RE: Someone is using too much bandwidth???

RE: Someone is using too much bandwidth???

[lubasi]

Hello,

Indeed its true, and i dont know what machine it is. I have MRTG
installed and my bandwidth looks green all the the time as much as
138Kbps, and my ISP gives me 128Kbps.

How can i interprate the #tail -f /var/logs/messages to determin
which machine is doing kazaa or any other P2P???consuming the
bandwidth.

And how do i block these popular P2P???

Kind regards

Teddy L.
------------------------------------------------------
Teddy L. Nyambe
Open Source Zambia
www.opensource.org.zm

+260 97 760473

* Know that today is yesterday's future Be the change you want to see
in the world
* To Err is Human, but to really mess things up, you need a PC

RE: Someone is using too much bandwidth???

[Pablo Sanchez]

 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of lubasi
> Sent: Tuesday, November 21, 2006 12:22 PM
> To: netfilter@lists.netfilter.org
> Subject: RE: Someone is using too much bandwidth???
> 
> Hello,
> 
> Indeed its true, and i dont know what machine it is. 

You could setup an iptables rule to log all traffic or do what I believe may
be simpler:  use tcpdump

Let's say you have two NIC's on your machine:


	// Internet // - [eth0] - [gateway] - [eth1] - // Internal Network
//

You can run tcpdump on your Internet Network:

	tcpdump -i eth1

If you've ssh'd to your gateway machine from your Internal Network, your
host and ssh information will also be spewed.  Probably not what you want.

A simple tweak will handle it:

	tcpdump -i eth1 not host your.IP.address.here

The above should give you some quick answers.

Cheers,
---
Pablo Sanchez - Blueoak Database Engineering, Inc
Ph:    819.459.1926          Toll free:  888.459.1926
Cell:  819.918.9731                Pgr:  pablo_p@blueoakdb.com
Fax:   603.720.7723 (US)

Re: Someone is using too much bandwidth???

[Taylor, Grant]

lubasi wrote:
> How can i interprate the #tail -f /var/logs/messages to determin
> which machine is doing kazaa or any other P2P???consuming the
> bandwidth.

By default /var/log/messages will not record any thing about traffic that is
passing through the system.  You can add IPTables rules that will cause
matched packets to be logged via Syslog which you can then see in
/var/log/messages.

However to get a better idea of what traffic is running on your network,
consider TCPDump or a GUI front end like Etherial.  This will give you a
real time report of what traffic is flowing in to / out of / through your
system (presuming you sniff the correct interface).  You can tell from this,
which computer is consuming more bandwidth than it should based on the
frequency of the source / destination IP showing up in TCPDump's output.

You could add rules to IPTables that match specific IPs in question and
watch the hit counters to see which system(s) are incrementing their
counters at an exceptional rate.  One (or more) system(s) should jump out at
you as being the culprit(s).

> And how do i block these popular P2P???

First you need to find out more about the type of P2P traffic that you are
experiencing so that you can more accurately filter it out / rate limit it.
  I will say that you may have better luck with rate limiting.  If you
completely block a users access to something they will find a different
method to get to what they want to get to.  If your users switch to
something else you then have to learn about that too.  Where as if you let
your users use one system but control the amount of bandwidth consumed and /
or the priority you may not play the above game nearly as often.

My family has a saying, "Give 20% to get 80% of what you want.".



Grant. . . .

Re: Someone is using too much bandwidth???

[tom]

Taylor, Grant wrote:
> lubasi wrote:
>> How can i interprate the #tail -f /var/logs/messages to determin
>> which machine is doing kazaa or any other P2P???consuming the
>> bandwidth.
>
> By default /var/log/messages will not record any thing about traffic 
> that is
> passing through the system.  You can add IPTables rules that will cause
> matched packets to be logged via Syslog which you can then see in
> /var/log/messages.
>
> However to get a better idea of what traffic is running on your network,
> consider TCPDump or a GUI front end like Etherial.  This will give you a
> real time report of what traffic is flowing in to / out of / through your
> system (presuming you sniff the correct interface).  You can tell from 
> this,
> which computer is consuming more bandwidth than it should based on the
> frequency of the source / destination IP showing up in TCPDump's output.
>
> You could add rules to IPTables that match specific IPs in question and
> watch the hit counters to see which system(s) are incrementing their
> counters at an exceptional rate.  One (or more) system(s) should jump 
> out at
> you as being the culprit(s).
>
>> And how do i block these popular P2P???
>
> First you need to find out more about the type of P2P traffic that you 
> are
> experiencing so that you can more accurately filter it out / rate 
> limit it.
>  I will say that you may have better luck with rate limiting.  If you
> completely block a users access to something they will find a different
> method to get to what they want to get to.  If your users switch to
> something else you then have to learn about that too.  Where as if you 
> let
> your users use one system but control the amount of bandwidth consumed 
> and /
> or the priority you may not play the above game nearly as often.
>
> My family has a saying, "Give 20% to get 80% of what you want.".
>
>
>
> Grant. . . .
>
>
iftop will suit your needs for monitoring like that. 
http://freshmeat.net/*iftop*

Re: Someone is using too much bandwidth???

[Danny]

Hi,

ntop is a good solution too.  It gives you current thoroughput and total 
bandwidth consumption.
It gives you info about the transmission type as well - TCP/UDP.


http://www.ntop.org/overview.html


All the best !!

- Danny


tom wrote:
> Taylor, Grant wrote:
>> lubasi wrote:
>>> How can i interprate the #tail -f /var/logs/messages to determin
>>> which machine is doing kazaa or any other P2P???consuming the
>>> bandwidth.
>>
>> By default /var/log/messages will not record any thing about traffic 
>> that is
>> passing through the system.  You can add IPTables rules that will cause
>> matched packets to be logged via Syslog which you can then see in
>> /var/log/messages.
>>
>> However to get a better idea of what traffic is running on your network,
>> consider TCPDump or a GUI front end like Etherial.  This will give you a
>> real time report of what traffic is flowing in to / out of / through 
>> your
>> system (presuming you sniff the correct interface).  You can tell 
>> from this,
>> which computer is consuming more bandwidth than it should based on the
>> frequency of the source / destination IP showing up in TCPDump's output.
>>
>> You could add rules to IPTables that match specific IPs in question and
>> watch the hit counters to see which system(s) are incrementing their
>> counters at an exceptional rate.  One (or more) system(s) should jump 
>> out at
>> you as being the culprit(s).
>>
>>> And how do i block these popular P2P???
>>
>> First you need to find out more about the type of P2P traffic that 
>> you are
>> experiencing so that you can more accurately filter it out / rate 
>> limit it.
>>  I will say that you may have better luck with rate limiting.  If you
>> completely block a users access to something they will find a different
>> method to get to what they want to get to.  If your users switch to
>> something else you then have to learn about that too.  Where as if 
>> you let
>> your users use one system but control the amount of bandwidth 
>> consumed and /
>> or the priority you may not play the above game nearly as often.
>>
>> My family has a saying, "Give 20% to get 80% of what you want.".
>>
>>
>>
>> Grant. . . .
>>
>>
> iftop will suit your needs for monitoring like that. 
> http://freshmeat.net/*iftop*
>
>

Re: Someone is using too much bandwidth???

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Nov 2006, tom wrote:

 	[SNIP]

>> 
>> 
> iftop will suit your needs for monitoring like that. 
> http://freshmeat.net/*iftop*
>


How well maintained is that code at this point?  I note the changelog 
shows nothing changed since near the end of 2003...


Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFaJF6st+vzJSwZikRAnS+AKDNgZK3UKCkLNrLC9nAYtb4Leg0VwCfZhlp
2Tm7Jrp24ezRIrVUMyv5yOE=
=iQwL
-----END PGP SIGNATURE-----

RE: Someone is using too much bandwidth???

[lubasi]

Okey thanks for tcpdump.

But got a problem. I cant seem to realy figure out what those lines
mean? say these four (4) lines:

08:01:42.131982 IP 192.168.0.71.1054 > mail.parliament.gov.zm.squid:
. ack 6755 win 65535
08:01:42.225114 IP 213.155.151.150.http > 192.168.0.183.3011: P
1:334(333) ack 170 win 5840
08:01:42.229863 IP 192.168.0.183.3011 > 213.155.151.150.http: F
170:170(0) ack 334 win 63907
08:01:42.229968 IP 213.155.151.150.http > 192.168.0.183.3011: F
334:334(0) ack 171 win 5840


Okey seen the date part, the IP address then looks like the port on
which the connection is listening on is appended to the requesting IP
address then the greater than???? confused from that point.

Anything i can use to graph this information????

Teddy L.
>
>
>
>---- Original Message ----
>From: pablo@blueoakdb.com
>To: netfilter@lists.netfilter.org
>Subject: RE: Someone is using too much bandwidth???
>Date: Tue, 21 Nov 2006 13:13:12 -0500
>
>> 
>>
>>> -----Original Message-----
>>> From: netfilter-bounces@lists.netfilter.org 
>>> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of lubasi
>>> Sent: Tuesday, November 21, 2006 12:22 PM
>>> To: netfilter@lists.netfilter.org
>>> Subject: RE: Someone is using too much bandwidth???
>>> 
>>> Hello,
>>> 
>>> Indeed its true, and i dont know what machine it is. 
>>
>>You could setup an iptables rule to log all traffic or do what I
>believe may
>>be simpler:  use tcpdump
>>
>>Let's say you have two NIC's on your machine:
>>
>>
>>	// Internet // - [eth0] - [gateway] - [eth1] - // Internal Network
>>//
>>
>>You can run tcpdump on your Internet Network:
>>
>>	tcpdump -i eth1
>>
>>If you've ssh'd to your gateway machine from your Internal Network,
>your
>>host and ssh information will also be spewed.  Probably not what you
>want.
>>
>>A simple tweak will handle it:
>>
>>	tcpdump -i eth1 not host your.IP.address.here
>>
>>The above should give you some quick answers.
>>
>>Cheers,
>>---
>>Pablo Sanchez - Blueoak Database Engineering, Inc
>>Ph:    819.459.1926          Toll free:  888.459.1926
>>Cell:  819.918.9731                Pgr:  pablo_p@blueoakdb.com
>>Fax:   603.720.7723 (US)

------------------------------------------------------
Teddy L. Nyambe
Open Source Zambia
www.opensource.org.zm

+260 97 760473

* Know that today is yesterday's future Be the change you want to see
in the world
* To Err is Human, but to really mess things up, you need a PC

Re: Someone is using too much bandwidth???

[Taylor, Grant]

lubasi wrote:
> Okey thanks for tcpdump.

No problem.

> But got a problem. I cant seem to really figure out what those lines
> mean? say these four (4) lines:
> 
> 08:01:42.131982 IP 192.168.0.71.1054 > mail.parliament.gov.zm.squid:
> . ack 6755 win 65535

Host 192.168.0.71 is talking from port 1054 to host mail.parliament.gov.zm's 
Squid port (3128) (acknowledging packet 6755 with a window size of 65535)

> 08:01:42.225114 IP 213.155.151.150.http > 192.168.0.183.3011: P
> 1:334(333) ack 170 win 5840

213.155.151.150 was sending traffic from the http port (80) back to 
192.168.0.183

> 08:01:42.229863 IP 192.168.0.183.3011 > 213.155.151.150.http: F
> 170:170(0) ack 334 win 63907
> 08:01:42.229968 IP 213.155.151.150.http > 192.168.0.183.3011: F
> 334:334(0) ack 171 win 5840

> Okey seen the date part, the IP address then looks like the port on
> which the connection is listening on is appended to the requesting IP
> address then the greater than???? confused from that point.

The greater than is an arrow pointing the direction of the traffic flow. 
There is also some packet information that is not really important for the 
basic traffic flow that you are after.  Consider perusing the TCPDump man 
page.  ;)  You will find out all sorts of things about how you can customize 
the default output of TCPDump.

> Anything i can use to graph this information????

Now you are just being picky.  ;)

I'm sure there are some ways that you could capture this output and run it 
through a graph generation program.  However these are just pieces in a 
total solution.  You may want to look at some of the other things mentioned 
in this thread as I bet they will come closer to doing what you want to do 
out of the box.  If not, look for something that will take the output of 
TCPDump and munge it and then create a file that holds your stats (csv?) and 
then look to have something graph that (GNUPlot?) for you.




Grant. . . .

Re: Someone is using too much bandwidth???

[lubasi]

Hello,

Ntop! wow looks interestig but for the past few 5 hours or so i have
been struggling compiling it. I can seem to resolve the configure
error...

checking sctp... no
checking for xmldump... configure: WARNING: error

*******************************************************************
*
* WARNING:  One or more items required for the xmldump plugin are
*           missing:
*
*                  libxml2.so or libxml2.a...yes
*                  gdome.h...no
*                  libgdome.so or libgdome.a...no
*                  glib.h...no
*                  libglib.so or libglib.a...no
*                  glibconfig.h...no
*
*           (yes means it was found, no means it was not found)
*
*       ntop will run just fine without this plugin.
*
*>>>    If you want to use the xmldump plugin,
*
*???     1. Install the necessary headers and libraries.
*???    and rerun ./configure

>>ntop is a good solution too.  It gives you current thoroughput and
>total 
>>bandwidth consumption.
>>It gives you info about the transmission type as well - TCP/UDP.


Am terribly stack!

Teddy L.

------------------------------------------------------
Teddy L. Nyambe
Open Source Zambia
www.opensource.org.zm

+260 97 760473

* Know that today is yesterday's future Be the change you want to see
in the world
* To Err is Human, but to really mess things up, you need a PC

Re: Someone is using too much bandwidth???

[Gavin White]

What distribution are you using? Fedora, debian, redhat?

On 11/22/06, lubasi <lubasi@zamnet.zm> wrote:
> Hello,
>
> Ntop! wow looks interestig but for the past few 5 hours or so i have
> been struggling compiling it. I can seem to resolve the configure
> error...
>
> checking sctp... no
> checking for xmldump... configure: WARNING: error
>
> *******************************************************************
> *
> * WARNING:  One or more items required for the xmldump plugin are
> *           missing:
> *
> *                  libxml2.so or libxml2.a...yes
> *                  gdome.h...no
> *                  libgdome.so or libgdome.a...no
> *                  glib.h...no
> *                  libglib.so or libglib.a...no
> *                  glibconfig.h...no
> *
> *           (yes means it was found, no means it was not found)
> *
> *       ntop will run just fine without this plugin.
> *
> *>>>    If you want to use the xmldump plugin,
> *
> *???     1. Install the necessary headers and libraries.
> *???    and rerun ./configure
>
> >>ntop is a good solution too.  It gives you current thoroughput and
> >total
> >>bandwidth consumption.
> >>It gives you info about the transmission type as well - TCP/UDP.
>
>
> Am terribly stack!
>
> Teddy L.
>
> ------------------------------------------------------
> Teddy L. Nyambe
> Open Source Zambia
> www.opensource.org.zm
>
> +260 97 760473
>
> * Know that today is yesterday's future Be the change you want to see
> in the world
> * To Err is Human, but to really mess things up, you need a PC
>
>
>