How to find users abusing bandwidth?(pix firewall)

 
 
dogfrndnew@yahoo.com
 
      03-28-2007
I have a PIX firewall (515, I believe) and every day at lunch and again
at the end of the day the Inet slows to a crawl. It is obviously a
user or group of users downloading a chunk of something. We have a
full T1 and during work hours, it functions fine. I would like to get
some software to possibly monitor the firewall and then point out the
heaviest user's IP. I have been playing around with syslogd, but have
not found a good way to cull through the log once it is written out.
I also have tried Sawmill, and while it is a step in the right
direction, it is hard to believe there isn't a more direct way to
figure it out. Any thoughts? I have the powers above ready to buy if
I can find the right piece of software. Thanks for your help.

 
 
 
 
 
Walter Roberson
 
      03-28-2007
In article < .com>,
<> wrote:
>I have a pix firewall(515 I believe) and every day at lunch and again
>at the end of the day the Inet slows to a crawl. It is obviously a
>user or group of users downloading a chunk of something. We have a
>full T1 and during work hours, it functions fine. I would like to get
>some software to possibly monitor the firewall and then point out the
>heaviest user's IP. I have been playing around with syslogd, but have
>not found a good way to cull through the log once it is written out.
>I also have tried sawmill, and while it is a step in the right
>direction, it is hard to believe there isn't a more direct way to
>figure it out.


There isn't a more direct way, at least not with PIX 6. (I'm not
familiar enough with PIX 7.)

> Any thoughts? I have the powers above ready to buy if
>I can find the right piece of software. thanks for your help.


There isn't really a lot of variety to choose from for PIX event
analysis. I had to write my own analysis software. There used
to be a commercial product, but it wasn't fast enough or flexible
enough for my needs... and now that product is no longer available
anyhow.

I supplied a simple Perl program that might be good -enough- for
your purposes; see
http://groups.google.ca/group/comp.d...ddb0b6234c1e48
 
Reply With Quote
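An added example, not part of the thread and not the Perl program linked above: one way to cull a PIX syslog file for the heaviest inside host, by summing the byte counts on connection teardown records. It assumes the firewall logs at informational level in the 302014/302016 teardown format and that the LAN interface is named `inside`; the sample lines, the hostname `fw` and the function name `top_talkers` are constructed for illustration.

```python
import re
from collections import Counter

# Teardown records (302014 = TCP, 302016 = UDP) carry the total bytes moved
# over the connection. Assumed format:
#   Teardown TCP connection N for IF:IP/PORT to IF:IP/PORT duration H:MM:SS bytes N
TEARDOWN = re.compile(
    r"%PIX-6-30201[46]: Teardown (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/\d+ "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \d+:\d\d:\d\d bytes (?P<bytes>\d+)"
)

# Constructed sample input (documentation address ranges for the outside hosts).
SAMPLE = """\
Mar 28 12:01:10 fw %PIX-6-302013: Built outbound TCP connection 5001 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.50/3456 (203.0.113.2/3456)
Mar 28 12:04:42 fw %PIX-6-302014: Teardown TCP connection 5001 for outside:198.51.100.7/80 to inside:192.168.1.50/3456 duration 0:03:32 bytes 48211234 TCP FINs
Mar 28 12:05:01 fw %PIX-6-302016: Teardown UDP connection 5002 for outside:198.51.100.9/53 to inside:192.168.1.21/1031 duration 0:00:01 bytes 212
Mar 28 12:09:15 fw %PIX-6-302014: Teardown TCP connection 5003 for outside:198.51.100.7/80 to inside:192.168.1.50/3460 duration 0:04:01 bytes 51000000 TCP FINs
Mar 28 12:10:30 fw %PIX-6-302014: Teardown TCP connection 5004 for outside:203.0.113.80/443 to inside:192.168.1.33/2210 duration 0:00:12 bytes 90412 TCP Reset-I
""".splitlines()


def top_talkers(lines, inside_if="inside", limit=10):
    """Return ([(inside_ip, total_bytes), ...] sorted descending, skipped_line_count)."""
    totals = Counter()
    skipped = 0
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            skipped += 1          # not a teardown record (e.g. a "Built" line)
            continue
        if m["if_a"] == inside_if:
            host = m["ip_a"]
        elif m["if_b"] == inside_if:
            host = m["ip_b"]
        else:
            skipped += 1          # connection did not involve the inside interface
            continue
        totals[host] += int(m["bytes"])
    return totals.most_common(limit), skipped


if __name__ == "__main__":
    ranking, skipped = top_talkers(SAMPLE)
    for ip, nbytes in ranking:
        print(f"{ip:15s} {nbytes / 1e6:10.2f} MB")
    print(f"{skipped} line(s) ignored")
```

The byte count is only logged when a connection closes, so a long download shows up at its end time rather than while it is saturating the link.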
 
 
 
 
Scott Townsend
 
      03-28-2007
When we find our network is crawling I hook up the Ethernet cable from the
router that connects to the internet to an old-style hub (not a switch) and
then a PC and the rest of the network on the same hub, then on the PC run an
IP packet grabber on it. We use EtherPeek from WildPackets. It will show you
traffic and show you who is the biggest bandwidth or packet hog. EtherPeek
is great with all its charts and graphs, though you can run MS's Network
Monitor to look at the traffic. You have to click the enable conversations
on the start page. I have not found a way to give Conversation stats. Just
shows you the packets. If there is just one person generating the traffic
(in our case there was someone streaming video), it would be pretty obvious.

Scott<-


 
Scott Townsend
 
      03-29-2007
Just downloaded a copy of Ethereal (GNU) and it has great Conversation
Statistics.
http://www.ethereal.com/