7

A quick overview of the problem

We've been experiencing some issues with our bandwidth usage lately which I fear may be due to misuse (whether intentional or not) of our internet in the office. I want to be able to monitor the network traffic to see if a certain internal IP address is at fault. Our bandwidth should be more than sufficient.

Our setup

We have a 3Com Superstack 3 Switch connected to a Cisco PIX 501 firewall, which then connects into our ISP-provided router.

What I've tried

It seems that neither the switch nor the firewall has a Port Mirroring feature available, so I am not able to keep up a permanent trace. The PIX does offer a temporary trace into its own memory buffer, however I am not too confident using this.

I've also tried installing Wireshark on our (Windows 2000) DNS server, but the packet data here didn't help.

Next steps

Any suggestions from you guys as to how to monitor the traffic would be great. We're not in a position to replace the existing hardware just yet, though. I have looked into the cost of a Network Tap, which I could place between the switch and firewall (or firewall and router) and set up a machine to monitor the packets there. I've never taken this approach before, so wondered if it's really viable.

6
  • Not familiar with that switch, can you disable MAC learning on it?
    – ytti
    Commented Nov 25, 2013 at 15:30
  • if you have (your_lan)---[your_switch]--[internet_router] then change that into (your_lan)---[your_switch]--[a_hub]--[internet_router] and plug the monitoring PC (or a secondary link of a monitoring server) on [a_hub] ! Then you can see every traffic to/from the router. Of course it's important that this is a hub, and not a switch or a router ^^ Otherwise you'll have much traffic hidden as you're not the direct source/destination. Commented Nov 25, 2013 at 17:38
  • Hubs haven't been built in decades, so where's he supposed to find one? ("the box on a shelf in my office"?) Also, hubs have collisions, which could make his issues even worse.
    – Ricky
    Commented Nov 25, 2013 at 22:06
  • Have you considered maybe the PIX 501 is too slow? (I have to admit I've never benchmarked one.)
    – Ricky
    Commented Nov 25, 2013 at 22:19
  • The PIX is generally fine. I have my suspicions now over which user is causing the issues, but I need proof, which I may be able to obtain without any packet capture after all. Commented Nov 26, 2013 at 9:30

2 Answers

9

Two possible choices... a packet capture tap (which is quite viable) or packet capture on the ASA.

If you're not interested in buying a tap and inserting it inline, you shouldn't be afraid of capturing on your Cisco PIX. To capture traffic on the PIX, first define an ACL... assume you're trying to capture traffic from a host inside the firewall at 10.10.10.1.

access-list CAPACL permit ip host 10.10.10.1 any
access-list CAPACL permit ip any host 10.10.10.1

Now start capturing the traffic that matches the ACL using a buffer large enough to find whether this host is legitimately a problem...

capture inside_capture interface INSIDE buffer <some buffer size> access-list CAPACL packet-length 1500

You can optionally download the capture using tftp...

copy /pcap capture:inside_capture tftp: 

This Cisco doc has a lot of good information about capturing traffic on a PIX / Cisco ASA... DOC 17345 Capturing PIX Traffic

1
  • 1
    I would say "netflow", but a pix501 cannot do that. (upgrade to an ASA running 8.2.1+ and netflow will be available)
    – Ricky
    Commented Nov 25, 2013 at 22:13
1

You can pretty easily make your own ethernet tap. It probably won't work on a gigabit interface, but will work on 10 or 100 Mbit. I've made one before when I didn't want to wait for a premade one to ship.

http://hackaday.com/2008/09/14/passive-networking-tap/ has a little write-up about them. Basically all you need is 4 cat5 jacks and a bit of cable.

Two of the jacks sit in between the existing connection between the switch and firewall, or the firewall and ISP router.

The two tap jacks each have one signal direction connected. You plug one into your laptop (or both, if you have a system with 2 NICs). The transmit pins of your network card aren't connected at all, so the laptop can't accidentally transmit any data.

Capturing just one direction is probably enough to tell where the excessive usage is coming from.

I would test the tap on some less important connection before unplugging the office's internet connection. Once you know it works you can hook it up and leave wireshark running on a laptop for as long as you need to figure out the problem.

2
  • 1
    I want to vote this down as those kinds of spec-violating wiring hacks are an accident waiting to happen. In a pinch, it will work, but it's a last resort when there's a gun pointed at your head. [also, I have hubs, managed switches, and access to $$$$ gig-e taps]
    – Ricky
    Commented Nov 25, 2013 at 22:17
  • @rickybeam I agree if you have (or have the $ for) a proper managed switch or taps get them. But this has saved me before and even if it's not the best option it's still an option when the better ones are unavailable.
    – Grant
    Commented Nov 25, 2013 at 22:22
