NetScope Blog

How do you track down and stop Internet traffic hogs?

It's easy enough to see your Internet link is saturated, but what is the cause?

What level of detail does your current router/switch provide?

SNMP from switches or routers will give you some information. You will be able to see how much traffic is flowing in and out of any router that supports SNMP. Another option is using early Netflow for versions Internet monitoring (layer 3/4). The best option at the moment is deep packet inspection (layer 7), which Netflow version 9 (IPFIX) and NetScope support.

What will SNMP Internet monitoring show you?

For example, if you were to look at an edge router you might find information like this from SNMP monitoring software:

Example chart from an SNMP charting application displaying Internet traffic on an edge router

How much information can we get from this simple chart?

All we can really tell is the throughput of the router as a whole. In the chart above we're seeing peaks of inbound traffic reaching 10Mbps and more on three occasions. But we don't know what is causing those traffic bursts.

We could examine other routers and switches

In order to track down where the bulk of the traffic is coming from you'll need to examine other routers and switches to piece together more of the picture.

Backtracking router information is required

To get a better picture we'll need to back-track to find which site/router is generating the traffic. Then piece together the information to create a better picure

NOTE: We still won't know what application is using the bandwidth. SNMP's strength lies in it's detailed device specific information. Internet traffic offloaded by routers is only a small aspect of the information you can get from SNMP.

Older Netflow versions

What level of detail will older versions of Netflow give you? Older versions of Netflow will show you layer 3 and 4 of the OSI model. That is, IP and port source and destination information.

As an example, lets look at an edge router that provides Internet connectivity for a medium sized business. What information will it show us?

A similar view to the SNMP chart

However, with layer 3 and 4 we can find out more detail about the traffic that's present. That is, we can see port and IP information. Let's take a look at the IPs and ports which make up this traffic type.

We see a lot more information than our SNMP chart

Now we're digging down into the data a bit more, we see IP addresses and port numbers. Layer 4 will also let you know if it's TCP, UDP, ICMP or some other layer 4 protocol. However, if we look at the top ports the information is only sort-of useful. We can see we've got some HTTP, HTTPS, SMTP (email), SSH and secure email traffic. But what about the higher level ephemeral ports? The higher level ports are often randomly negotiated on connection and don't tell us a lot about the type of traffic they contain.

We see lots of traffic from one IP address, but we still don't know what application is using that data.

Internet monitoring with deep packet inspection (layer 7)

To see the makeup of Internet traffic deep packet inspection is the gold standard

Netflow V9 and IPFIX allow offloading of more information from a TCP/UDP packets on switches that support it. NetScope also performs deep packet inspection by either sitting in-line or listening to data traveling through a switch using a mirror port. Click here for more details on how NetScope sits on your network.

Using NetScope's deep packet inspection on similar Internet traffic would reveal a lot more information to the user. See the chart below:

Hint: click on any application type in the legend to deselect it from the view

Greater detail

With NetScope deep packet inspection we can see what makes up the Internet traffic. In the example above we can see the application types. Worthy of note is Microsoft OneDrive, which is peaking near to 50 Mb/s while the next closest is 20Mb/s.

NetScope can also show Internet traffic live with a per second granularity

Deep packet inspection gives the ultimate visibility

See how much more useful the data is now that we can see what applications are creating the traffic? We can clearly see in the first pie chart that it is Microsoft OneDrive hogging the bandwidth.

With Active Directory integration we also see users

With NetScope's Active Directory integration we can also get user information about the Internet traffic. In this example we can see that the user 'Chris Horan' is generating the most amount of traffic, and if we drill down into Chris Horan's traffic we'll see that the majority of his traffic is coming from Microsoft OneDrive.

What NetScope will do for you