How do you trace problem traffic?

Seth Cooper

Of course the traffic falls off once I ask for input, but still curious!

scottalanmiller

Best option is a proxy server. You get control, monitoring and caching all in one. Find the problem, fix the problem and improve the offering all at once.

Seth Cooper

How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

Dashrender

I used Bandwidthd on a mirrored port on the switch to see what was hogging all my internet traffic. It uses easy to read charts and graphs. You'll want to mirror the port going to the firewall.

PSX_Defector

@Seth-Cooper said:

How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

Don't need much.

Seth Cooper

@PSX_Defector said:

@Seth-Cooper said:

How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

Don't need much.

Good deal, because that is about the exact specs of the spare hardware I have to use!

PSX_Defector

@Seth-Cooper said:

@PSX_Defector said:

@Seth-Cooper said:

How powerful of a box would a proxy need to be? Could I create such a thing efficiently from old server or workstation? I imagine that depends on the traffic.

I used to run a proxy and sniffer for ~100 users over a P4 512MB machine.

Don't need much.

Good deal, because that is about the exact specs of the spare hardware I have to use!

Need a better machine? I have that box sitting on my shelf, a Compaq with three NICs, 2GB of RAM, and decent sized hard drive. Get it for ya cheap, even load ntop for ya.

Seth Cooper

@PSX_Defector I appreciate the generous offer and I will let you know if I do. But this is a backseat project for me at best. Might try the port mirroring first but all this has to be done in my non-existent free time. I am sure you know how that goes.

Thanks.

scottalanmiller

A Proxy needs more power than a router but not much. It does very little work. I bet a PIII 600 would do the trick.

alexntg

Is this crossing a firewall? If so, it should be able to tell you which devices are the nosiest.

Seth Cooper

@alexntg Yep, my branches use Juniper SSG-5's but I haven't seen any logging to do what you speak of.

Nara

This post is deleted!

alexntg

@Seth-Cooper said:

@alexntg Yep, my branches use Juniper SSG-5's but I haven't seen any logging to do what you speak of.

What logging options does it have?

Seth Cooper

Very limited, only logs on the policy level for short increments (up to an hour) and looking across the Juniper boards it looks like everyone states to get good traffic logs you need to do port mirroring.

alexntg

@Seth-Cooper said:

Very limited, only logs on the policy level for short increments (up to an hour) and looking across the Juniper boards it looks like everyone states to get good traffic logs you need to do port mirroring.

That's unfortunate.