PIX monitoring

Discussion in 'Cisco' started by Peter Lecki, Feb 16, 2006.

  1. Peter Lecki

    I recently had a user upload massive files from the office here to an
    FTP server on the net, and since there was no limitation of bandwidth
    at either endpoint, he inadvertently consumed all of our T1 bandwidth
    with this transfer. While this was happening, I was trying to figure
    out where all this traffic was coming from; I could see it going out
    but did not know how to find which particular node was the culprit. I
    do have a syslog in place, but the raw reports from it were not of
    much help. I typically use this with filters for troubleshooting
    purposes, but how can you filter for something if you don't know what
    it is that you're looking for? After a couple of hours, I finally
    found who it was just by walking around the building, but I
    obviously need a better mechanism to figure this out a lot quicker.
    I have just purchased a tool that parses and analyzes syslog files and
    generates reports based on info found there, but what do people do
    without a tool like this, and what if you want to see it in real time?
    Is there any type of monitoring on the PIX itself or other tools that
    would assist in this? I did take a look at the various graphs and
    such in the PDM, but nothing there identifies the addresses of
    connection endpoints, only number of connections, bandwidth
    consumption, etc.

    Thanks,
    -Peter
    Peter Lecki, Feb 16, 2006
    #1

  2. Merv

    What does the PIX connect to on its inside interface ?
    Merv, Feb 16, 2006
    #2

  3. Peter Lecki

    A LAN switch.


    On 16 Feb 2006 15:57:22 -0800, "Merv" <> wrote:

    >What does the PIX connect to on its inside interface ?
    Peter Lecki, Feb 17, 2006
    #3
  4. BSD Johnson

    "Peter Lecki" <> wrote in message
    news:...
    >I recently had a user upload massive files from the office here to an
    > FTP server on the net and since there was no limitation of bandwidth
    > at either endpoint, he inadvertently consumed all of our T1 bandwidth
    > with this transfer. While this was happening, I was trying to figure
    > out where all this traffic was coming from, I could see it going out
    > but did not know how to find which particular node was the culprit. I
    > do have a syslog in place, but the raw reports from it were of not
    > much help, I typically use this with filters for troubleshooting
    > purposes, but how can you filter for something if you don't know what
    > it is that you're looking for. After a couple of hours, I finally
    > found who it was just by walking around the building, but I'm
    > obviously needing a better mechanism to figure this out a lot quicker.
    > I have just purchased a tool that parses and analyzes syslog files and
    > generates reports based on info found there, but what do people do
    > without a tool like this, and what if you want to see it in real time?
    > Is there any type of monitoring on the PIX itself or other tools that
    > would assist in this? I did take a look at the various graphs and
    > such in the PDM, but nothing there identifies the addresses of
    > connection endpoints, only number of connections, bandwidth
    > consumption, etc.
    >
    > Thanks,
    > -Peter


    You can configure SPAN on one of the switch ports to send a copy of all PIX
    traffic to that port. Hook up a machine and either run Ethereal (look for
    the top talkers) or run nTop. Both should work nicely.

    http://www.ethereal.com/
    http://www.ntop.org/
    BSD Johnson, Feb 17, 2006
    #4
  5. Walter Roberson

    In article <>,
    Peter Lecki <> wrote:
    :I recently had a user upload massive files from the office here to an
    :FTP server on the net and since there was no limitation of bandwidth
    :at either endpoint, he inadvertently consumed all of our T1 bandwidth
    :with this transfer. While this was happening, I was trying to figure
    :out where all this traffic was coming from, I could see it going out
    :but did not know how to find which particular node was the culprit.

    :Is there any type of monitoring on the PIX itself or other tools that
    :would assist in this? I did take a look at the various graphs and
    :such in the PDM, but nothing there identifies the addresses of
    :connection endpoints, only number of connections, bandwidth
    :consumption, etc.

    PDM implies PIX 6.x. There are no statistics or messages available
    in PIX 6.x that allow one to see connection traffic for -current-
    connections (unless perhaps something in "show local-host detail";
    I haven't looked at that in a while.)

    If you knew ahead of time that this might happen, then the "log"
    keyword on an ACL entry would trigger periodic IOS-style traffic
    syslog messages. Unfortunately, changes to an ACL only apply
    to new flows, so you can't retroactively edit in a "log" modifier
    to an ACL and hope to gain anything from it.


    What you can do in PIX 6.2 or later is use "capture" to grab some
    of the data packets; then "show capture" to find out which system
    the traffic is with. Capture against the inside interface to
    see the interior IPs -- if you capture against the outside
    interface, it would be the translated IPs that you would see.
    Walter Roberson, Feb 17, 2006
    #5
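The capture approach from the reply above, written out as an added example (PIX 6.2+ syntax; this is not the poster's configuration). The ACL name "cap-all", the capture name "cap-inside", the interface name "inside" and the TFTP server address 192.0.2.50 are assumptions.

```cisco
! Added example, not from the thread.  Names and the TFTP address are assumed.
!
! Match everything: when you do not yet know what you are looking for,
! do not narrow the ACL.  Keep only the first 96 bytes of each packet so
! the buffer holds headers for many packets rather than payload for a few.
access-list cap-all permit ip any any
capture cap-inside access-list cap-all interface inside buffer 1000000 packet-length 96
!
! Let it run for a short while, then list what was caught.  On the inside
! interface the addresses are the real interior ones, so the address that
! dominates the output is the host to go and find.
show capture cap-inside
!
! Optional: pull the buffer off the box as a pcap for Ethereal or ntop.
copy capture:cap-inside tftp://192.0.2.50/cap-inside.pcap pcap
!
! Stop capturing and release the buffer when done.
no capture cap-inside
```

A one-megabyte buffer of 96-byte slices holds roughly ten thousand packets, which on a saturated T1 is well over a minute of traffic. Note that "show capture" lists packets rather than per-host counters, so on a busy link the listing is something to eyeball for the dominant address pair, or to copy to a workstation and sort there; once the protocol is known (here FTP), the ACL can be narrowed to it.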
  6. kmet

    Peter Lecki wrote:
    > I recently had a user upload massive files from the office here to an
    > FTP server on the net and since there was no limitation of bandwidth
    > at either endpoint, he inadvertently consumed all of our T1 bandwidth
    > with this transfer. While this was happening, I was trying to figure
    > out where all this traffic was coming from, I could see it going out
    > but did not know how to find which particular node was the culprit.


    I had the same problem,
    Walter Roberson wrote a script for this:
    http://groups.google.pl/group/comp....8c4e38063ef?tvc=1&q=consumes#2d9638c4e38063ef

    At the moment I use the FireGen PIX log analyzer, but it is not
    "on-line", only "on-demand".

    regards

    Kmet
    kmet, Feb 17, 2006
    #6
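The after-the-fact approach discussed in the original post and in kmet's reply (rank inside hosts by bytes from the PIX syslog), as an added example that is not part of the thread, not Walter Roberson's script and not the FireGen tool. It assumes the PIX 6.3 "Teardown TCP/UDP connection" message layout (302014/302016) and an inside interface named "inside"; the log lines embedded in it are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Rank inside hosts by bytes using PIX connection-teardown syslog lines.

Added example for this thread, not Walter Roberson's script and not the
FireGen tool.  Assumes the PIX 6.3 "Teardown TCP/UDP connection" message
layout and an inside interface named "inside"; the log lines below are
constructed, with addresses from RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Key on the message text rather than the numeric ID (302014/302016 in 6.3,
# 302002/302006 in earlier 6.x) since the teardown layout is the same:
#   ... for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n>
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \d+:\d\d:\d\d bytes (?P<bytes>\d+)"
)

# Constructed sample: one inside host (192.168.1.23) finishing a large FTP
# data transfer, another (192.168.1.44) doing DNS and HTTP, a DMZ host
# sending mail, plus a "Built" and a "Deny" line that must be ignored.
SAMPLE_LOG = """\
Feb 16 14:02:11 pix %PIX-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/21 to inside:192.168.1.23/3472 duration 0:00:05 bytes 1843 TCP FINs
Feb 16 14:05:41 pix %PIX-6-302014: Teardown TCP connection 102 for outside:203.0.113.10/20 to inside:192.168.1.23/3473 duration 0:03:10 bytes 734003200 TCP FINs
Feb 16 14:06:02 pix %PIX-6-302016: Teardown UDP connection 103 for outside:198.51.100.5/53 to inside:192.168.1.44/1025 duration 0:00:01 bytes 412
Feb 16 14:06:30 pix %PIX-6-302014: Teardown TCP connection 104 for outside:198.51.100.80/80 to inside:192.168.1.44/1026 duration 0:00:12 bytes 52210 TCP FINs
Feb 16 14:07:00 pix %PIX-6-302014: Teardown TCP connection 105 for outside:198.51.100.25/25 to dmz:172.16.5.2/1040 duration 0:00:03 bytes 9000 TCP FINs
Feb 16 14:07:12 pix %PIX-6-302013: Built outbound TCP connection 106 for outside:203.0.113.10/21 (203.0.113.10/21) to inside:192.168.1.23/3474 (192.0.2.1/3474)
Feb 16 14:07:30 pix %PIX-6-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.168.1.1/23 by access-group "acl_out"
"""


def parse_teardowns(lines):
    """Yield (if_a, ip_a, if_b, ip_b, nbytes) for each teardown message."""
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m:
            yield m["if_a"], m["ip_a"], m["if_b"], m["ip_b"], int(m["bytes"])


def top_talkers(lines, inside_if="inside", n=5):
    """Hosts on inside_if ranked by total bytes, as [(ip, bytes), ...].

    The interface tag decides which end is the interior host, so the
    function does not need to know which address is the translated one.
    Byte counts in the teardown message cover both directions.
    """
    totals = defaultdict(int)
    for if_a, ip_a, if_b, ip_b, nbytes in parse_teardowns(lines):
        if if_a == inside_if:
            totals[ip_a] += nbytes
        elif if_b == inside_if:
            totals[ip_b] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def peers_of(lines, host):
    """Bytes per remote address for one host: where did the traffic go?"""
    peers = defaultdict(int)
    for _, ip_a, _, ip_b, nbytes in parse_teardowns(lines):
        if ip_a == host:
            peers[ip_b] += nbytes
        elif ip_b == host:
            peers[ip_a] += nbytes
    return dict(peers)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, nbytes in top_talkers(lines):
        print(f"{ip:16} {nbytes:>12} bytes  peers={peers_of(lines, ip)}")
```

Feed it the syslog file (or pipe the syslog daemon's output into it) and the ranking falls out without knowing in advance which host or protocol to filter on. Two caveats: the teardown message is written only when the connection closes, so a long-lived FTP data connection does not appear until the transfer is over, which is why this is an after-the-fact view and not the real-time one asked for; and the byte count is for both directions, so upload and download are not separated.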
