From owner-freebsd-isp Tue Jan 15 10: 0:41 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from nlaredo.globalpc.net (nld2.globalpc.net [207.193.206.189]) by hub.freebsd.org (Postfix) with ESMTP id 03D2637B402 for ; Tue, 15 Jan 2002 10:00:35 -0800 (PST)
Received: from ds9 (ds9.globalpc.net [207.193.204.57]) by nlaredo.globalpc.net (8.9.3/8.9.3) with SMTP id MAA32031; Tue, 15 Jan 2002 12:08:32 -0600 (CST) (envelope-from adrianbsd@globalpc.net)
Message-Id: <3.0.6.32.20020115120220.00fc9ae8@globalpc.net>
X-Sender: adrianbsd@globalpc.net (Unverified)
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Tue, 15 Jan 2002 12:02:20 -0600
To: Chris Shenton , freebsd-isp@FreeBSD.ORG
From: Adrian Gonzalez
Subject: Re: Who's saturating outbound link (Cisco 2620, IOS 12.1(1))
In-Reply-To: <87g05a2ao2.fsf_-_@thanatos.shenton.org>
References: <1241681557.20010725114735@buz.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Try this on your cisco:

Set up an access list entry that matches the traffic you want to monitor. Enter config mode, then something like:

    access-list 10 permit 192.168.0.0 0.0.0.255

This example would match outgoing traffic from any host on the 192.168.0.x network. Make sure you pick an access list number you're not using for something else, of course. Note that the last set of numbers is not a netmask, it's wildcard bits. So, 0.0.255.255 matches a whole class B net, 0.0.0.15 matches a /28, etc.

Then you can exit config mode and debug:

    debug ip packet 10

Since it's a 256k link, be prepared to be flooded with output. There's probably a way to limit this but I haven't bothered to look it up. You should get a good idea what's causing the traffic by looking at the output.
You should get something like:

    20w1d: IP: s=192.168.0.2 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 136, forward
    20w1d: IP: s=192.168.0.2 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 122, forward

Not quite tcpdump, but should be enough. If you don't get any output, type

    term monitor

so that debugging messages get sent to your terminal. Once you find what you're looking for, you can stop debugging:

    no debug ip packet
    term no mon

Remove the access-list too, or save it for later :)

I'm almost willing to bet you have a guy or two sharing their entire mp3 and avi collection with a Kazaa/Morpheus/etc client :)

Hope this helps

-Adrian

At 04:39 PM 1/13/2002 -0500, Chris Shenton wrote:
>An ISP I support has FreeBSD servers and a bunch of LAN- and
>ISDN-connected clients. It's remote so I can't get to it physically.
>
>In the past couple days, the 256Kbps link has been totally saturated,
>MRTG tells me it's outbound traffic. How can I determine which
>system is causing the traffic?
>
>I'm not a Cisco expert, but hoped "show ip accounting" would help, but
>it only appears to show me *inbound* traffic from all outside
>addresses to my internal addresses. I need the opposite. Is there
>some IOS command I'm just not clued into?
>
>I'm working with the remote admin to see if I can get a hub put
>between the router and other ISP gear, then put a FreeBSD box on that
>so I can use tcpdump or others to sniff the traffic. Until then, I'm
>blind unless there's some cisco voodoo I can use.
>
>Any ideas? Thanks.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message
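Adrian's procedure leaves you reading a flood of "debug ip packet" lines by eye to spot the top talker. The script below is an added example, not from this thread: it implements Cisco wildcard-mask matching (the inverse-netmask semantics he describes, so 0.0.0.15 covers a /28), filters the captured debug lines to packets leaving the WAN interface, and sums forwarded bytes per source host. The debug lines and interface names are constructed sample data in the format shown above; the function names are my own.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample of "debug ip packet <acl>" output, in the format shown in the thread.
SAMPLE_DEBUG = """\
20w1d: IP: s=192.168.0.2 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 136, forward
20w1d: IP: s=192.168.0.2 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 122, forward
20w1d: IP: s=192.168.0.7 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 1500, forward
20w1d: IP: s=192.168.0.7 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 1500, forward
20w1d: IP: s=192.168.5.9 (Ethernet0/0), d=10.0.0.1 (BRI1/3), g=10.0.0.1, len 60, forward
20w1d: IP: s=10.0.0.1 (BRI1/3), d=192.168.0.2 (Ethernet0/0), g=192.168.0.2, len 40, forward
"""

LINE_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<dif>[^)]+)\),.*?len (?P<len>\d+)"
)


def prefix_to_wildcard(prefix_len):
    """Inverse of the netmask: /28 -> 0.0.0.15, /16 -> 0.0.255.255, /24 -> 0.0.0.255."""
    return str(IPv4Address(0xFFFFFFFF >> prefix_len))


def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit set to 1 means 'don't care' for that bit."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def top_talkers(debug_output, network, wildcard, out_iface):
    """Bytes per source host whose packets match the ACL and exit via out_iface,
    sorted largest first, i.e. the host saturating the outbound link."""
    totals = defaultdict(int)
    for line in debug_output.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dif") != out_iface:
            continue  # unparsable line, or traffic not leaving on the WAN side
        if wildcard_match(m.group("src"), network, wildcard):
            totals[m.group("src")] += int(m.group("len"))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for host, nbytes in top_talkers(SAMPLE_DEBUG, "192.168.0.0", "0.0.0.255", "BRI1/3"):
        print(f"{host:15} {nbytes} bytes")
```

On a live router, paste the terminal capture into the script instead of SAMPLE_DEBUG; widening the wildcard (e.g. prefix_to_wildcard(16)) pulls in the other internal subnets without changing the parser.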