5

We use a SonicWall NSA 3500 as our main router. We have a SonicWall Analyzer virtual appliance too that takes information from the NSA 3500 and determines all kinds of stuff, such as bandwidth usage.

We have 2 internet connections from the same ISP. One is cable, and the other is fiber. The fiber connection is the one that we have a 100 GB/mo limit on and have to pay overage charges. From here on out this is only about the fiber connection.

Our ISP and the Analyzer appliance seem to give me different monthly readings, however.

In November, Analyzer reported 118.1 GB of bandwidth usage on our fiber connection. Our ISP's invoice shows we used 505.1 GB.

How can these numbers vary so widely? How can I troubleshoot the cause of this bandwidth usage? In SonicWall Analyzer I'm looking at the whole month of November for the SonicWall interface that has our fiber connection connected to it, and that's when I get 118 GB.

We've already contacted our ISP and they claim that there's nothing wrong with their reading system.

We first started noticing spikes in our usage after I implemented a new backup system that replicates backups over the internet off-site; however, for the past 2 months that's been completely removed from the network while we figure this out. When I say completely removed, I mean I went into the SonicWall and disabled the VPN connection. I also went into the backup software and turned off replication.

Steve

2 Answers

8

Enable Tap mode on your NSA 3500 for the port that your ISP's drop connects into. Pump traffic into a node running tcpdump (or whatever your TCP sniffing tool of choice is on your platform of choice). Now you can analyze that dump. You're not dealing in massive amounts of bandwidth (500GB over a month is nothing) so it should be easy to manage from a technical perspective. From there you've got proof that either your SonicWALL Analyzer is misconfigured and not seeing all traffic, the NSA 3500 itself is somehow not reporting right, or your ISP is shady.

Wesley
  • with tcpdump, how am I to determine the bandwidth usage? I assume the size of the file will match the usage? – Steve Dec 11 '13 at 17:10
  • 3
    @Steve Ehhh, yes, but no. The tcpdump file will need to be handled by an analyzer tool that can inspect the file, give you pretty charts and graphs, and generally enable you to see exactly where your bandwidth is being used. Wiretap, tcpdump's own CLI interface, and OmniPeek are examples of tcpdump analyzers. – Wesley Dec 11 '13 at 17:18
  • Thanks Wesley, however I still cannot find a simple way to interpret the dump data. I can't find Wiretap anywhere, and OmniPeek wants me to sign up or pay for it (am I able to see the bandwidth usage without paying for it?). – Steve Dec 11 '13 at 23:20
  • I also can't find any tap mode settings... – Steve Dec 11 '13 at 23:26
  • 1
    I don't know what you want me to say. #1 There's no "simple" way of interpreting the data, but there are *right* ways that aren't hard in and of themselves. This is srsbiz. #2 I Googled 'wiretap tcpdump' and found it as the first result. #3 I Googled "nsa 3500 tap mode" and found the SonicOS manual on the first page that has plenty of gritty details about it. I believe you need SonicOS enhanced 5.8+. Also, **you might rather use Wire Mode depending on your network topology.** Take a look at the differences before doing anything. Bein' in IT ain't simple, yo. – Wesley Dec 11 '13 at 23:55
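On the question raised in the comments above of whether the size of the tcpdump file equals the bandwidth used: the following is an added example, not code from any poster in this thread. It reads a classic pcap file (the format `tcpdump -w` writes), sums the on-the-wire length recorded for each packet, and totals bytes per remote peer. The WAN address `203.0.113.2`, the peer addresses and the sample capture are constructed for illustration; only Ethernet/IPv4 frames are attributed to a peer, and pcapng is not handled.

```python
import collections
import ipaddress
import struct

def pcap_usage(data, wan_ip="203.0.113.2"):
    """Return (wire_bytes, captured_bytes, bytes per remote peer) for a classic pcap."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    wan = ipaddress.ip_address(wan_ip).packed  # assumed address of the tapped port
    wire = captured = 0
    per_peer = collections.Counter()
    off = 24  # packet records start after the 24-byte global header
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        wire += orig_len      # length the packet had on the wire
        captured += incl_len  # bytes actually stored (limited by the snap length)
        # Ethernet (linktype 1) carrying IPv4: addresses sit at frame bytes 26-33
        if linktype == 1 and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            src, dst = frame[26:30], frame[30:34]
            if wan in (src, dst):
                peer = dst if src == wan else src
                per_peer[str(ipaddress.ip_address(peer))] += orig_len
    return wire, captured, per_peer

def _frame(src, dst, size, snaplen=96):
    """Constructed sample: one pcap record for an IPv4 frame of `size` bytes."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (b"\x45" + b"\x00" * 11 + ipaddress.ip_address(src).packed
          + ipaddress.ip_address(dst).packed)
    full = (eth + ip).ljust(size, b"\x00")
    return struct.pack("<IIII", 0, 0, min(size, snaplen), size) + full[:snaplen]

# Constructed capture taken with a 96-byte snap length: 5 packets, 2 remote peers
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1) + b"".join(
    [_frame("198.51.100.7", "203.0.113.2", 1514)] * 3
    + [_frame("203.0.113.2", "198.51.100.7", 60),
       _frame("192.0.2.50", "203.0.113.2", 1514)])
```

When the capture was taken with a snap length, the stored bytes (and so the file size) are far smaller than the wire total, so the wire total is the figure to compare against other readings. Run it on a real capture with `pcap_usage(open("capture.pcap", "rb").read(), wan_ip=...)`, where the file name is a placeholder.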
0

This issue can be troubleshot with integrated port traffic monitoring, e.g. with the MRTG tool reading SNMP variables for interface packet and byte counters. You can also ask the provider for similar statistics and compare the charts.

Veniamin