[Durham] What is eating up my bandwidth?

Dougie Nisbet dougie at highmoor.co.uk
Mon Jul 15 20:43:49 UTC 2013


Thanks for all the replies I had to this.

The storm has passed and I have a few suspects to investigate, but I'm 
in no hurry to re-enable things. I'll investigate the suggestions below 
so that hopefully I can get some evidence to can confirm my suspicions.

On 08/07/13 11:29, Richard Mortimer wrote:
> Hi Dougie
>
> On 07/07/2013 15:42, Dougie Nisbet wrote:
>> The next step was to look at ways of seeing where it's being used. I've
>> looked at lots of utilities for showing where bandwidth is being used.
>> Currently I've got iftop running:
>>
>>      iftop  -F 192.168.1.0/255.255.255.0
>>
>> which seems to be doing what I want - showing stuff going into and out
>> of the homelan, but not internal traffic.
>>
>> Of course, I soon hit upon the problem of not seeing all traffic. After
>> googling for tools and advice I realised that switches are too good at
>> being switches, so I bought one of these (a Netgear GS510E 5-port 
>> switch):
>>
>> http://www.amazon.co.uk/gp/product/B002U08F2S/ref=oh_details_o09_s00_i00?ie=UTF8&psc=1 
>>
>>
>>
>> that allows port mirroring on port 5. I've got my Linux desktop in port
>> 5 and all other ports mirrored to it.
>>
> Try using nfcapd to capture the flows of traffic that are being 
> mirrored and then using nfdump to analyse them.
>
> http://nfdump.sourceforge.net/
>
> That basically tracks the data that it sees on an interface and 
> summarises each flow of data with source, destination and amount of 
> data captured.
>
> If you want to get a bit fancier you could use nfsen 
> http://nfsen.sourceforge.net/ to graph and manage the data for you.
>
> Bonus points if you have a linux based router (running OpenWrt or 
> similar) because you can run a capture daemon on the traffic on that 
> and collect the netflows using nfsen on a server which has a bit more 
> grunt for analysis.
>
>> I really thought that would do the trick and I'd see some smoking gun -
>> but alas no. The bandwidth still gets eaten up and even though I've been
>> running iftop for days it's not really showing anything of concern. I
>> wonder sometimes if things are blipping, briefly using lots of bandwidth
>> then terminating - I've a feeling iftop wouldn't show that unless I was
>> staring at it at the time.
>>
>> I suppose there's wifi. My router is wireless and we have two iphones
>> and two ipads, although we connect to the other (5) WAPs too. Perhaps I
>> could disable the wifi on the router, forcing it to go through the WAPs,
>> which would then, in theory, show up as it'd have to go via the Netgear
>> switch.
> you probably wanna capture everything going down your ADSL wires. I 
> wouldn't rule out ipads/iphones cos they can eat bandwidth if given 
> half a chance.
>
>>
>> Dunno. Anyone any ideas on how to problem solve this? I know I can just
>> turn things off but this would be a) inconvenient and b) an admission of
>> defeat. I'd rather track the culprit down.
> Indeed.
>
> Regards
>
> Richard
>
>>
>> Dougie
>>
>> _______________________________________________
>> Durham mailing list   -   Durham at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/durham
>> http://www.nelug.org.uk/
>




More information about the Durham mailing list