[afnog] Help on Access list Evaluation

Brian Candler B.Candler at pobox.com
Mon Jul 17 11:06:17 EAT 2006


On Mon, Jul 17, 2006 at 10:55:34AM +0300, Patrick Okui wrote:
> Step 0.
> 	Find out what "type" of traffic you are seeing by running a 
> 	sniffer like tcpdump/ntop or ethereal.

... and this can also identify which particular hosts are generating the
most traffic.

Another useful tool is netflow, which can extract traffic patterns passing
through a router or switch and let you view them on a monitoring station.

If your hosts are connected downstream of a managed switch, you have other
options too. You can monitor the bandwidth use by each switch port
separately, and graph it using something like rrdtool or cricket (there was
another monitoring program mentioned on this list recently which is supposed
to be much easier to set up, but I can't remember what it was called).

Then you can see which port is generating the most traffic, and trace it
back. More importantly, you can start building up a history of utilisation
on your network. In other words, a single port generating a lot of traffic
may be perfectly correct, because that's what you want it to do. But if you
have a single port which has been generating very little traffic over the
last week or month and is suddenly generating large amounts of traffic -
that's something which needs to be investigated.

Regards,

Brian.
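
The comparison of each port against its own history described in the message above, as an added example that is not part of the original post. It assumes cumulative per-port octet counters polled at a fixed interval (the kind of readings an rrdtool or cricket setup would store); the function names, thresholds and sample readings are constructed for illustration.

```python
from statistics import median

COUNTER_MAX = 2**32  # assumption: 32-bit octet counters that wrap around


def rates(samples, interval):
    """Convert cumulative octet counter readings into bytes/sec per interval."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur - prev
        if delta < 0:  # counter wrapped between two polls
            delta += COUNTER_MAX
        out.append(delta / interval)
    return out


def unusual_ports(counters, interval=300, factor=10, floor=1000.0):
    """Return {port: (baseline, latest)} for ports whose latest rate exceeds
    factor x their own historical median. The floor (bytes/sec) stops an
    almost idle port from being flagged for a trivial increase."""
    flagged = {}
    for port, samples in counters.items():
        r = rates(samples, interval)
        if len(r) < 4:  # too little history to call anything unusual
            continue
        baseline = median(r[:-1])  # history excludes the newest interval
        latest = r[-1]
        if latest > factor * max(baseline, floor):
            flagged[port] = (baseline, latest)
    return flagged


# Constructed sample readings, one per 5 minutes (not real measurements).
SAMPLE = {
    # Busy server port: steady 1 MB/s, counter wraps once. Expected, not flagged.
    "port1": [3_700_000_000, 4_000_000_000, 5_032_704,
              305_032_704, 605_032_704, 905_032_704],
    # Quiet port (500 B/s) that suddenly sends 800 kB/s. Flagged.
    "port2": [0, 150_000, 300_000, 450_000, 600_000, 240_600_000],
    # Idle port (10 B/s) with a small blip to 500 B/s. Below the floor.
    "port3": [0, 3_000, 6_000, 9_000, 12_000, 162_000],
}

if __name__ == "__main__":
    for port, (base, now) in unusual_ports(SAMPLE).items():
        print(f"{port}: baseline {base:.0f} B/s, now {now:.0f} B/s")
```

A switch reboot resets the counters and looks the same as a wrap to this code, so a flagged port is worth checking against the device uptime before tracing it back.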


