3

I sometimes help a small office with a few issues. About two months ago, they were complaining of poor internet performance. Long story short, I found one person running Carbonite on a Mac that was pushing 2mb uploads all day. Shut down Carbonite and the problem -- which I saw as a 2mb consumption in a traffic graphic -- disappeared. I adjusted that user's Carbonite so that it would consume as much bandwidth as it could. (I forget the name of the setting.)

In that case, I went on-site and turned off everything until I found the problem workstation.

I think the problem is occurring again; indeed, there is now a 2mb consumption hum in the traffic graph. I'd like to be a lot smarter about figuring out what's happening.

How would you approach identifying the workstation responsible?

(FWIW: Unless something has changed, Carbonite will not release enough information that would allow me to throttle those connections. Search Google and you'll see a whole lotta complainin' about this.)

Cheers,

Mike

tcv
  • I'd check the switch. – HopelessN00b Jan 02 '13 at 20:47
  • @HopelessN00b a switch would rarely know - that only gets a problem on the uplink router. The switch is likely perfectly happy with hundreds of megabits traffic. The 2mbit transfer does not show up with the heavy internal traffic. Heck, I most of the time do more with remote desktops to servers and incoming and outgoing copy streams. – TomTom Jan 02 '13 at 20:49
  • @TomTom Lovely and all, but by checking the switch, you'd be able to determine which port is utilizing all the bandwidth and correlate that with the device plugged into it. Certainly cleaner and more likely to be effective than relying on `ping -a`. :/ – HopelessN00b Jan 02 '13 at 21:05
  • What is the make and model of the router that connects this network to the Internet? – David Schwartz Jan 02 '13 at 21:34
  • @HopelessN00b Yes, you get a ton of useless information. The switch shows all traffic of the machine, but no serious analysis. So, you correlate "2 mbit to the internet from somewhere" with "hundreds of megabit running across the network"? You can rather take the future from a crystal ball. – TomTom Jan 02 '13 at 21:45
  • @TomTom You're seriously inflating the problem and the size of the network here. If he solved this the last time by turning off machines until he found the problem, this isn't a huge environment. This is an environment where the 2MB of traffic choking off the internet pipe is going to stand out. – HopelessN00b Jan 02 '13 at 21:51
  • @DavidSchwartz It's a Fortigate 30B. – tcv Jan 02 '13 at 21:52
  • @TomTom - It's a TINY environment. Perhaps eight total workstations, most of them laptops, all of them BYO(f'ing)D. – tcv Jan 02 '13 at 21:53
  • From the main dashboard, there's 'top connections by source address' on the bottom right. – David Schwartz Jan 02 '13 at 21:57
  • @DavidSchwartz Are you referring to "Top SESSIONS By Source Address?" Yes, I looked at that earlier. I put one of the IPs in jail (so to speak) for a bit to see if the 2mb hum decreased, but that didn't happen. The hum disappeared sometime later. I have PRTG (Free) monitoring the FGT's wan bandwidth. Right now, outbound is 2.4mb. – tcv Jan 02 '13 at 22:08
  • Blocking one IP won't change the bandwidth usage because the software will just give that bandwidth to another connection. You should have looked at the session information to figure out which machine was responsible for the bandwidth usage. – David Schwartz Jan 02 '13 at 22:11
  • "You should have looked at the session information to figure out which machine was responsible for the bandwidth." I'm afraid I don't understand what you mean. Look at the session how? – tcv Jan 02 '13 at 22:13
  • The point of that portion of the web interface, and the "Usage" panel is to allow you to figure out how your bandwidth is being used. – David Schwartz Jan 02 '13 at 22:18
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/6944/discussion-between-tcv-and-david-schwartz) – tcv Jan 02 '13 at 22:18
  • @TomTom nice. That is larger than my 4 workstations in my company at the moment. Well, plus our HPC cluster, but that is isolated. So, do not tell me what is small ;) I beat most of you in this regard. I don't believe in hiring people - I rather have computers work. – TomTom Jan 02 '13 at 22:22

2 Answers

1

Best way to find the device causing the problem would be to use package inspection (-> sources!) at your router.

Also keep in mind that there are many other technical reasons which can cause an enormous slowdown of your network performance, e.g. electrical issues!

And after that: Get somebody who sets up traffic shaping at your location!

Simon Strasser
0

How would you approach identifying the workstation responsible?

After firing the administrator who has not put policies in place to distribute bandwidth equally (a switch on the router / firewall)...

...I just log onto the firewall, look at the current traffic by source IP address (i.e. the internal one) and then do a `ping -a` to find the corresponding machine name.

Not that this is ever possible, because your backbone has 7 traffic priorities and does - within one priority - distribute bandwidth equally if needed (i.e. one cannot block all bandwidth). You can do that transfer of your colleague all day and no one would notice. Not even ping, voip or our financial data streams would realize that.

TomTom
  • I suppose you'd have to fire me. :-( I hear you and think your point is valid. I will open up a support ticket with Fortinet to figure out how to do what you suggest. At the very least it would stanch the flow. – tcv Jan 02 '13 at 21:55
  • No traffic shaping available on this firewall. Wanna come take the job? I'm kidding. There's a lot of history regarding this site that I can't share here. Some of this is my fault. Some of this is not. Of course, everyone says that. ;-) – tcv Jan 02 '13 at 22:18
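
Added example, not part of the original answers or comments: ranking internal hosts by upload rate rather than by session count, then resolving the top address to a name as `ping -a` would. The CSV layout, the `192.168.1.0/24` LAN prefix and all addresses and counters are constructed assumptions, not FortiGate output.

```python
import csv
import io
import ipaddress
import socket
from collections import defaultdict

# Constructed sample: two snapshots of a firewall session table taken 60 s
# apart. The column layout is an assumption, not FortiOS output.
SAMPLE = """ts,src,dst,dport,sent_bytes
0,192.168.1.34,198.51.100.7,443,40000
0,192.168.1.34,198.51.100.9,80,9000
0,192.168.1.21,203.0.113.10,443,500000000
60,192.168.1.34,198.51.100.7,443,70000
60,192.168.1.34,198.51.100.9,80,24000
60,192.168.1.34,198.51.100.12,443,3000
60,192.168.1.21,203.0.113.10,443,518000000
"""

def upload_by_host(text, lan="192.168.1.0/24"):
    """Return {src_ip: (upload_bits_per_sec, session_count)} for LAN hosts."""
    net = ipaddress.ip_network(lan)
    seen = defaultdict(list)            # (src, dst, dport) -> [(ts, bytes)]
    for row in csv.DictReader(io.StringIO(text)):
        if ipaddress.ip_address(row["src"]) in net:
            key = (row["src"], row["dst"], row["dport"])
            seen[key].append((int(row["ts"]), int(row["sent_bytes"])))
    times = [ts for samples in seen.values() for ts, _ in samples]
    span = max(times) - min(times) if times else 0
    bits, sessions = defaultdict(int), defaultdict(int)
    for (src, _, _), samples in seen.items():
        sessions[src] += 1
        counts = [b for _, b in samples]
        # A session seen in only one snapshot has no delta and adds 0.
        bits[src] += (max(counts) - min(counts)) * 8
    return {ip: (bits[ip] / span if span else 0.0, sessions[ip]) for ip in sessions}

def hostname(ip):
    """Reverse lookup, the same question `ping -a` asks; falls back to the IP."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip

if __name__ == "__main__":
    stats = upload_by_host(SAMPLE)
    for ip, (bps, n) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print(f"{hostname(ip):<20} {bps / 1e6:5.2f} Mbit/s  {n} sessions")
```

In the sample, the host with the most sessions uploads about 6 kbit/s, while the host with a single session accounts for the 2.4 Mbit/s.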