A traffic question

endlesslyonline

Hey, I'm not sure if I am in the correct section here, but here goes.

I have been asked to manage computers in a computer lab for a certain company. They have about 30 PCs connected with a LAN to an ADSL router, and MWEB is the service provider. For the past week or so, the network is so slow it's almost non-existent. If I ping the router from a PC using the -t switch, it times out the whole time, and every now and then it will ping but with a time of 9000ms+. The cap is also going somewhere, "it" is eating about 3gig a day! Probably malware / virus, or maybe someone is downloading a **** load somewhere. The router is not a Wifi enabled one, so theft is out of the question (or is it?)

So my question basically is, what program can be installed (preferably on one PC/server only) that can monitor the network and tell me what PC/IP is using the bandwidth?

Thanking you in advance
 
Check the switch/switches... Plug a lappy in, ping -t, start unplugging PCs 1 by 1 till the pings become reasonable, then start replugging to verify which are killing the network.

Traffic monitoring can be handled by a proxy, but you'd preferably want 1 PC/server with 2 network cards to cut the risk of somebody bypassing the proxy.
 
Thank you for the speedy replies :D

You can try Wireshark (http://www.wireshark.org/). I've used it to isolate malware-infected PCs on our LAN.

Good luck.

Downloading now, Thanks

Check the switch/switches... Plug a lappy in, ping -t, start unplugging PCs 1 by 1 till the pings become reasonable, then start replugging to verify which are killing the network.

Traffic monitoring can be handled by a proxy, but you'd preferably want 1 PC/server with 2 network cards to cut the risk of somebody bypassing the proxy.

That is what I feared was needed, hoped there was a more automated way, oh well, lemme get started then ....
 
Sounds like you have 2 problems - one is a network problem and the other possibly a malware problem.

1) Are you sure it's 9000ms? Most pings just give a timeout after 2048ms.
2) If you ping two machines in the same subnet, do you get a few ms response? If not, you have a cabling problem or an incorrect switch/NIC speed/duplex setting. If you have a managed switch you should be able to see errors on the switch ports.
3) If your local pings are fine and you only get 9000ms to the router, check the connection between the switch and the router.
4) Are the PCs all connected to the same switch? Could be a faulty NIC bringing down the network. Switch off all machines - run a ping between 2 and check the results. Then slowly switch on machines until the network falls over.
5) For the malware problem you will need to run a sniffer on the ppp port of the router. What AV/malware are you using? Check that all machines are updated and run full scans. I'd recommend running Malwarebytes anyway.
6) If your users go through a proxy you should be able to detect it in the logs.
7) If you don't have a proxy, for 30 machines then I'd recommend getting one. (Squid)
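
Point 6 above, as an added example that is not part of the original post: ranking LAN clients by bytes pulled through a Squid proxy. It assumes Squid's default "native" access.log layout; the sample lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's default "native" access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1250000000.101 9210 192.168.1.14 TCP_MISS/200 52428800 GET http://downloads.example/a.iso - DIRECT/203.0.113.10 application/octet-stream
1250000001.202 18400 192.168.1.14 TCP_MISS/200 104857600 GET http://downloads.example/b.iso - DIRECT/203.0.113.10 application/octet-stream
1250000002.303 95 192.168.1.7 TCP_MISS/200 18432 GET http://news.example/ - DIRECT/203.0.113.20 text/html
1250000003.404 3 192.168.1.22 TCP_HIT/200 2048 GET http://news.example/logo.png - NONE/- image/png
1250000004.505 1 192.168.1.7 TCP_DENIED/403 512 GET http://blocked.example/ - NONE/- text/html
1250000005.000 truncated
"""

def bytes_per_client(lines):
    """Sum bytes delivered and request counts per client IP; count unparsable lines."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    skipped = 0
    for line in lines:
        fields = line.split()
        if not fields:
            continue  # blank line
        # Field 2 is the client address, field 4 the bytes sent to that client.
        if len(fields) < 7 or not fields[4].isdigit():
            skipped += 1  # truncated or non-native line: report it, don't guess
            continue
        entry = totals[fields[2]]
        entry["bytes"] += int(fields[4])
        entry["requests"] += 1
    return dict(totals), skipped

def top_talkers(lines, n=5):
    """Return [(client, bytes, requests, share_of_total)], heaviest first."""
    totals, _ = bytes_per_client(lines)
    grand_total = sum(t["bytes"] for t in totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(ip, t["bytes"], t["requests"], t["bytes"] / grand_total)
            for ip, t in ranked[:n]]

if __name__ == "__main__":
    # In practice, pass open("/var/log/squid/access.log") instead (path is an assumption).
    for ip, nbytes, reqs, share in top_talkers(SAMPLE_LOG.splitlines()):
        print(f"{ip:<15} {nbytes / 2**20:10.1f} MiB {reqs:5d} req {share:6.1%}")
```

This only accounts for traffic that actually passes through the proxy; anything that bypasses it will not appear in the totals.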
 
If it's a Windows server and you have some RAM to spare, consider using a virtualised proxy to save a bit of money on a dedicated PC/hardware firewall.

You'll just need maybe 256MB free physical RAM and a NIC, about 4-10GB space. I have a virtualised IPCop running 24/7 inside Ubuntu Server and it's a pleasure to administer and maintain. You can also use IPCop to limit access to various sites and set intervals where sites like Facebook can be used (like during lunch/after hours).

Can you give us a picture or explanation of your network topology? That would also help.
 
Ideally set up a Linux box with 2 interface cards: one internal, one external that connects to the ADSL router. Then you can analyse the traffic using ntop (web interface preferably), available on most Linux distros, i.e. openSUSE, Ubuntu, Fedora etc.

If it is too difficult to install Linux, use one of the open-source firewalls (with 2 LAN cards), i.e. IPCop, Smoothwall, or the more multi-functional ClarkConnect or eBox.
Use an old box and put some life back into it. The above solutions will format the drive and pre-install Linux for you and ask some questions on IP addresses etc.
Ask a Linux user to assist you with it or carry on with MyBB.
 
Thanks to everyone that has replied, it's much appreciated. I will go and play around over the weekend there and hopefully find the problem, then do a Squid proxy for any future problems.
 