Best way to track down a user who is using a lot of bandwidth

  • 1
  • Question
  • Updated 4 years ago
  • Answered
New to Aerohive. Have a user in Japan who yesterday transmitted about 1.5GB over UDP. No idea what program or to/from where. Ran a number of reports. Nothing to see what he was actually doing. What's the best way to track this information down?
James Keeling

  • 5 Posts
  • 0 Reply Likes
  • patient. Sort of.

Posted 4 years ago

  • 1
Nicolas Maton

  • 38 Posts
  • 9 Reply Likes
Capture traffic and then analyse it with Wireshark to see the details.
J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
The Aerohive AVC tools didn't provide any information?
James Keeling

  • 5 Posts
  • 0 Reply Likes
Okay, I'll look up remote capturing with the Aerohive APs. In this case, the AP is halfway around the globe and I don't have SPAN port access to the stream.
James Keeling

  • 5 Posts
  • 0 Reply Likes
Nifty capability... but in this case, the AP is on an internet-only VLAN at the distant end with no PCs connected to it. No way to specify the remote sniffer because there's no layer 3 connectivity...
James Keeling

  • 5 Posts
  • 0 Reply Likes
AVC doesn't appear to show the destination IP... In this case, it's just labeled "UDP" traffic. TFTP? But over a gig of it?
Nicolas Maton

  • 38 Posts
  • 9 Reply Likes
Can't you SPAN a port to see what the source and destination are?
Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
There are a number of "modified" torrent clients out there that are not picked up by a number of vendors' signatures.
Eastman Rivai, Official Rep

  • 146 Posts
  • 17 Reply Likes
James,

When you see the user using high bandwidth, can you log in to the AP the user is connected to and issue the following commands?

_kdebug fe basic
_ff src-ip <<ip address of the client>> bidirectional
or
_ff dst-ip <<ip address of the client>> bidirectional

Then check the log:
show log buff | include debug

The log should show you the source or destination of the traffic and the size of the packets being transferred.

Please disable the debug after that (no _kdebug fe basic).

I hope this answers your question.
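Whichever way the capture is obtained (Wireshark as Nicolas suggests, or the AP-side debug output above), the question the thread keeps coming back to is which destination and port account for the bytes. The following is an added example of mine, not from the thread or from Aerohive: a dependency-free Python script that reads a classic pcap file and totals UDP bytes per (source, destination, destination port) for one client, the same view Wireshark gives under Statistics > Conversations. The capture, addresses and ports are constructed sample data.

```python
import struct
from collections import defaultdict
# Constructed sample capture (not from the thread): a pcap built in memory with
# three UDP flows involving one client so that the script runs offline.
CLIENT = "192.0.2.10"

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _udp_frame(src, dst, sport, dport, payload_len):
    udp_len, ip_len = 8 + payload_len, 28 + payload_len
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0, _ip(src), _ip(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + b"\x00" * payload_len

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap(
    [_udp_frame(CLIENT, "198.51.100.7", 51000, 6881, 1400)] * 30  # the bulk flow
    + [_udp_frame(CLIENT, "203.0.113.5", 51001, 53, 60)] * 5
    + [_udp_frame("203.0.113.5", CLIENT, 53, 51001, 120)] * 5
)

def udp_talkers(pcap_bytes, client_ip):
    """Return [((src, dst, dst_port), ip_bytes), ...] for UDP flows touching client_ip, largest first."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # KeyError on an unsupported pcap variant
    totals, off = defaultdict(int), 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # skip anything that is not IPv4/UDP over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 8:
            continue  # truncated snapshot, no UDP header to read
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        if client_ip in (src, dst):
            totals[(src, dst, dport)] += struct.unpack("!H", frame[16:18])[0]  # IP total length
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

On a real capture, read the file with `open(path, "rb").read()` and pass the client's address; the first entry returned is the flow worth chasing down.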