Bandwidth out high - how to track IP?
Not sure if this is the right area to post, sorry if not.
We have got an issue on the network, theres about 20 IP addresses with extremely high usage going outbound showing up in the Traffic Graph (ISP account notified us) and the RRD Graphs show its been going on for a while.
Now i can manually block the IP's to stop the outbound traffic, but my question is how do i track which IP in the LAN is creating this traffic? Ive used Darkstat, NTOP, iftop, BandwidthD and done packet sniffing etc but can't seem to trace whats generating it.
Any suggestions please? The IP address range is an odd one around the
8.27.x.x range and the higher ranges.
go to diagnostics pfTop
there should be a list of top users in the list. you will find the IP thats generates most traffic at the top.
Tried that also, it shows all the live traffic and can see the bandwidth but its showing as the gateways IP address not the LAN IP address for some reason. So not sure why its doing this.
LAN is 192.168.1.x
GW Int. 10.0.0.x
and its showing as being all generated from the GW, but not showing what the source IP is on the LAN. Its an odd one…
pfTop gives me the following which is one of the top culprits for the public IP. Which points to Level 3 Communications in US.
pfTop: Up State 1-318/318, View: default, Order: bytes
PR D SRC DEST STATE AGE EXP PKTS BYTES
tcp O 10.0.0.254:21920 22.214.171.124:80 10:10 433 77 201K 142M
This has been resolved. Squid cache was corrupting the downloads and it was coming from Windows Updates. Setup WSUS server to correct this, little annoying how it can't tell you what the source IP address is. :(