Friday, August 29, 2008

Cisco SPAN, SNMP and Wireshark

Today I was assigned a task to find out and explain a certain network anomaly we are experiencing in our network. The mission started out as a bandwidth monitoring task against a specific router. This router, however, was owned by a third party, so we didn't have access to it. Simple enough: I started looking at the next hop from that router, the switch port it was connected to, which belonged to the company I was working for. Using a combination of SNMP and a nice graphing/monitoring tool called InterMapper, I was able to obtain a pretty graph of the traffic going in and out of the interface.

Eventually, looking at the graph, we pinpointed the time of day at which we saturated the pipe going out of the router, which was only a fractional T1 at 64K. However, on the graph we spotted some unexplainable traffic spikes occurring every 5 mins. We couldn't explain why such traffic would be going out the interface to this router. This warranted some deeper packet inspection.

Here we used a feature of the Cisco switch called SPAN. SPAN is just another fancy name for port mirroring. Since we didn't want to impact the production network, we simply mirrored the port on the Cisco switch. The commands were easy on our Catalyst 2960G running IOS:

In configuration terminal mode:
monitor session 1 source interface gi0/24
monitor session 1 destination interface gi0/1
! check the session with "do show monitor session 1" and remove it afterwards with "no monitor session 1"
! the destination port only receives the mirrored copies, so the workstation plugged into it has no normal network access while the session is up

The setup was straightforward: specify the source port to monitor and the destination port onto which the copied packets are sent.

After that, plug the destination port into a workstation running Wireshark (formerly Ethereal) and capture the packets! With Wireshark we can sniff whatever traffic is traversing the interface, with some useful statistics and summary reporting.

It turned out to be a strange broadcast on that VLAN, resulting from a faulty application.
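To make that last step concrete, here is an added example (not code from the original post) that reads a classic pcap file as saved by Wireshark and reports the broadcast frames per source MAC together with the spacing between them, which is exactly how a host broadcasting every 5 minutes shows up in a capture; it does the same job as the Wireshark display filter eth.dst == ff:ff:ff:ff:ff:ff plus a look at the timestamps. The sample traffic is constructed for the example, not taken from the incident.

```python
# Added example, not from the original post; the sample traffic below is constructed.
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(frames):
    """Build little-endian pcap data (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    data = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in sorted(frames, key=lambda f: f[0]):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data += PCAP_REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame
    return data

def iter_frames(pcap):
    """Yield (timestamp, frame bytes) for each record in classic pcap data."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # written little-endian (usual on x86)
        rec = PCAP_REC_HDR
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        rec = struct.Struct(">IIII")
    else:
        raise ValueError("not a classic pcap file")
    off = PCAP_GLOBAL_HDR.size
    while off + rec.size <= len(pcap):
        sec, usec, incl, _orig = rec.unpack_from(pcap, off)
        off += rec.size
        yield sec + usec / 1_000_000, pcap[off:off + incl]
        off += incl

def broadcast_report(pcap):
    """Count broadcast frames per source MAC and list the gaps between successive ones."""
    times, per_source = [], {}
    for ts, frame in iter_frames(pcap):
        if len(frame) >= 14 and frame[:6] == BROADCAST:
            src = frame[6:12].hex(":")
            per_source[src] = per_source.get(src, 0) + 1
            times.append(ts)
    return {"per_source": per_source,
            "intervals": [round(b - a, 6) for a, b in zip(times, times[1:])]}

# Constructed sample: one host broadcasting every 300 s (ARP ethertype), unicast in between.
_bcast = BROADCAST + bytes.fromhex("001122334455") + b"\x08\x06" + bytes(46)
_ucast = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00" + bytes(46)
SAMPLE_PCAP = build_pcap([(t, _bcast) for t in (0.0, 300.0, 600.0, 900.0)]
                         + [(t, _ucast) for t in (10.0, 320.0, 700.0)])
```

Run broadcast_report on a real capture (read the file in binary mode) and a source that appears at a steady 300-second interval is the one to trace back to a switch port.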
