Viewing throughput for individual IP's on the LAN
I am trying to obtain information about which station on our LAN is taking up all the bandwidth. Status graph is great, but it doesn't tell me who is spiking the volume.
Unfortunately we need this in near real time for it to be useful. We know about traffic shaping and we're using that, but we still need to know which IP address internally is moving the most data.
I think we want the raw ASCII data about the traffic, but we want to do all the presentation and sorting on our own.
I read about syslog, but I can't seem to find out if the volume information we're after is being logged.
I can't seem to find a simple way to extract this from PFSense. It's probably something simple.
Does anyone have any ideas? Thanks in advance.
Either of these packages may work for what you need
We use the interface on our HP Procurves to do that…..There you have the graph realtime on each port connected....
Thanks for the fast replies, guys.
We have Dell stuff and a Cisco2621 and none of it is too new. And nothing new is coming in this economy. So the HP stuff sounds cool, but it's a no go.
I found bandwidthd, but "rate" is tough because when I search, all I get is rating systems for everyone's site on the net.
Any idea where to find that one?
You could accomplish something similar with pretty much any managed switch (with SNMP) and some spare cycles on a server somewhere. Are you using managed switches? If you are just set up Cacti or MRTG.
'rate' is in the packages list in the webui, but it basically only shows you a realtime view. I've also had success with manually installing iftop (pkg_add -r iftop) and using it on the console. I don't really like running the daemon style ones like darkstat or bandwidthd.
Wow you guys are a great help. Thanks a lot.
Checked my webui - no reference to "rate" and we're using 1.2-RELEASE. I can't believe I didn't even see that page when I looked.
We are using two Dell 3024's and two 3324's and it looks like they are both managed, so maybe we'll go that route. And actually, real time is all we're looking for. We are a large internet cafe and gaming center and so with public access computers, invariably someone or something goes wild and everyone suffers. We have traffic shaping in place, but many times this stuff can come from anywhere (12 WoW players in the same very large battle seems to suck up lots of bandwidth).
The floor staff generally hear the complaints and then try to walk around figuring out who the culprit is. Eventually it gets corrected, but it's just sloppy. Anyway, no way will we even let them near the console, so we're trying to get a read only real time icon on the register's desktop that they can use to quickly tell who's got the bandwidth.
I'm going to look into Cacti and MRTG.
Awesome, guys. Thanks.
Just checked out their stuff (ok took two minutes to check it out since I have ADHD).
Looks really great.
I don't like to slobber in public, but I've been searching for a while and never even came close to this stuff and it may solve a huge problem for us.
'rate' is probably exactly what you're looking for. It adds a list of active IPs next to the traffic graph with their current bandwidth usage, refreshed every couple seconds. Set it to the LAN interface and you can see exactly who is using all the bandwidth in real time. However, I think you're right, this package is only for 1.2.3-RC1/2 I believe, so you'd need to upgrade. FWIW, they are very stable and I'm using it in production myself.
Cacti and other similar tools aren't going to give you real-time stats; by default it's usually set up to update every 5 minutes, so you get a 5-minute average on a graph. It tends to be useful if you're in a business setting and one user has, say, a message stuck in their Outbox that keeps sending constantly wasting tons of bandwidth, but probably not as useful in your situation. Your switches may have something similar to the HP's utilization graph, this is a pretty common feature for managed switches. That said, all the Dell switches I've used have a web interface that is basically useless it's so poorly coded.
I remember trying to use the Dell software and thinking it sucked.
I'll get on my guy to upgrade and try out 'rate'. Probably needs to be renamed if they anyone to find it. Try searching for that… :)
Once again, thanks. You've saved us a bunch of time.
Not sure if you're using squidGuard and LightSquid but I also use Proxy Report which is sorted by IPs by day, hour and month. Nice way to track usage. However, this will only track traffic going through PfSense.