Thread: identifying network hogs on corporate LAN?

  1. #1
    Social Worker
    Join Date
    Sep 2002
    Location
    San Francisco Previous Username: ciparis
    Posts
    4,887

    identifying network hogs on corporate LAN?

    Is there an available utility that can sit on a machine on the network and snitch on _other_ machines' network usage?

    We shouldn't be using close to our capacity, but we are. I need to figure out what machine is doing it, preferably without using a special router.

    Half of our machines are connected to a Linksys wifi router, and the other half are hooked to an Airport Extreme. Both of those connect to our ADSL2 connection through a cheap gigabit switch. I can put a machine on that physical switch if need be (mac or pc).

  2. #2
    Still king of lost New Romantic
    Join Date
    Oct 2006
    Location
    Charlotte, NC
    Posts
    8,106
    There are many answers to this question; the unfortunate part is that without a network item that supports the information you need, there isn't much you can do.

    Some options from low tech to high tech:
    Low -
    - Monitor the network ports for which PC has the most use.
    - Hopefully use the firmware on the wifi points to get the same data.

    Medium -
    - Implement something on each machine that can monitor bandwidth but report back to a server. There are a number of these, available at multiple prices, search for Lan Network Monitor
    - Implement a proxy server, even a free one like squid.

    High -
    - Implement a content filtering server, there are many.
    - Set up netflow or another network monitoring solution. This can sometimes be done on lower cost network hardware, but not usually. Scrutinizer offers a free limited version of a Netflow server.

    What router do you have handling your ADSL connection? Is it from your service provider or are you able to monitor traffic from there? And is that a managed or unmanaged switch?

  3. #3
    Social Worker
    Join Date
    Sep 2002
    Location
    San Francisco Previous Username: ciparis
    Posts
    4,887
    I was wrong about the switch: it's just the built-in gigabit ports on the Airport Extreme. Connected to one of these is the Linksys WRT-160N v2. The Airport's uplink is plugged into the DSL modem.

  4. #4
    World's End Supernova
    Join Date
    Mar 2006
    Location
    Raleigh, NC
    Posts
    17,033
    Unplug one cable at a time in the server room and see when the bandwidth usage drops? :)

  5. #5
    Still king of lost New Romantic
    Join Date
    Oct 2006
    Location
    Charlotte, NC
    Posts
    8,106
    Quote (originally posted by EpicBoy):
    Unplug one cable at a time in the server room and see when the bandwidth usage drops? :)
    I approve of this message. Also each time you unplug one, give a diabolical laugh that can be heard throughout the office and exclaim, "I've found the user who's screwing around instead of working!"

    The problem will then solve itself.

    You could also hint generally that all web traffic is now being monitored, regardless of the truth of the statement. To keep them on their toes you can casually ask questions like, "hey were you shopping online earlier?" If they say no just mention you probably confused them with someone else in the log.

  6. #6
    Social Worker
    Join Date
    Sep 2002
    Location
    San Francisco Previous Username: ciparis
    Posts
    4,887
    Oh, I wonder if the fact that everyone is on wireless could provide another angle for traffic-snooping. I should have titled the thread "corporate wifi" I think.

  7. #7
    New Romantic
    Join Date
    May 2006
    Location
    San Diego, CA
    Posts
    9,060
    If everyone is on wireless maybe that's why it is so slow, wireless doesn't scale worth shit, especially not if you're in an office building with 25 other companies also using wireless, all probably on channel 6.

    FWIW, wifi snooping is generally a lot easier than wired snooping these days now that most wired connections are directly switched. Exactly how you'd snoop this is extremely variable based on your computer/OS/wireless network card/etc, though.

  8. #8
    New Romantic
    Join Date
    Oct 2002
    Location
    ORA-01013 user requested cancel of current operation
    Posts
    8,089
    Quote (originally posted by Skipper):
    You could also hint generally that all web traffic is now being monitored, regardless of the truth of the statement. To keep them on their toes you can casually ask questions like, "hey were you shopping online earlier?" If they say no just mention you probably confused them with someone else in the log.
    Ooo, diabolical. I see the network admin force is strong with this one.

  9. #9
    Social Worker
    Join Date
    Sep 2002
    Location
    San Francisco Previous Username: ciparis
    Posts
    4,887
    We have half the network connected to the main wifi router using 5 GHz 802.11n, and the rest on 2.4 GHz 802.11g. The slowdown is universal though. It looks like we're saturating the outbound (we're on 15/1 ADSL2). We have the building to ourselves.

    It's about a dozen people altogether.

  10. #10
    World's End Supernova
    Join Date
    Mar 2006
    Location
    Raleigh, NC
    Posts
    17,033
    A dozen people? Can't you just announce that all web traffic is being logged now and call it a day? Watch the bandwidth drop to normal levels within 30 seconds.

  11. #11
    Social Worker
    Join Date
    Sep 2002
    Location
    San Francisco Previous Username: ciparis
    Posts
    4,887
    Some of these people are marketing types who think it's their job to surf.

  12. #12
    How To Go
    Join Date
    Jun 2002
    Location
    Austin, TX. XBOX: Wonginator
    Posts
    12,393
    You can write IPtable stuff to track usage per ip address. For example:

    1. Install Tomato replacement firmware on your linksys router

    2. Use iptable commands to report back usage per ip address.

    Tomato:
    http://www.polarcloud.com/tomato

    tomato-compatible iptable commands:
    http://www.linksysinfo.org/forums/sh...ad.php?t=52120
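
Added example, not part of the original post and not taken from the linked Tomato thread: one way to do the per-IP accounting suggested in post #12, assuming a hypothetical `ACCT_UP` chain with one targetless rule per LAN address (the 192.168.1.x hosts and counter values are constructed). iptables counters are cumulative, so the script compares two snapshots to get each host's current upload rate.

```shell
#!/bin/sh
# Added example: per-IP upload accounting from iptables counters.
# Assumed router setup (root; chain name and LAN addresses are hypothetical):
#   iptables -N ACCT_UP
#   iptables -I FORWARD -j ACCT_UP
#   iptables -A ACCT_UP -s 192.168.1.10   # one targetless rule per host;
#   iptables -A ACCT_UP -s 192.168.1.11   # such rules count, never filter

# Constructed snapshots of `iptables -L ACCT_UP -nvx`, taken 60 s apart.
snap_t0() {
cat <<'EOF'
Chain ACCT_UP (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    4210     612044            all  --  *      *       192.168.1.10         0.0.0.0/0
  981223 1290331876            all  --  *      *       192.168.1.11         0.0.0.0/0
   15002    9120455            all  --  *      *       192.168.1.12         0.0.0.0/0
EOF
}
snap_t1() {
cat <<'EOF'
Chain ACCT_UP (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    4290     672044            all  --  *      *       192.168.1.10         0.0.0.0/0
  986100 1297531876            all  --  *      *       192.168.1.11         0.0.0.0/0
   15190    9300455            all  --  *      *       192.168.1.12         0.0.0.0/0
EOF
}

# upload_rates BEFORE AFTER SECONDS -> "bytes_per_sec source", largest first.
upload_rates() {
    awk -v secs="$3" '
        $2 !~ /^[0-9]+$/ { next }                 # skip the two header lines
        FNR == NR { before[$(NF-1)] = $2; next }  # first file: remember totals
        {
            delta = $2 - before[$(NF-1)]
            if (delta < 0) delta = $2             # counters were reset in between
            printf "%d %s\n", delta / secs, $(NF-1)
        }' "$1" "$2" | sort -rn
}

# Run the comparison on the constructed snapshots.
demo() {
    d=$(mktemp -d) || return 1
    snap_t0 > "$d/t0"; snap_t1 > "$d/t1"
    upload_rates "$d/t0" "$d/t1" 60
    rm -rf "$d"
}
demo
```

On a live router the two inputs would be saved outputs of `iptables -L ACCT_UP -nvx`; in the constructed data the top host uploads 120000 bytes/s, roughly the whole 1 Mbit/s upstream of a 15/1 line.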

  13. #13
    Account closed Social Worker
    Join Date
    Jun 2002
    Location
    Tracking trawlers, one sardine at a time
    Posts
    2,364
    Wireshark (formerly Ethereal) will do it; a little complex to read but you'll get the culprit probably.

  14. #14
    How To Go
    Join Date
    Jun 2002
    Location
    Austin, TX. XBOX: Wonginator
    Posts
    12,393
    If you have administrator rights to everyone's computer, you can run Netlimiter on every machine in the office, and then audit the internet/LAN usage on each machine individually.

  15. #15
    Account closed Social Worker
    Join Date
    Jun 2002
    Location
    Tracking trawlers, one sardine at a time
    Posts
    2,364
    Also (forgot about this one), if you've got a linux box, you can install Etherape for a nice real-time graphical usage monitor.

  16. #16
    Goodluck!!
    Join Date
    Jun 2006
    Location
    Phoenix, AZ
    Posts
    136
    This may or may not qualify as "special", but you can turn an extra PC (very low min hardware requirements) into a high-security router with Smoothwall:

    http://www.smoothwall.org/

  17. #17
    World's End Supernova
    Join Date
    Dec 2004
    Posts
    17,166
    We did this in college back in the day. We had a floor sharing a really fast connection and someone was bogging the whole thing down. We simply used a program to see which internal IP was making the most outbound requests. Although we couldn't see exact usage numbers, we eventually tracked down some fatass that wasn't limiting his torrent upload speeds.

    edit: I'm sorry my anecdote provides no actual solutions, but you would be able to see if someone is torrenting or getting tons of info from, say, YouTube.

  18. #18
    Spinning Toe
    Join Date
    Dec 2005
    Location
    Hawaii
    Posts
    828
    One word of advice. Don't run a sniffer on your network unless you got your legal and ethical ducks in a row.

  19. #19
    How To Go
    Join Date
    Jun 2002
    Location
    Austin, TX. XBOX: Wonginator
    Posts
    12,393
    Or, install SVEAsoft firmware on the linksys router. Sveasoft's firmware is r-flow-enabled, and you can use ntop as a flow-collector to read the flow data.

    http://nst.sourceforge.net/nst/docs/user/ch09s02.html
