Can I use my mrtg setup to somehow identify which IPs are eating all my bandwidth? Or is there another tool that I can use to do this against my Cisco PIX?
Thanks!
Asked
Active
Viewed 1,424 times
4 Answers
1
MRTG is great for pulling counters from network interfaces (and temperatures, and CPU usage, and other things, too). If a device doesn't provide an SNMP-accessible counter for what you want to measure, though, MRTG won't be a lot of help.
In the case of a Cisco PIX, no SNMP counters are provided in its MIB for "sessions". The PIX is capable of reporting the setup and take-down of NAT table entries (including the number of bytes moved in the "conversation") via SYSLOG.
A tool that I have no personal experience with, but that looks interesting, is FirePlotter.
I do have some experience with the PIX Logging Architecture open source project, which gets its data from SYSLOG output from PIX / ASA firewalls. Its database schema doesn't capture the bytes transferred from the log entries, though, so you can't do any reporting on bandwidth usage. (It would probably be fairly easy to add, but their database choice, MySQL, turned me off to the idea of helping out with their project...)
Evan Anderson
- 141,071
- 19
- 191
- 328
1
If you want to look at IP bandwidth usage, you might use ntop for smaller installations. I have had problems with ntop scaling, and so I am using a nfsen/nfdump combination to figure out who is doing what. This might be the way to go if your Cisco device can generate netflows.
If you are going to go the snmp route, I encourage you to look into cacti, as it's out-of-the-box abilities are superior to mrtg's, and can be extended more easily.
David Mackintosh
- 14,223
- 6
- 46
- 77
1
If you're running Windows on your NMS or workstation, you can install PRTG and create a packet sniffer sensor. Then create a port monitor on the switch port that the PIX is connected to and mirror the traffic to the port that your NMS or workstation is connected to. The packet sniffer sensor will see all traffic flowing into or out of the PIX and categorize it based on source, destination, traffic type (http, ftp, etc).
joeqwerty
- 108,377
- 6
- 80
- 171
0
Theoretically it could be done with MRTG, but I would use ntop(http://www.ntop.org/). Ntop uses libpcap to inspect packets and not only it graphs per IP usage, but it also shows which protocols use the most bandwidth.
You can use netflow to send data from PIX to ntop(I don't know if PIX supports netflow though) or you can use SPAN on the switch to monitor the port that PIX is connected to.
Vitaliy
- 512
- 3
- 9
-
PIX's don't support Netflow. – Evan Anderson Dec 09 '09 at 15:02
-
It may be worth noting that Cisco recently added NetFlow to the ASA boxes. In my experience, there is a lot of use of the term "PIX", even when referring to newer ASA devices. – ThatGraemeGuy Dec 09 '09 at 15:28