Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 506e Is Pegged!!!

Status
Not open for further replies.
E1Designs

E1Designs

IS-IT--Management
Oct 20, 2005
201
US
Looking at PDM, the bandwidth has been pegged for some time. How in the world can I find out what is using all the bandwidth? Something simple and easy to use and fire up? ip Monitor, Distinct Network Moniitor were all mroe then I wanted. Just want to locate the machine using all the bandwidth.

Thanks!!!
 
Sort by date Sort by votes
Do you have a syslog server setup? You can look at the logs. Or you can do a "sh conn" and see who your top talkers are.
 
Upvote 0 Downvote
No syslog set up, so what am I looking for, just ran the command...
 
Upvote 0 Downvote
You are looking for excessive translations coming from either an internal or external IP. What was the count?

You can turn on loggin to the buffer but beware, If your pix is pegged you could crash it.
 
Upvote 0 Downvote
159 in use, 1399 most used

Then it gave me the various IP's and connections.
 
Upvote 0 Downvote
My main concern is that it is a virus, so I want to locate the machine, then verify that machine is not infected.
 
Upvote 0 Downvote
Well on the connection output you should be able to see which ip had the most connections. Doesnt appear by the count thought that connections were the issue. If you had a virus, alot of the time the infected pc will create multiple connections to random external IPs flodding the firewall or gateway. Could be a download or several downloads slowing you down. Try a

"show traffic" and see what the bytes a second are. Compare that with your actual pipe and see if your getting pegged.

Also do a "sh int" and look for interface errors. To get more involved and find a top talker you will need a syslog server setup and a programs to comb through and tell you whats doin on your fw. There are some free ones.
 
Upvote 0 Downvote
It just stopped, the bandwidth usage. No errors from a "sh int". So any free software you can reccomend to have in place if this happens again? So I can view a graphic and say, there it is, machine X?
 
Upvote 0 Downvote
--
A few things... A stack probe on the target interface can give you a view of which protocol is being hit.. TCPDUMP on a Linux/Unix machine can help determine what is being transferred.

For example: tcpdump -i eth1 port 20
will document all packets being sent/received on port 20.

This works well in single CDMA network... If you are switched, you will need to look into port mirroring or port spanning, depending on what brand of switch you use.. (It only works on the managed switches, not dumb ones). The port span/mirror will allow you to choose what traffic and direction you want and then direct it to a monitoring port.. You then put your TCPDUMP/SNIFFER/Stack Probe/Whatever else on that port and hope you get to see what you are looking for.

Reply-to: netwraith@pcrd.net
thenetwraith (There is a picture here, but, you just can't see it!)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
61
xwray
xwray
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
230
nnaarrnn
nnaarrnn
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
230
MottoK
MottoK
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
69
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
137
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top