On our network, we noticed a spike in network utilization on a specific date at a specific time. Ever since then the network utilization is extremely high. I want to sniff the network and determine what IP addresses are generating all of the activity. How do I do that?
asked 11 Oct '11, 13:11
For me, a good start is always a look at the network topology. You do have a recent topology, don't you?
If you notice a peak in the utilization you either want to record traffic at a choke point, like a router or a firewall; or you capture traffic for a whole network segment.
If you capture traffic at a choke point you need to mirror the traffic from the choke point to an analysis port. Unless you have a low-end switch the switch manual/website should explain how to do this. Look for SPAN ports, analysis ports or monitor ports. If you have an unmanaged switch check out the Dualcomm portable tap.
Capturing traffic for "the whole segment" can be very difficult, if it spans over several switches. If you can focus on one switch you might get away with mirroring a whole VLAN.
Once the mirror port is defined install and fire up Wireshark. I prefer using a dedicated device for Wireshark and try not to install Wireshark on a server. To avoid any interference from my analysis device I disable all bindings, esp. IP.
The rest is easy: Capture away until you have your spike recorded. Statistics -> Endpoints -> IP reveals your top talkers and listeners.
Be sure to try Statistics -> IO-Graphs to visualize the spike.
answered 11 Oct '11, 14:29
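As an added example (not part of the answer above), this Python script computes the same per-address byte counts that Wireshark shows under Statistics -> Endpoints -> IP, by parsing a classic pcap file directly. The capture it reads is constructed inline (addresses 10.0.0.x are made up), and the function names are this example's own.

```python
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800  # EtherType for IPv4

def build_pcap(frames):
    """Constructed test input: wrap raw Ethernet frames in a classic (libpcap) file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def ipv4_frame(src, dst, payload_len):
    """Constructed test input: Ethernet + bare IPv4 header (proto 17, checksum 0) and dummy payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xff" * 6 + b"\xaa" * 6 + struct.pack("!H", ETH_IPV4) + ip + b"\x00" * payload_len

def endpoint_stats(pcap):
    """Return {ip: (tx_bytes, rx_bytes)} for every IPv4 endpoint, counting whole frame lengths."""
    if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"  # little-endian writer (the usual case on x86 hosts)
    elif pcap[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled by this example)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    stats = defaultdict(lambda: [0, 0])
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue  # ARP, IPv6, VLAN-tagged frames etc. are skipped in this example
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        stats[src][0] += len(frame)  # bytes this address sent
        stats[dst][1] += len(frame)  # bytes this address received
    return {ip: tuple(v) for ip, v in stats.items()}

def top_talkers(stats, n=5):
    """Rank endpoints by tx + rx bytes, like sorting the Endpoints table on its Bytes column."""
    return sorted(stats.items(), key=lambda kv: sum(kv[1]), reverse=True)[:n]

# Constructed sample: one host pushing three 1000-byte datagrams at the gateway.
SAMPLE_PCAP = build_pcap([(1318334400 + i, f) for i, f in enumerate(
    [ipv4_frame("10.0.0.5", "10.0.0.1", 1000)] * 3
    + [ipv4_frame("10.0.0.1", "10.0.0.5", 100), ipv4_frame("10.0.0.7", "10.0.0.1", 50)])])
```

On a real capture from the mirror port, call `top_talkers(endpoint_stats(open("spike.pcap", "rb").read()))`; save from Wireshark in pcap (not pcapng) format first.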