
On our network, we noticed a spike in network utilization on a specific date at a specific time. Ever since then the network utilization is extremely high. I want to sniff the network and determine what IP addresses are generating all of the activity. How do I do that?

asked 11 Oct '11, 13:11


Netguru
accept rate: 0%


For me, a good start is always a look at the network topology. You do have a recent topology, don't you?

If you notice a peak in the utilization you either want to record traffic at a choke point, like a router or a firewall; or you capture traffic for a whole network segment.

If you capture traffic at a choke point you need to mirror the traffic from the choke point to an analysis port. Unless you have a low-end switch the switch manual/website should explain how to do this. Look for SPAN ports, analysis ports or monitor ports. If you have an unmanaged switch check out the Dualcomm portable tap.

Capturing traffic for "the whole segment" can be very difficult, if it spans over several switches. If you can focus on one switch you might get away with mirroring a whole VLAN.

Once the mirror port is defined install and fire up Wireshark. I prefer using a dedicated device for Wireshark and try not to install Wireshark on a server. To avoid any interference from my analysis device I disable all bindings, esp. IP.

The rest is easy: Capture away until you have your spike recorded. Statistics -> Endpoints -> IP reveals your top talkers and listeners.

More ideas can be found in the Wireshark User's Guide and the Wireshark Wiki.

Be sure to try Statistics -> IO-Graphs to visualize the spike.

Good hunting!


answered 11 Oct '11, 14:29


packethunter
accept rate: 8%
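The answer above ends with Statistics -> Endpoints -> IP, which is just a per-address sum of bytes and packets sent and received over the capture. The script below is an added example (not part of the original question or answer, and not Wireshark code) that does the same tally offline over a classic libpcap file, so the result can be checked against the Endpoints window or run on a box without a GUI. It parses only Ethernet and IPv4 headers, skips non-IP frames such as ARP, and steps over a single 802.1Q tag, which matters when, as the answer suggests, you mirror a whole VLAN. The capture it reads is constructed inline with placeholder addresses; pcapng files are not handled.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst, payload_len, vlan_id=None):
    """Build a minimal Ethernet/IPv4 frame with a zero-filled payload (constructed test data)."""
    mac_hdr = b"\x02" * 6 + b"\x02" * 6  # placeholder destination and source MACs
    if vlan_id is not None:
        mac_hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    mac_hdr += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (UDP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return mac_hdr + ip_hdr + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap image (global header + per-packet records)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_ipv4_endpoints(frame):
    """Return (src_ip, dst_ip) for an IPv4 frame, or None for anything else.
    Handles one 802.1Q VLAN tag between the MAC header and the IP header."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    ip_off = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        ip_off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ip_off + 20:
        return None
    if frame[ip_off] >> 4 != 4:
        return None
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    return src, dst


def endpoint_stats(pcap_bytes):
    """Per-IP tx/rx packet and byte counts, the same tally as Statistics -> Endpoints -> IP.
    Bytes are counted from the on-the-wire length, so a truncated snaplen does not skew totals."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # usec / nsec timestamps, little-endian
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # same, big-endian
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    if struct.unpack_from(e + "I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(e + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        ends = parse_ipv4_endpoints(frame)
        if ends is None:
            continue  # ARP, IPv6, etc. are not IPv4 endpoints
        src, dst = ends
        stats[src]["tx_pkts"] += 1
        stats[src]["tx_bytes"] += orig_len
        stats[dst]["rx_pkts"] += 1
        stats[dst]["rx_bytes"] += orig_len
    return dict(stats)


def top_talkers(stats, n=5):
    """Rows of (ip, total_bytes, tx_bytes, rx_bytes, packets), heaviest first."""
    rows = [(ip, s["tx_bytes"] + s["rx_bytes"], s["tx_bytes"], s["rx_bytes"],
             s["tx_pkts"] + s["rx_pkts"]) for ip, s in stats.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows[:n]


# Constructed capture: one host streaming large frames, a small exchange, a tagged frame, an ARP.
SAMPLE_FRAMES = [
    ipv4_frame("10.0.0.5", "10.0.0.9", 1400),
    ipv4_frame("10.0.0.5", "10.0.0.9", 1400),
    ipv4_frame("10.0.0.5", "10.0.0.9", 1400),
    ipv4_frame("10.0.0.7", "10.0.0.1", 40),
    ipv4_frame("10.0.0.1", "10.0.0.7", 20),
    ipv4_frame("192.168.1.20", "10.0.0.5", 100, vlan_id=30),
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP request, ignored
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for ip, total, tx, rx, pkts in top_talkers(endpoint_stats(SAMPLE_PCAP)):
        print(f"{ip:16} total={total:7d} tx={tx:7d} rx={rx:7d} pkts={pkts}")
```

To run it on a real capture, replace SAMPLE_PCAP with the contents of a file saved from Wireshark in pcap (not pcapng) format; the ordering by total bytes, then by bytes sent, matches how you would sort the Endpoints window to find the host that is generating the load rather than merely receiving it.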


question asked: 11 Oct '11, 13:11

question was seen: 23,467 times

last updated: 11 Oct '11, 14:29
