[Durham] What is eating up my bandwidth?

Richard Mortimer richm at oldelvet.org.uk
Mon Jul 8 10:29:45 UTC 2013 

Hi Dougie

On 07/07/2013 15:42, Dougie Nisbet wrote:
> The next step was to look at ways of seeing where it's being used. I've
> looked at lots of utilities for showing where bandwidth is being used.
> Currently I've got iftop running:
>
>      iftop  -F 192.168.1.0/255.255.255.0
>
> which seems to be doing what I want - showing stuff going into and out
> of the homelan, but not internal traffic.
>
> Of course, I soon hit upon the problem of not seeing all traffic. After
> googling for tools and advice I realised that switches are too good at
> being switches, so I bought one of these (a Netgear GS510E 5-port switch):
>
> http://www.amazon.co.uk/gp/product/B002U08F2S/ref=oh_details_o09_s00_i00?ie=UTF8&psc=1
>
>
> that allows port mirroring on port 5. I've got my Linux desktop in port
> 5 and all other ports mirrored to it.
>
Try using nfcapd to capture the flows of traffic that are being mirrored 
and then using nfdump to analyse them.

http://nfdump.sourceforge.net/

That basically tracks the data that it sees on an interface and 
summarises each flow of data with source, destination and amount of data 
captured.

If you want to get a bit fancier you could use nfsen 
http://nfsen.sourceforge.net/ to graph and manage the data for you.

Bonus points if you have a linux based router (running OpenWrt or 
similar) because you can run a capture daemon on the traffic on that and 
collect the netflows using nfsen on a server which has a bit more grunt 
for analysis.

> I really thought that would do the trick and I'd see some smoking gun -
> but alas no. The bandwidth still gets eaten up and even though I've been
> running iftop for days it's not really showing anything of concern. I
> wonder sometimes if things are blipping, briefly using lots of bandwidth
> then terminating - I've a feeling iftop wouldn't show that unless I was
> staring at it at the time.
>
> I suppose there's wifi. My router is wireless and we have two iphones
> and two ipads, although we connect to the other (5) WAPs too. Perhaps I
> could disable the wifi on the router, forcing it to go through the WAPs,
> which would then, in theory, show up as it'd have to go via the Netgear
> switch.
you probably wanna capture everything going down your ADSL wires. I 
wouldn't rule out ipads/iphones cos they can eat bandwidth if given half 
a chance.

>
> Dunno. Anyone any ideas on how to problem solve this? I know I can just
> turn things off but this would be a) inconvenient and b) an admission of
> defeat. I'd rather track the culprit down.
Indeed.

Regards

Richard

>
> Dougie
>
> _______________________________________________
> Durham mailing list   -   Durham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/durham
> http://www.nelug.org.uk/

More information about the Durham mailing list