How to discover what is slowing down the network?

  • Hi,
    I'm experiencing a few problems on my network, especially with the traffic that is going out through a pfsense 1.2.3 with multi-homed load balancer. What happens is that on a few days the network traffic goes very slow, and I cannot figure out what machine(s) and/or what protocols are doing this. Or better, I can see who, which and what is passing through the pfsense, since I've got extensions like bandwidthd, but what I'm seeing is generic http traffic while I suspect it must be a p2p or something else that is collapsing the network. The LAN is working fine, the pfsense box does not report memory and/or state limitations, and both are always under the half threshold. IPSEC traffic is done by another device (asymmetric routing), and my WANs are 3x4Mb/s (symmetric). The strange thing is that on some days the network is going slow, while on other days, with the same amount of traffic as reported by bandwidthd, the network works well. This could lead to a problem of the ADSL providers, but I'm not sure, because other factories with the same providers and in the same local facilities are not experiencing problems (ok, this is not a proof that the lines are ok). I've enabled traffic shaping, using the wizard and giving max priority to http and low priority to p2p, but the problem still exists (and the queues never report a borrowed packet, if this means).
    I say that I suspect this is due to p2p because I know some clients use it and when they are turned off the network works well, but this is not a proof since I've got more than 150 clients and I don't know exactly how many p2p programs are running.
    Is there any tool/technique I can use to discover what is blocking the network and how to fix it?

    Any suggestion will be appreciated.

    Well, you could capture the traffic at your pfsense box (under diag) and load that up into, say, wireshark to see what is going on exactly.

    Or you could turn on netflows, be it pfflowd or install softflowd, and send that to a flow collector - prtg or ntop can do this for example.  You could then see who your top talkers are and what specifically the traffic is and where it's going vs the generic stuff you get with bandwidthd.

    You could also just run for example pftop or iftop to see who your top talkers are in real time, or install the darkstat package - not sure if it runs on 2.0, have not used it since my 1.2.3 days.

    You can even install ntop right on your pfsense box, but sending the flows to a different machine would work just as well.
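
The "capture, then find the top talkers" step suggested above, as an added example that is not part of the original thread: a standard-library Python sketch that totals bytes per LAN host, protocol and remote port from a capture, which separates port-80 traffic from everything else a per-host graph lumps together. It assumes the capture is a classic pcap file with Ethernet framing; the function names, the `192.168.1.` LAN prefix and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

PROTO = {6: "tcp", 17: "udp"}

def top_talkers(pcap, lan_prefix="192.168.1.", n=5):
    """Sum bytes per (LAN host, protocol, remote port) in a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, VLAN-tagged)
        ihl = (frame[14] & 0x0F) * 4
        ports = frame[14 + ihl:18 + ihl]
        fragment = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] not in PROTO or len(ports) < 4 or fragment:
            continue  # no port numbers to read
        sport, dport = struct.unpack("!HH", ports)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if src.startswith(lan_prefix):      # upload: remote port is the destination
            totals[(src, PROTO[frame[23]], dport)] += orig_len
        elif dst.startswith(lan_prefix):    # download: remote port is the source
            totals[(dst, PROTO[frame[23]], sport)] += orig_len
    return totals.most_common(n)

def _frame(src, dst, proto, sport, dport, size):
    """Constructed Ethernet/IPv4 frame; the L4 header is reduced to 8 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + size, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8 + size, 0) + bytes(size)

def sample_pcap():
    """Constructed capture: one web client and one host on a high UDP port."""
    frames = [_frame("192.168.1.10", "203.0.113.5", 6, 40000, 80, 100),
              _frame("203.0.113.5", "192.168.1.10", 6, 80, 40000, 400),
              _frame("192.168.1.77", "198.51.100.9", 17, 6881, 51413, 1000),
              _frame("198.51.100.9", "192.168.1.77", 17, 51413, 6881, 1200)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a real capture, pass the file's bytes and your own LAN prefix, for instance `top_talkers(open("capture.pcap", "rb").read(), lan_prefix="10.0.0.")`, where the file name and prefix are placeholders.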