Who's using our bandwidth?

Question

I can see from our ISP stats that a large amount of bandwidth is being used throughout the day, I suspect it's someone using our wireless router although I'm not definite. Our PC's all run various types of windows, are there utilities/sniffers that I can use to detect where the bandwidth is going?

you're telling me I should wait for networkloadfault.com? Jeez give me a break already. — MrTelly, May 12 '09 at 13:11
BTW our wireless is secure, it's someone we know who's using the bandwidth, we just don't know who it is, for all we know it's legit anyway we just need to know who to ask, and know I don't think spamming the whole company is the answer. — MrTelly, May 12 '09 at 13:13
It doesn't have to be a server question, it has to be a sysadmin question - which this clearly is. — , May 12 '09 at 13:14
Could you please supply your wireless make and model? It is easier to recommend what you ask if those details are known. — , May 12 '09 at 13:22
Your network setup would be highly useful information for this. I'm not sure if this is a home or office setting but if its a business and your router/firewall/wireless controller supports IPFIX/Netflow data you can see every conversation going through it. — sclarson, May 12 '09 at 20:57

score 15 · Accepted Answer · answered May 12 '09 at 13:15

15

You can install a PC on a hub (or managed switch emulating a hub) with the router, and use Wireshark to capture all the traffic. From here you can get some useful metrics to point you to your bandwidth hogs.

answered May 12 '09 at 13:15

That could be a decently dramatic performance hit on a corporate network. – sclarson Jun 07 '09 at 05:24

score 13 · Answer 2 · answered May 12 '09 at 13:21

13

Adding to Jon B's answer, I have also used ntop to get a good idea of where traffic is going. I downloaded a Virtual Appliance to make it easier to set up.

answered May 12 '09 at 13:21

Joseph

3,787
26
33

Just a warning ntop's logs pile up fast. – reconbot May 12 '09 at 15:56
You could also use ntop to export netflows for logging usage. http://www.ntop.org/netflow.html You can get netflow data Tomato or m0n0wall as well. – sclarson May 13 '09 at 13:44

score 5 · Answer 3 · answered May 12 '09 at 13:25

5

Wireshark (used to be called Ethereal) will tell you everything you want to know.

answered May 12 '09 at 13:25

Gareth

8,413
13
43
44

score 2 · Answer 4 · answered May 12 '09 at 13:20

Can you give us more details about your network setup? I can propose two different approaches:

Depending on the type of wireless device you have, you may be able to use a network management application that uses SNMP to pull down stats from the AP. Most enterprise APs will have a MIB table that tracks the list of associated client, their signal quality, and the number of bytes used. Similarly, your router may have a MIB that tracks traffic by IP address.
You can use a wired traffic sniffer (wireshark, etherpeek) to watch the traffic. Those tools can usually give you a breakdown of traffic by user. You'd have to sniff the traffic before it hits your router (if your router does NAT). You can use a hub (though those are really hard to find these days) or turn on port mirroring on a managed switch. You can also use a wireless sniffer, but if the network is encrypted, you'll just get an idea of the volume of traffic from each user, not where the traffic is destined.

score 2 · Answer 5 · answered May 12 '09 at 13:27

2

Depending on the make and model of the wireless access point/switch you are using, Tomato might be just what you are after. It provides a nice bandwidth monitor, among other things.

Also, a bit costly, but it seems it would do what you want as well.

answered May 12 '09 at 13:27

I love Tomato & have used it for several years but I don't think it does per client bandwidth monitoring. Am I wrong? – Gareth May 13 '09 at 02:33
No quite yet, at that level, indeed. It is coming though. Yet, the current bandwidth monitoring will provide measures and the time associated with it. Pinpointing a specific subset of users should be easier having bandw./time. That's why I originally asked make and model of the wireless AP or switch. Cisco has very nice management and monitoring packages, but those work only with their hardware. – May 13 '09 at 03:57

score 1 · Answer 6 · answered May 12 '09 at 13:09

1

Your router likely has a way to show what clients are connected through it, possibly as DHCP clients. That would identify who is connecting to your wireless router, although it wouldn't necessarily tell you who was using your bandwidth.

answered May 12 '09 at 13:09

Gene Gotimer

2,442
20
16

1

You're right it tells me who, but not how much – MrTelly May 12 '09 at 13:12
And rogue users may not use DHCP at all but simply pick an unused IP address. Better to query the router for its ARP table, this would be more difficult to forge. – bortzmeyer Jun 07 '09 at 21:35

score 1 · Answer 7 · answered May 12 '09 at 15:53

If you aren't already I'd highly recommend a program such as Cacti (which can be used in conjunction with ntop) to grab the traffic stats from your switches (and hopefully your WAPs as well). This can help you pin down when and where the traffic is originating.

Additionally it will also give you a good feel for the flow of traffic - and anomalies in traffic tend to stand out in the graphs a bit more than just browsing logs.

score 1 · Answer 8 · answered May 13 '09 at 02:15

1

If your router supports it, you could turn on netflow monitoring. Flows would show you exactly what you are looking for.

answered May 13 '09 at 02:15

jj33

11,038
1
36
50

vartec · Answer 9 · 2009-05-13T07:43:33.747

0

Most wireless routers log MACs of the connecting WiFi cards, many also allow monitoring who is actually connected. As for sniffing WiFi, the standard tool is Kismet.

"Someone" refers to someone not actually authorized to use it, who's hijacking your signal?

To protect your WiFi you should take following steps:

deter script-kiddies (won't work against experienced work-drivers):
- Turn off your SSID broadcasting
- Limit connection only to given list of MACs
- Limit DHCP only to static MAC -> IP assigments
use WPA2 (with EAP-PSK, use random passphrase).
for real hardcore security, use WPA2 with 802.1X authentication server.

edited May 13 '09 at 07:43

answered May 12 '09 at 15:21

vartec

6,137
2
32
49

MAC spoofing (#2.2 and kinda' #2.3) should NEVER be relied on, and in reality is not worth the time, I've hacked many WIFI networks with it enabled (purely educational I assure you) that had it enabled. Even most script-kiddies know about this cause it's posted all over every WIFI hacking website/forum. Definatly go WPA2 + Radius Server ("802.1X authentication server") this is, from my experience, the only real form of security, WEP & WPA have been beat – Unkwntech May 13 '09 at 02:33
I've "hacked" many WiFi networks by choosing "automatically connect to any available network". True, the WPA2 is the only safe way, but that might be unavailable, because of legacy hardware. A script-kiddie, looking for a free ride will choose unprotected network, rather then even weakly protected one. – vartec May 13 '09 at 07:49

Who's using our bandwidth?

9 Answers9