Friday, February 11, 2005

NTOP

I found a really really fun toy yesterday. I noticed early in the day that internet connections to many of the servers we frequently use were very slow. Further research showed ping times to the servers to be averaging around 600 ms. The usual ping times to these servers was around 100 ms previously. In addition ping times across the VPN to our other office were around 400 ms up from around 90 ms.

Clearly something was up. Traceroute information showed me that the congestion began at the first internet hop on the other side of our T1. Prior to that all hops were very responsive, however, since each of those devices is on a 100 MB switched network I concluded that someone internal to our network was overloading the 1.5 MB T1 connection.

I use a Netscreen firewall at the border and brief research showed me that the software running on it was woefully unable to show me who was using our bandwidth. I configured the switch to deliver a copy of all packets to the firewall to our old firewall, a system running Linux. I found a program called NTop. After compiling and installing the program I ran it. Within ten minutes I was able to identify the workstation hogging all our bandwidth. The firewall was by far the largest user of all our bandwidth, which makes sense since all traffic goes through it. The next highest workstation had nearly 75% of all traffic originating from it. NTop indicated that the workstation in question was running file sharing software.

I contacted the user who sheepishly admitted to running a file sharing program. He was politely informed that he was hosing everyone else and it was in violation of company policy to use company resources as he was. He turned the software off and promised to never do it again at work.

Since then I've run NTop all night and throughout the day. I keep checking on it from time to time to see how it's working. It has managed to resolve almost all the workstation names by sniffing the traffic to and from the internet. I'm very impressed by the program. I don't think I'll run it all the time but it was definitely useful yesterday and I can imagine it continuing to be so in the future.
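As an added illustration (not part of the original post, and not NTop's own code) of the top-talker check described above: aggregate mirrored traffic per internal host, set the border firewall aside because every packet crosses it, and flag any host carrying more than a chosen share of the total. The address range, firewall address and packet records are constructed assumptions.

```python
"""Top-talker analysis over mirrored traffic, in the spirit of what NTop reported.
All addresses and packet records below are constructed for illustration."""
from collections import Counter
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
FIREWALL = "192.168.1.1"  # assumed border firewall; excluded since all traffic passes through it

# Constructed packet summary lines, "src dst bytes", as a capture tool might emit them.
SAMPLE = """\
192.168.1.1 203.0.113.10 1500
192.168.1.42 198.51.100.5 1500
192.168.1.42 198.51.100.6 1500
198.51.100.5 192.168.1.42 1500
192.168.1.42 198.51.100.7 1500
192.168.1.7 198.51.100.9 300
198.51.100.9 192.168.1.7 200
"""


def parse(text):
    """Yield (src, dst, bytes) tuples from the summary lines."""
    for line in text.splitlines():
        src, dst, size = line.split()
        yield src, dst, int(size)


def bytes_per_host(records, exclude=(FIREWALL,)):
    """Bytes attributed to each internal host, whether it sent or received the packet."""
    totals = Counter()
    for src, dst, size in records:
        for host in (src, dst):
            if host in exclude:
                continue
            if ipaddress.ip_address(host) in INTERNAL:
                totals[host] += size
    return totals


def top_talkers(text, threshold=0.5):
    """Return hosts ranked by bytes with their share, plus those above the threshold."""
    totals = bytes_per_host(parse(text))
    grand = sum(totals.values())
    if grand == 0:
        return [], []
    ranked = [(host, b, b / grand) for host, b in totals.most_common()]
    hogs = [host for host, _, share in ranked if share >= threshold]
    return ranked, hogs


if __name__ == "__main__":
    for host, b, share in top_talkers(SAMPLE)[0]:
        print(f"{host:16} {b:8d} bytes  {share:6.1%}")
```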
