From owner-freebsd-isp  Wed Jan 16  9: 6:25 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from ns1.cksoft.de (ns1.cksoft.de [62.111.66.1])
	by hub.freebsd.org (Postfix) with ESMTP id 0D95B37B416
	for <freebsd-isp@freebsd.org>; Wed, 16 Jan 2002 09:06:17 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by ns1.cksoft.de (Postfix) with ESMTP
	id 88D6B14FAA; Wed, 16 Jan 2002 18:06:15 +0100 (CET)
Received: by ns1.cksoft.de (Postfix, from userid 66)
	id 53F7B14FA5; Wed, 16 Jan 2002 18:06:14 +0100 (CET)
Received: by hirvi.cksoft.de (Postfix, from userid 1000)
	id D72261B65E; Wed, 16 Jan 2002 18:02:36 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by hirvi.cksoft.de (Postfix) with ESMTP
	id D404E18E88; Wed, 16 Jan 2002 18:02:36 +0100 (CET)
Date: Wed, 16 Jan 2002 18:02:36 +0100 (CET)
From: Christian Kratzer <ck@cksoft.de>
To: Chris Shenton <chris@shenton.org>
Cc: <freebsd-isp@freebsd.org>
Subject: Re: Who's saturating outbound link (Cisco 2620, IOS 12.1(1))
In-Reply-To: <87g05a2ao2.fsf_-_@thanatos.shenton.org>
Message-ID: <Pine.LNX.4.33.0201161800220.1448-100000@hirvi.cksoft.de>
X-Spammer-Kill-Ratio: 75%
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS perl-11
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isp.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-isp>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-isp>
X-Loop: FreeBSD.org

Hi,

On 13 Jan 2002, Chris Shenton wrote:

> An ISP I support has FreeBSD servers and a bunch of LAN- and
> ISDN-connected clients.  Its remote so I can't get to it physically.
> 
> In the past couple days, the 256Kbps link has been totally saturated,
> MRTG tells me it's outbound traffic.   How can I determine which
> system is causing the traffic?
> 
> I'm not a Cisco expert, but hoped "show ip accounting" would help, but
> it only appears to show me *inbound* traffic from all outside
> addresses to my internal addresses.  I need the opposite.  Is there
> some IOS command I'm just not clued into? 

check that there is "ip accounting output-packets" on every interface
of the router. Especially the one towards your network and the one towards
the isp.  

Then let the accounting accumulate for a while and dump it to a file. 

If a single ip is causing you the traffic you will propably find it just
by sorting for the last column 

	sort -n +4 < accountingdata | tail

or something of the sort should do the job.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,		Schwarzwaldstr. 31, 71131 Jettingen
Email:	ck@cksoft.de
Phone: 	+49 7452 889-135	Open Software Solutions, Network Security
Fax: 	+49 7452 889-136	FreeBSD spoken here!



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message