On 26.08.2005 17:33
wrote
> I've got a router at another location of my company that has been having
> some unexplained activity that I've been asked to investigate. The
> router in question is their border router to their ISP. Throughout the
> night, traffic is pretty much nil except for a period every single
> night from about 4am to 5am, when the inbound traffic suddenly goes to
> about 80% of their bandwidth. This is according to the ISP provided
> stats page which is run on the serial port on the ISP's side.
>
> I don't really have many formal tools to handle situations like this.
> Usually, I use gathered statistics, ip accounting, and debugging when
> things like this occur in the middle of the day when I'm at my desk.
>
> What can I use to find out what's going on?
>
Connect a Linux box to the switch that the router's ethernet interface is
connected to, SPAN [0] it to the Linux interface and run ntopd
[1] on this interface.
Arnold
[0] http://www.cisco.com/en/US/products/...8015c612.shtml
[1] http://www.ntop.org/
--
Arnold Nipper, AN45
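A minimal version of the top-talkers view that ntop would give you on the mirrored interface, as an added example that is not part of this thread: it parses constructed `tcpdump -nn` lines from the SPAN interface and ranks external senders by payload bytes delivered into the local network (assumed here to be 192.0.2.0/24).

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -i eth1` output from the mirrored (SPAN)
# interface during the 04:00-05:00 window; all addresses are RFC 5737 examples.
SAMPLE_CAPTURE = """\
04:11:02.118233 IP 203.0.113.5.80 > 192.0.2.10.51234: Flags [.], seq 1:1449, ack 1, win 501, length 1448
04:11:02.118901 IP 192.0.2.10.51234 > 203.0.113.5.80: Flags [.], ack 1449, win 2048, length 0
04:11:02.119455 IP 203.0.113.5.80 > 192.0.2.10.51234: Flags [.], seq 1449:2897, ack 1, win 501, length 1448
04:11:02.120013 IP 203.0.113.5.80 > 192.0.2.10.51234: Flags [.], seq 2897:4345, ack 1, win 501, length 1448
04:11:03.004210 IP 198.51.100.7.53 > 192.0.2.10.40000: UDP, length 120
04:11:03.500001 IP 203.0.113.77.4444 > 192.0.2.22.1433: Flags [S], seq 0, win 64240, length 0
"""

# One tcpdump -nn line: timestamp, "IP", src.port > dst.port: ..., length N
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*length (?P<len>\d+)$"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, payload_bytes) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))


def top_talkers(text, local_net="192.0.2.", n=3):
    """Rank external (src, port) pairs by payload bytes sent into local_net.

    Only packets whose destination is local and whose source is not are
    counted, i.e. the inbound direction the ISP stats page showed spiking.
    """
    inbound = defaultdict(int)
    for src, sport, dst, dport, size in parse_capture(text):
        if dst.startswith(local_net) and not src.startswith(local_net):
            inbound[(src, sport)] += size
    return sorted(inbound.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for (src, sport), nbytes in top_talkers(SAMPLE_CAPTURE):
        print(f"{src}:{sport:<6} {nbytes:>8} bytes inbound")
```

Run it against a real capture window with `tcpdump -nn -i eth1 -w -` piped through `tcpdump -nn -r -` (or just redirect the text output to a file) during the 4am-5am spike; the host at the top of the list is where to start asking questions.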