Unknown User on LAN is Major Bandwidth Hog -- How Can I Find Out Who?
March 15, 2004 2:01 PM

What's the best way to watch a LAN? Someone on our work network is using a whole mess o' bandwidth and no one will own up to it. Is there a decent free package out there for either linux or windows that'll let me see what's up?
posted by ph00dz to Computers & Internet (16 answers total)

Tons of them.

Are you chiefly concerned with bandwidth of the network itself, or your uplink, for example the internet connection? That will determine where to plug in a sniffer.

One of the popular free sniffers is Ethereal, which shoulda oughtta run on just about anything. Snort can likewise be pressed into service for the purpose.
posted by majick at 2:20 PM on March 15, 2004

To watch traffic on an ethernet, tcpdump (there's a windows port called windump somewhere as well) or etherape may help. It's bad form to snoop for longer than necessary though. tcptrace can do some nifty analysis of data from tcpdump or other packet sniffers.

Traffic usage - who admins your router or firewall? They should be able to pull out a summary report easily.

Also, you say "no one will own up". Don't forget that a lot of people will have no idea how much bandwidth they use. E.g., you may find someone listening to streaming audio who says "but i'm not downloading!" Try asking some more lateral questions about what people are doing.
posted by i_am_joe's_spleen at 2:21 PM on March 15, 2004

you might just wander amongst the cubicles until you hear the streaming internet radio station. on preview, joe's spleen is right on. and i'll bet that's it.
posted by quonsar at 2:32 PM on March 15, 2004

etherape is ok for unix - http://etherape.sourceforge.net/

gives you a picture with a big fat line pointing to the IP address in question.
posted by andrew cooke at 2:32 PM on March 15, 2004

Response by poster: I guess that I administer the network. As the sole programmer in a sea full of salespeople, all the responsibility for the tech-type stuff has fallen on me. We don't have one of them highfalutin' cisco routers -- we're running off one of those linksys wireless units. (Which actually works just fine for what we need it to do... at least 99% of the time)
posted by ph00dz at 3:03 PM on March 15, 2004

Let me suggest one other thing - look on the OTHER SIDE of your router. If some rotter is sending you a lot of packets, depending on your provider, you can still end up with the bill, even if you drop said packets on the floor.

Oooh, and you say it's a wireless router - better start checking whether someone else is getting a free ride off you. WEP is easy to crack.

When you say "someone is using a whole mess of bandwidth", what do you mean? Do you mean your upstream provider is billing you more than you expected? Do you mean that file transfers locally are too slow? What are the symptoms you observe?
posted by i_am_joe's_spleen at 3:15 PM on March 15, 2004

Woahwoahwoah, wait a second. Did I hear you say "one of those linksys wireless units"? Well, then, sonny, I've got only one thing to say to you:

posted by majick at 3:25 PM on March 15, 2004

I like iptraf, myself. Old, but still gold.
posted by shepd at 3:39 PM on March 15, 2004

Kismet is on Knoppix, btw.
posted by holloway at 3:49 PM on March 15, 2004

About this whole sniffer thing ... I run tcpdump to help diagnose web-based applications that I'm building, which comes in real handy when I need to track any of my 4 computers and what their traffic looks like.

But is it possible to sniff outside the hub my 4 computers are on? That would really come in handy for using my diagnostic stuff on environments outside my office.
posted by jragon at 4:51 PM on March 15, 2004


If you're really on a hub? Yes, I think, because you'd be on the same segment. Switch? No. And if your hub goes straight into a switch, also no.

See here for a quick ethernet primer and discussion of hubs and switches. What tcpdump is doing is called putting your ethernet card into promiscuous mode: in promiscuous mode you see packets intended for other cards on your segment as well as your own. If a device is not on your segment, you will not see packets for it (unless they originate from a device on your segment). Usually you need to be root on Unix or Linux to put a card into promiscuous mode - dunno about other operating systems.

If you want to use "diagnostic stuff on environments outside my office", you need access to a host on an appropriate network segment, or the ability to put one of your devices on said segment. And you should have permission from owners, of course.
posted by i_am_joe's_spleen at 5:55 PM on March 15, 2004

To clarify: when I say you can see outside your hub, I mean only as far as the next router or switch.
posted by i_am_joe's_spleen at 6:12 PM on March 15, 2004

I can't find it now, but there was a link to a service a few weeks ago that would let you charge folks to access your wireless connection (giving the service a slice).

I'll keep looking for it, unless someone knows what it is... if your leakage is outside the company, it could be a win/win solution.
posted by o2b at 8:22 PM on March 15, 2004

I can't find it. I GOT to remember to blog that kind of stuff.
posted by o2b at 8:31 PM on March 15, 2004

I once had a printer on the network sending out 32K/sec traffic because it was looking for a bootp server which didn't exist. Ethereal allowed me to figure it out. I saw all the traffic coming from one MAC address, looked up the address in the vendor tables, realized we only had one printer from that vendor, reset its settings, and that was it.

So all I'm saying is, it might not be a user.
posted by Mo Nickels at 6:49 AM on March 16, 2004
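
Added example, not part of the original thread: the tally Mo Nickels describes above (which MAC address is sending the most, then whose hardware it is), computed from a classic pcap file such as tcpdump writes. The capture bytes, the MAC addresses and the vendor-prefix table are constructed for illustration; a real lookup would use the IEEE OUI registry.

```python
import struct
from collections import Counter

# Constructed vendor-prefix table (locally administered prefixes, not real OUIs).
SAMPLE_OUI = {"02:aa:01": "ExamplePrinterCo", "02:bb:02": "ExampleLaptopCo"}

def bytes_per_source_mac(pcap: bytes) -> Counter:
    """Sum original frame lengths per Ethernet source MAC in a classic pcap."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, offset = Counter(), 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "4I", pcap, offset)
        frame = pcap[offset + 16 : offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:
            break  # capture file cut off mid-packet
        if len(frame) >= 14:  # need dst(6) + src(6) + ethertype(2)
            totals[frame[6:12].hex(":")] += orig_len
    return totals

def top_talkers(pcap: bytes, n: int = 3):
    """Return [(mac, bytes, vendor)] sorted by traffic, heaviest first."""
    return [(mac, total, SAMPLE_OUI.get(mac[:8], "unknown"))
            for mac, total in bytes_per_source_mac(pcap).most_common(n)]

def build_sample_pcap() -> bytes:
    """Constructed capture: one device broadcasting repeatedly, two quiet hosts."""
    def record(src: str, size: int) -> bytes:
        frame = b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + b"\x08\x00"
        frame += bytes(size - len(frame))  # zero padding stands in for the payload
        return struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(record("02:aa:01:00:00:10", 342) for _ in range(40))
    body += record("02:bb:02:00:00:20", 60) * 5 + record("02:cc:03:00:00:30", 60)
    return header + body

if __name__ == "__main__":
    for mac, total, vendor in top_talkers(build_sample_pcap()):
        print(f"{mac}  {total:>6} bytes  {vendor}")
```

Because the tally is keyed on the Ethernet source address rather than the IP address, it also catches devices that have no IP address yet.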

skallas: that's not the one I was thinking of, but it's worth knowing about, thanks.

The one I can't find provides a service like when you go to starbucks -- you open a browser via wifi and are presented a page that lets you pay for minutes of access.
posted by o2b at 9:34 AM on March 16, 2004
