  1. #1
    Registered
    Join Date
    Jul 2003
    Location
    vancouver
    Posts
    23

    how to diagnose abnormal network usage? (long post)

    I'm helping a small office with a server and 4 computers; they have been over their network usage for the 3rd month now. However, we can't find why the usage suddenly got so high in the last 3 months. Here is some data:

    month of dec: daily usage was between 30mb to 90mb
    08 jan: same as dec, 30mb to 90mb
    08 feb: starting feb 6th, daily usage went up to about 300-500mb per day, all the way up to now.

    Even on days with only 1 employer (the manager himself) the usage was about 400mb and he only checks email. I've checked that all 4 PCs are clean of spyware and viruses, with no download programs and no games installed. I even installed Netlimiter to track the usage on all PCs but the number is very low. Has anyone ever come across this kind of problem? Also, the ISP says 90% of the usage was download and very little upload. I don't see any unusual services running on the server either, but the usage is still very high. Does anyone have any suggestions on what to do?

  2. #2
    Just Another Retired Moderator Jon's Avatar
    Join Date
    Dec 2000
    Location
    Lawrenceville, GA
    Posts
    6,884
    You could use something like Network Probe to monitor all your traffic. They have a trial available, although I'm not quite sure what the limitations are. I've used the full version and it works very well.

    There are also free utilities like WireShark/Ethereal, which can be used to capture everything on any interface you have.

  3. #3
    Member ratbuddy's Avatar
    Join Date
    Aug 2007
    Location
    Hartford, CT
    Posts
    8,751
    Is there a wireless router somewhere in the mix?

  4. #4
    Registered
    Join Date
    Jul 2003
    Location
    vancouver
    Posts
    23
    to ratbuddy: no there is no wireless router. just the main switch, very simple network.

    to Jon: I will give that a try. Do you know if that just needs to be installed on the server, or on the server + all PCs? Also, if I log off the server administrator, will it still run in the background? The problem I had with Netlimiter is that if I log in remotely to check and log off after, it won't be running anymore, so I have to leave the administrator logged on.

    PS: thanks for the quick reply, guys

  5. #5
    Just Another Retired Moderator Jon's Avatar
    Join Date
    Dec 2000
    Location
    Lawrenceville, GA
    Posts
    6,884
    Wireshark is for traffic capturing and can be on any system that has access to a port on your network. You set it to target the port and it will capture promiscuously. Downside is that the more traffic there is, the more you have to sift through and the capture files can get quite large. It's not something you want to run more than a few hours (during which times your bandwidth is at peak usage). You will also need to know how to analyze this captured data, although if it's something obvious, it shouldn't be hard to sift out.

    Net Probe is easier and can run all the time, but as I said before, I don't know what their trial is like. I'm sure there are many other free ones available, just try a few and see what works. If you want something to run in the background, then you're going to have to limit your search to network monitoring services. Those might be a little more difficult to find for free.
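
Added example, not part of the original thread or any poster's code: one way to do the "analyze this captured data" step for this particular problem, by totalling the bytes each LAN host downloaded from outside the LAN in a classic libpcap file saved by Wireshark. The 192.168.1.0/24 subnet and the sample packets are assumptions constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed office subnet, not from the thread

def download_bytes_per_host(pcap, lan=LAN):
    """Sum IPv4 bytes each LAN host received from addresses outside the LAN."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    totals, off = Counter(), 24        # records start after the 24-byte header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # truncated frame or not untagged IPv4
        # IP total length stays correct even when only headers were captured.
        ip_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
        if dst in lan and src not in lan:
            totals[str(dst)] += ip_len
    return totals

def sample_pcap():
    """Constructed capture (documentation addresses), headers only."""
    def pkt(src, dst, ip_len):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(frame), 14 + ip_len) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join([
        pkt("203.0.113.10", "192.168.1.10", 1500),  # download to .10
        pkt("203.0.113.10", "192.168.1.10", 1500),  # download to .10
        pkt("203.0.113.20", "192.168.1.23", 600),   # download to .23
        pkt("192.168.1.23", "203.0.113.20", 40),    # upload, not counted
        pkt("192.168.1.10", "192.168.1.23", 1000),  # LAN-internal, not counted
    ])

if __name__ == "__main__":
    for host, n in download_bytes_per_host(sample_pcap()).most_common():
        print(host, n)
```

The totals are IP-layer bytes, so they will read slightly lower than an ISP meter that counts link overhead; the ranking of hosts is what identifies the machine to look at.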

  6. #6
    Member CGR's Avatar
    Join Date
    Jan 2001
    Location
    Lower NY
    Posts
    5,641
    If the switch is managed you should be able to see what ports have the most traffic to help identify what device is doing the downloading.


  7. #7
    Registered
    Join Date
    Jul 2003
    Location
    vancouver
    Posts
    23
    Well, I checked the WRT54G router that acts as the firewall just before going to the ISP modem. I checked the log file in the WRT54G and don't see any special or unusual IPs. At first the ISP suggested maybe someone was constantly watching YouTube while at work, but I only see a YouTube address popping up once in the whole week, so that's not it either. Strangely, the usage went down to 148 just the day before yesterday and 98 yesterday. Again, I have no idea why it just suddenly went down...

  8. #8
    Member TempliNocturnus's Avatar
    Join Date
    May 2006
    Location
    Where angels carry savage weapons
    Posts
    1,178
    Quote Originally Posted by Jon View Post
    Wireshark is for traffic capturing and can be on any system that has access to a port on your network. You set it to target the port and it will capture promiscuously. Downside is that the more traffic there is, the more you have to sift through and the capture files can get quite large. It's not something you want to run more than a few hours (during which times your bandwidth is at peak usage). You will also need to know how to analyze this captured data, although if it's something obvious, it shouldn't be hard to sift out.

    Net Probe is easier and can run all the time, but as I said before, I don't know what their trial is like. I'm sure there are many other free ones available, just try a few and see what works. If you want something to run in the background, then you're going to have to limit your search to network monitoring services. Those might be a little more difficult to find for free.
    If I'm not mistaken, if you use a program like Wireshark or Ethereal on a computer on a switch, you're only going to capture broadcasts and inbound traffic on that port. You'll need a hub on the switch's uplink to the router if you want to capture all traffic.

  9. #9
    Blank Senior Member El<(')>Maxi's Avatar
    Join Date
    May 2003
    Location
    Seattle
    Posts
    7,035
    Windows Update is a possibility. Many offices use WSUS for this very reason.

  10. #10
    Registered
    Join Date
    Jul 2003
    Location
    vancouver
    Posts
    23
    Maxi! I'm gonna try disabling Windows Update on all client machines and the server and monitor for a few days!! Thanks!!

  11. #11
    gangaskan's Avatar
    Join Date
    Dec 2003
    Location
    Lorain, ohio
    Posts
    3,135
    But to do it every day for how long? Kinda iffy that it's updates to me. I'm not leaving it out, but most people do them at 3AM; I usually do them at work because no one is there.

  12. #12
    Member CGR's Avatar
    Join Date
    Jan 2001
    Location
    Lower NY
    Posts
    5,641
    Quote Originally Posted by TempliNocturnus View Post
    If I'm not mistaken, if you use a program like Wireshark or Ethereal on a computer on a switch, you're only going to capture broadcasts and inbound traffic on that port. You'll need a hub on the switch's uplink to the router if you want to capture all traffic.
    Managed switches usually allow you to set up a monitoring port, which has all traffic sent to it for just this purpose. You only get it on higher-level switches, though.

