Wireshark
Raul Duke, 2016-11-29 09:54:53

How to analyze the local network load and identify the source of high traffic?

Good day, dear colleagues.
The D-Link DFL860e firewall is used as the external gateway in the enterprise's local network. After analyzing its load, I found that it has recently increased sharply and significantly (both traffic and the number of connections have grown), although there seemed to be no reason for this. There are several VLANs in the network, a dozen managed L2 switches and about two hundred devices with various types of traffic, so identifying the source is not so easy. You can, of course, turn off the nodes one by one, watching the load and narrowing the search; it is also theoretically possible to install a proxy, but I would like a simpler and more technologically advanced solution, and besides, I have been looking at Wireshark for a long time.
What would you advise in this situation? If Wireshark, then what should I run it on to be able to capture all the packets of at least one VLAN, and how exactly do I identify the source through Wireshark?


3 answer(s)
athacker, 2016-11-29
@athacker

1) Set up monitoring of your switches and look at the graphs to see which ports carry the most traffic. Start with the uplink ports: how much traffic goes in the north-south direction (i.e. from the switch "up" to the router). Then find which port that traffic entered on.
2) Your router does not support NetFlow. Replace it with some MikroTik; it can do NetFlow. By analyzing NetFlow you can understand which traffic prevails, from which local addresses, and where it goes.

antonkovich, 2016-11-29
@antonkovich

A quick look at the D-Link manual did not reveal a port mirroring capability :(
Alas and ah. For Wireshark it would be nice to have a switch with this capability: put it inline, occupying two ports, and mirror the traffic to a third port. Most recent managed D-Links can do this; perhaps you have one. Connect a laptop or PC for monitoring to the port that acts as the mirror. In Wireshark, after capturing packets, the easiest way to analyze is through Conversations. This is in the Statistics menu. In the table there you can filter the traffic by packets or bytes. It will immediately become clear who generates the most load.
Alternatively, if there is no hardware with mirroring, a hub may do. But these are a rarity now. And when using one, throughput will drop while packets are being collected.
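An added example, not from any of the answers above, that does offline what the Conversations table and the NetFlow analysis described above do: it aggregates constructed (source, destination, bytes) records into per-pair totals, bytes sent per local host, and a north-south versus east-west split. The 192.168.0.0/16 local prefix and the sample records are assumptions made up for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records in the shape NetFlow or a capture summary gives you:
# (source, destination, bytes). Invented for the example, not real traffic.
RECORDS = [
    ("192.168.10.25", "203.0.113.7", 850_000),
    ("192.168.10.25", "203.0.113.7", 910_000),
    ("192.168.20.14", "192.168.10.3", 120_000),
    ("192.168.10.3", "192.168.20.14", 95_000),
    ("192.168.30.8", "198.51.100.2", 40_000),
    ("203.0.113.7", "192.168.10.25", 60_000),
]

# Assumed local address space; adjust to the VLANs actually in use.
LOCAL_NETS = [ip_network("192.168.0.0/16")]


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def conversations(records):
    """Bytes per unordered host pair, like Wireshark's Statistics > Conversations."""
    totals = Counter()
    for src, dst, nbytes in records:
        totals[tuple(sorted((src, dst)))] += nbytes
    return totals.most_common()


def top_talkers(records):
    """Bytes sent per local host, sorted descending: the likely culprit is on top."""
    totals = Counter()
    for src, _dst, nbytes in records:
        if is_local(src):
            totals[src] += nbytes
    return totals.most_common()


def north_south_split(records):
    """Split bytes into traffic crossing the gateway vs. staying inside the LAN."""
    split = Counter()
    for src, dst, nbytes in records:
        key = "east_west" if is_local(src) and is_local(dst) else "north_south"
        split[key] += nbytes
    return dict(split)
```

Point the same functions at real flow exports or a `tshark` conversation summary and the top entry of `top_talkers` is the host to look at first.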

Sergey Livitin, 2016-12-08
@Livitin

Set up a software router / firewall on MikroTik x86 (you will still have to spend money on hardware). There you will see everything. In Torch. Or by creating rules on the firewall for the traffic.
