full SSH admin access to the router.

How can I interrogate and trace the sources of this traffic using the Cisco 1841's abilities?

many thx!
 
Set up ip accounting and NetFlow on the router, as well as capturing packets. On all interfaces,

ip accounting access-viol
ip route-cache flow
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip virtual-reassembly

and enable CEF globally...

router(config)#ip cef

Then

sh ip accoun
sh ip route cache

Additionally, set up an acl that logs all hits, and log to a syslog server

logging x.x.x.x (ip of syslog server)
logging trap debugging
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime

and you really should do tcp keepalives...

service tcp-keepalives-in
service tcp-keepalives-out

and

service sequence-numbers

I would also set up KRON (if your IOS supports it) to clear NAT xlates and interface counters (NAT daily and counters weekly).

Also, run Wireshark for 24 hours, and in the options, I would set the options to
A) Chop up the packets into 250MB files, no more
B) Specify an output file (.cap/.pcap file extension)
C) Choose to NOT process packets on-the-fly (update list of packets in real time)
D) Set the buffer higher, depending on the memory in the syslog server (i.e. 1GB RAM=100MB max buffer).

Review all outputs, and if you have any questions after that, post back here.

HTH

/
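The reply above suggests an ACL that logs every hit and sends it to a syslog server. As an added example (not code from any poster in this thread), here is a small Python script that turns those IOS `%SEC-6-IPACCESSLOG*` syslog messages into a per-source ranking by logged packets, much like `ip flow-top-talkers` does for NetFlow. The sample log lines and ACL number 110 are constructed for the example; note that ACL logging reports packet counts, not bytes.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco IOS ACL-log format
# (IPACCESSLOGP = TCP/UDP with ports, IPACCESSLOGDP = ICMP with type/code).
# ACL 110 and all addresses are hypothetical.
SAMPLE_LOG = """\
Mar 18 03:10:01.123 GMT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 192.168.1.50(137) -> 192.168.1.255(137), 30 packets
Mar 18 03:10:05.456 GMT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.1.20(3389) -> 203.0.113.7(52311), 120 packets
Mar 18 03:15:01.789 GMT: %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 192.168.1.1 -> 203.0.113.9 (8/0), 5 packets
Mar 18 03:20:02.001 GMT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 192.168.1.50(137) -> 192.168.1.255(137), 45 packets
Mar 18 03:25:11.222 GMT: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.4(4444) -> 192.168.1.20(445), 3 packets
some unrelated syslog line that must be ignored
"""

# Optional "(port)" after each address; optional " (...)" for the ingress
# interface (log-input) after the source or the ICMP type/code after the destination.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?(?: \([^)]*\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?(?: \([^)]*\))?, (?P<pkts>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per parseable ACL log line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["pkts"] = int(rec["pkts"])
            yield rec


def top_talkers(text, key=("src",), n=10, action="permitted"):
    """Sum logged packets per key tuple (e.g. ("src",) or ("src", "dport")), highest first."""
    counts = Counter()
    for rec in parse_acl_log(text):
        if action and rec["action"] != action:
            continue
        counts[tuple(rec[k] for k in key)] += rec["pkts"]
    return counts.most_common(n)


if __name__ == "__main__":
    for who, pkts in top_talkers(SAMPLE_LOG, key=("src", "dport")):
        print(f"{who[0]:>15} -> port {who[1]}: {pkts} packets")
```

Feed it the file your syslog server writes and the busiest source/destination-port pairs appear at the top; a source that keeps showing up at night is the one to look at first.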
 
Forgot to mention/specify...

NetFlow="ip route-cache flow"
IP Accounting=ip accounting access-violations

CEF=Cisco Express Forwarding (process switching for packets=faster, but can be CPU intensive).

These commands

logging x.x.x.x (ip of syslog server)
logging trap debugging
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime

set logging up and allow the logged events to be timestamped to whatever the router gets from NTP (hopefully it is set up and synched to all nodes on the network).

All the rest of the commands are for security/attack thwarts.

uh huh huh huh...I said "wart"...huh huh huh huh

lol

/
 
Not sure if the 1861 supports ip-flow, but if it does, this will give you an idea:

Interface:
ip route-cache flow


Global:
ip flow-top-talkers
top 10
sort-by bytes
 