On Thu, 30 Apr 2009, Barb Dijker wrote:

> Proxies break lots of things.  Getting a handle on what's really
> sucking the bandwidth is important before throwing technical and
> political hurdles up to monitor/manage/mitigate it.  It could be
> torrents.  It could be just a couple of abusers.  It could be
> streaming vid.  It could be a growing number of virus-laden or zombie
> hosts spewing spam or other garbage.
>
> A real cheap way to passively take a quick look is to put a 100M hub
> (not a switch) between the primary router and the first internal
> hop.  Into that hub, plug a laptop that has Wireshark installed.  A
> hub is $20-40 and Wireshark is free.  That will allow analysis of
> everything going in/out of the net.  That will provide information
> about what protocols and users are sucking the bandwidth.  It can
> also identify what the top web sites are.  Then if the situation
> warrants, a proxy might provide more detailed analysis and mitigation
> through policies.

finding a 100M hub nowadays isn't easy, but you can take a Linux box and set up two NICs as a bridge, plug it in inline and run your sniffing on it.

I think you would be hard pressed nowadays to find a box slow enough that it couldn't do this job (if you have an old PII system lying around it may be slow enough to have trouble at these bandwidth levels)

David Lang

> The above quick look might help decide if you need to spend lots of
> money for a commercial monitoring/management solution.
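
Added example, not part of the original thread: once the hub or bridge has produced a capture, a short script can answer the "what protocols and users are sucking the bandwidth" question without opening every packet by hand. It assumes a classic pcap file of untagged Ethernet/IPv4 frames; the function name, the `10.0.0.0/8` LAN prefix and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def top_talkers(pcap, lan="10.0.0.0/8", n=5):
    """Rank internal hosts and IP protocols by on-the-wire bytes in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (non-pcapng) capture")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    net = ipaddress.ip_network(lan)
    hosts, protos = Counter(), Counter()
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, wire = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not untagged IPv4 (ARP, IPv6, VLAN-tagged) or too short
        protos[PROTO.get(frame[23], str(frame[23]))] += wire
        for raw in (frame[26:30], frame[30:34]):  # source, destination
            ip = ipaddress.ip_address(raw)
            if ip in net:
                hosts[str(ip)] += wire  # charge the frame to the internal endpoint
    return hosts.most_common(n), protos.most_common(n)

def _rec(src, dst, proto, wire):
    """Constructed sample record: 34 captured bytes of a frame that was `wire` bytes long."""
    ip = bytes([0x45, 0]) + struct.pack(">H", wire - 14) + bytes(5) + bytes([proto, 0, 0])
    ip += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    frame = bytes(12) + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(frame), wire) + frame

# Constructed capture (documentation addresses), not data from the thread.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 34, 1) + b"".join([
    _rec("198.51.100.7", "10.0.0.5", 6, 1514),
    _rec("198.51.100.7", "10.0.0.5", 6, 1514),
    _rec("10.0.0.9", "192.0.2.1", 17, 200),
    _rec("10.0.0.5", "198.51.100.7", 6, 66),
])

if __name__ == "__main__":
    print(top_talkers(SAMPLE))
```

Byte counts use each record's original wire length rather than the captured length, so a capture taken with a short snap length (headers only) still ranks hosts correctly.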
