Unknown network traffic / router traffic monitoring
So I got a new PC with Windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking to find a live, better program to monitor the Actiontec router for traffic. Anyone know of anything that can maybe show me who is using all the bandwidth on my network?
I have found software for Linksys, but nothing for the Actiontec.
Thanks,
Quasimodem
Fios in Florida
Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
Unicast
Broadcast
Multicast
Unicast is traffic between two devices. You will see the traffic between the PC with Wireshark and another device on your local network such as a printer, another PC or the router. You should not see traffic between another PC and the Internet, for example. Using a phone as an example, someone calls you and the conversation is between you and the person on the other end of the phone. This is unicast traffic. Using defaults of the Actiontec, IP addresses seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network. If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
Broadcast traffic is traffic sent to all devices. It's not directed toward a particular PC but rather usually looking for information. In a sniffer trace you will see broadcast traffic. Going back to the phone example, when someone makes an announcement on an overhead intercom system, that is broadcast traffic. Broadcast traffic will be seen as 192.168.255.255.
Multicast traffic is traffic from one device for many devices. It is usually used in video feeds. Using the phone system as an example, someone wishes to tell a group of people something, so instead of calling each person up and telling them, each person who wants the information joins a conference bridge. Anyone is allowed to listen but only those that wish to get the information receive it. That is generally how multicast works. Multicast traffic will be seen as IP address 224.x.x.x or something of the sort, where the address will be 2xx.x.x.x.
I hope this makes sense. Probably more information than you needed but at least it will help you understand what wireshark is telling you.
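An added example (not part of the original posts): a short Python sketch that labels each captured packet as unicast, broadcast or multicast and totals bytes per LAN host, first for the whole LAN and then for what a sniffer on one PC would actually see. The /24 mask on the Actiontec default LAN and the packet records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the Actiontec default LAN is 192.168.1.0/24. The directed
# broadcast address depends on the mask (192.168.1.255 for a /24).
LAN = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample records: (source IP, destination IP, bytes).
SAMPLE = [
    ("192.168.1.2", "198.51.100.7", 1500),      # PC running the sniffer
    ("198.51.100.7", "192.168.1.2", 40000),
    ("192.168.1.5", "203.0.113.9", 900000),     # another PC uploading
    ("203.0.113.9", "192.168.1.5", 2000),
    ("192.168.1.5", "192.168.1.255", 300),      # directed broadcast
    ("192.168.1.100", "224.0.0.251", 120),      # set-top box multicast
    ("192.168.1.3", "255.255.255.255", 342),    # limited broadcast
]

def classify(dst, lan=LAN):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination IPv4."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST or addr == lan.broadcast_address:
        return "broadcast"
    if addr.is_multicast:                        # 224.0.0.0/4
        return "multicast"
    return "unicast"

def visible_from(capture_host, packets, lan=LAN):
    """Packets a sniffer on capture_host sees on a switched LAN: its own
    unicast conversations plus all broadcast and multicast traffic."""
    return [p for p in packets
            if capture_host in (p[0], p[1]) or classify(p[1], lan) != "unicast"]

def usage_by_host(packets, lan=LAN):
    """Total bytes per LAN host, split by traffic type."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, length in packets:
        kind = classify(dst, lan)
        if ipaddress.ip_address(src) in lan:
            totals[src][kind] += length          # sent by a LAN host
        elif kind == "unicast" and ipaddress.ip_address(dst) in lan:
            totals[dst][kind] += length          # download to a LAN host
    return {host: dict(kinds) for host, kinds in totals.items()}

def top_talker(packets, lan=LAN):
    """Return (host, total_bytes) for the busiest LAN host."""
    usage = usage_by_host(packets, lan)
    host = max(usage, key=lambda h: sum(usage[h].values()))
    return host, sum(usage[host].values())

if __name__ == "__main__":
    print("whole LAN      :", top_talker(SAMPLE))
    print("seen from .1.2 :", top_talker(visible_from("192.168.1.2", SAMPLE)))
```

The second result names the sniffing PC itself as the top talker, because the other PC's unicast traffic never reaches its port; a per-host total for the whole LAN has to be measured at the router or on a mirrored port.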
Similar Messages
-
How much additional traffic does agentless monitoring add to your network
I know this is not a fully evolved question because you could respond, what MP's (Maintenance Packs) do I have installed, and what all am I monitoring, however I am somewhat new to SCOM 2012, I've set it up and have it going, getting great alerting,
right on so far! I have about a dozen servers that will not install the SCOM agent either from the management server via discovery, nor manually, and I want to be sure as not to overload the network with additional traffic.
Your thoughts on this please.
This is a great product once you wrap your head around it, and after a solid 4 days on it. :)
Hi rapper36,
From:
http://blogs.catapultsystems.com/cfuller/archive/2012/06/22/opsmgr-2012-resource-requirements-and-usage-recommendations-for-agent-and-agentless-monitoring-scom.aspx
OpsMgr 2012 Agentless Monitoring resource requirements:
Processor: < 1% average increase in processor utilization
Disk: < 1 average increase in pages per second
Disk: < 1 MB data (as there is no %programfiles%\System Center Operations Manager folder created)
Network: < 1 MB data sent and received to the system during installation
Memory: 14 MB less available memory
Time to Deploy to Monitored state: 2.5 minutes
After the agent was appearing as monitored the performance counters gathered prior to the installation were compared to those gathered after installation. The results indicate additional overhead associated with the Operations Manager 2012 agentless monitoring after the agent was appearing as monitored.
Processor: < 1% average increase in processor utilization
Disk: < 1 average increase in pages per second
Disk: < 10 MB
Network: < 1 MB/min additional traffic
Memory: < 1 MB less available memory
Natalya
-
Need to route traffic based on destination to 2 different routers
I have a 4451X that has a default route of 10.10.48.1. I have 2 other internet routers at 10.10.48.15, and 172.31.1.3.
The router at 172.31.1.3 is a VPN firewall and has a VPN to 3 specific IP networks. 172.31.252.0/24, 192.168.252.0/24, and 192.168.163.0/24.
I need the traffic headed to the 3 VPN'd networks to route to 172.31.1.3, and the remaining traffic to route to 10.10.48.15.
The source network is 172.31.0.0/23 and the gateway of the machines is 172.31.0.1.
I tried creating a PBR but the internet traffic seems to go outbound through the router's default route of 10.10.48.1 and not 10.10.48.15.
I am sure I am just missing something silly.
Here are the relevant portions of the config:
interface GigabitEthernet0/0/1
 ip address 172.31.0.20 255.255.254.0
 ip nat inside
 ip policy route-map Test
 negotiation auto
 vrrp 1 ip 172.31.0.1
 vrrp 1 priority 105
interface GigabitEthernet0/0/1.2
 encapsulation dot1Q 2
 ip address 10.10.48.12 255.255.255.224
 ip nat inside
 ip access-group 199 in
 vrrp 1 ip 10.10.48.3
 vrrp 1 priority 105
 vrrp 2 priority 105
 no cdp enable
ip route 0.0.0.0 0.0.0.0 10.10.48.1
ip route 0.0.0.0 0.0.0.0 172.31.1.3 2
access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.163.0 0.0.0.255
route-map Test permit 19
 match ip address 116
 continue 20
 set ip next-hop 172.31.1.3
route-map Test1 permit 20
 set ip next-hop 10.10.48.15
Thanks in advance.
Burton Hallman
Firstly I'm not sure why you have two default routes if everything is meant to go via 10.10.48.1?
That aside, in terms of your PBR -
1) Remove the continue statement. I don't know what it is meant to be doing but as far as I know it has no effect with PBR.
2) More importantly, your second statement is using a different route map name, i.e. Test1, which makes it a completely different route map, so the one applied to the interface only has the first statement in it, which is the one for VPN traffic.
Jon -
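An added example (not code from the thread): a small Python model of policy-based routing that traces packets through the route-maps as posted and through a single route-map holding both sequences, which is the change the answer describes. The model follows the answer in ignoring `continue`; the host addresses used as test packets and the names `POSTED` and `MERGED` are constructed for illustration.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(acl, src, dst):
    """Extended ACL match using IOS wildcard masks (a 1 bit means 'ignore')."""
    for s_net, s_wild, d_net, d_wild in acl:
        src_ok = ((_ip(src) ^ _ip(s_net)) & ~_ip(s_wild) & 0xFFFFFFFF) == 0
        dst_ok = ((_ip(dst) ^ _ip(d_net)) & ~_ip(d_wild) & 0xFFFFFFFF) == 0
        if src_ok and dst_ok:
            return True
    return False

# access-list 116 exactly as posted. Note that the question names
# 172.31.252.0/24 as a VPN network while the ACL lists 172.31.254.0.
ACL_116 = [
    ("172.31.0.0", "0.0.1.255", "172.31.254.0", "0.0.0.255"),
    ("172.31.0.0", "0.0.1.255", "192.168.252.0", "0.0.0.255"),
    ("172.31.0.0", "0.0.1.255", "192.168.163.0", "0.0.0.255"),
]

# Preferred static default route from the posted config.
DEFAULT_ROUTE = "10.10.48.1"

# Route-maps as posted: sequence 20 lives in a second map, "Test1",
# which is not applied to any interface.
POSTED = {
    "Test": [(19, ACL_116, "172.31.1.3")],
    "Test1": [(20, None, "10.10.48.15")],
}

# Both sequences under the one name that "ip policy route-map Test" applies.
MERGED = {
    "Test": [(19, ACL_116, "172.31.1.3"),
             (20, None, "10.10.48.15")],
}

def next_hop(route_maps, applied, src, dst, default=DEFAULT_ROUTE):
    """Next hop chosen for a packet arriving on the policy-routed interface.

    Entries of the applied route-map are tried in sequence order; an entry
    with no match clause matches every packet. A packet that no entry
    matches is routed normally, here via the default route.
    """
    for _seq, acl, hop in sorted(route_maps.get(applied, []), key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return hop
    return default

if __name__ == "__main__":
    packets = [("172.31.0.50", "198.51.100.7"),    # internet traffic
               ("172.31.0.50", "192.168.252.10"),  # VPN network in the ACL
               ("172.31.0.50", "172.31.252.5")]    # VPN network not in the ACL
    for src, dst in packets:
        print(dst, "posted:", next_hop(POSTED, "Test", src, dst),
              "merged:", next_hop(MERGED, "Test", src, dst))
```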
VRF-Lite on one 6509; How to route traffic from global to VRF.
To anyone that can lead me in the right direction:
I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...
Hello,
You need to use static routes in both directions: one static in the VRF table that points to the Global interface, and another one in the Global table that points to the VRF interface for the received traffic. After that, you can redistribute the Global static route into EIGRP for end-to-end connectivity!
Example:
Consider you have 2 interfaces in your core SW-6509: one is G0/1 and the other is G0/2.
G0/1 is placed into the Global table, and G0/2 is part of VRF (X).
interface G0/1
 ip address 1.1.1.1 255.255.255.0
interface G0/2
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
Consider subnet Y.Y.Y.Y in the Global table that you want to have accessible from the VRF!
Configure this: (ip route vrf X y.y.y.y y.y.y.y.y G0/1 Global)
Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
You can then redistribute the Global static into EIGRP as below:
router Eigrp 1
 no auto-summary
 redistribute static metric 1.1.1.1.1
HTH
Mohamed -
Route Traffic to down a specific link
I need to route traffic that is sourced from 10.1.50.0 network down link 1. Currently all traffic goes down Link 2. I want all traffic except 10.1.50.0 network to still use Link 2 as primary. What would be the best approach: a static route for the 10.1.50.0 network, or some type of policy map, or something else? Thanks for the help.
Thanks for the reply. I created the access list and policy map from above but can not put the policy map on the VLAN interface. The commands are there but when I verify by looking at the interface it is not there. It is a 3750 G with IPSERVICES IOS. Any ideas? Thanks
Standard IP access list 50
10 permit 10.2.50.0, wildcard bits 0.0.0.255 log
sh route-map
route-map **VLAN250**, permit, sequence 10
Match clauses:
ip address (access-lists): 50
Set clauses:
interface GigabitEthernet2/0/1
Policy routing matches: 0 packets, 0 bytes -
Slow TCP performance for traffic routed by ACE module
Hi,
the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-( See:
server1: / #ftp server2
Connected to server2.cent.priv.
220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
Name (server2:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
200 PORT command successful.
150 Opening data connection for /dev/null.
5000+0 records in.
5000+0 records out.
226 Transfer complete.
163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
local: |dd if=/dev/zero bs=32k count=5000 remote: /dev/null
ftp>
The output from show resource usage doesn't show any drops:
conc-connections 0 0 800000 1600000 0
mgmt-connections 10 54 10000 20000 0
proxy-connections 0 0 104858 209716 0
xlates 0 0 104858 209716 0
bandwidth 0 46228 50000000 225000000 0
throughput 0 1155 50000000 100000000 0
mgmt-traffic rate 0 45073 0 125000000 0
connections rate 0 9 100000 200000 0
ssl-connections rate 0 0 500 1000 0
mac-miss rate 0 0 200 400 0
inspect-conn rate 0 0 600 1200 0
acl-memory 7064 7064 7082352 14168883 0
sticky 6 6 419430 0 0
regexp 47 47 104858 209715 0
syslog buffer 794624 794624 418816 431104 0
syslog rate 0 31 10000 20000 0
There is a parameter map configured with rebalance persistent for cookie insertion in the context.
Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
Roman
Default inactivity timeouts used by ACE are
icmp 2sec
tcp 3600sec
udp 120sec
With your config you will change inactivity for every protocol to 7500sec. If you want to change TCP timeout to 7500sec and keep the other inactivity timeouts as they are now, use the following
parameter-map type connection GLOBAL-TCP
  set timeout inactivity 600
parameter-map type connection GLOBAL-UDP
  set timeout inactivity 120
parameter-map type connection GLOBAL-ICMP
  set timeout inactivity 2
class-map match-all ALL-TCP
  match port tcp any
class-map match-all ALL-UDP
  match port udp any
class-map match-all ALL-ICMP
  match port tcp any
policy-map multi-match TIMEOUTS
  class ALL-TCP
    connection advanced GLOBAL-TCP
  class ALL-UDP
    connection advanced GLOBAL-UDP
  class ALL-ICMP
    connection advanced GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
Syed Iftekhar Ahmed -
Naming Networks in EEM route table monitor
I have the following EEM applet running on one of my core devices to monitor any changes in the routing table.
event manager applet route-table-monitor
event routing network 0.0.0.0/0 ge 1
action 0.5 set msg "Route changed: Type: $_routing_type, Network: $_routing_network, Mask/Prefix: $_routing_mask, Protocol: $_routing_protocol, GW: $_routing_lastgateway, Intf: $_routing_lastinterface"
action 1.0 syslog msg "$msg"
action 2.0 cli command "enable"
action 3.0 info type routername
action 4.0 mail server "*.*.*.*" to "roger@*********" from "Core1" subject "Routing Table Change" body "$msg $_cli_result"
action 8.0 set msg "Route changed: Type: "
This works brilliantly however the email I get lists the networks by IP and I am trying to get it to identify them by name
Email Output
Route changed: Type: modify, Network: 10.8.4.0, Mask/Prefix: 255.255.255.0, Protocol: BGP, GW: 10.1.1.1, Intf: N/A
The script is running on a 3750
I tried putting ip host info on the switch but that did not work.
I am not sure if there is an extra line I can add to the script or if anyone else has done this?
Thanks
Roger
I don't understand the request. Where would the network "name" come from? Networks are unnamed on IOS.
-
Possible to Route Traffic Based on AVC?
Is it possible to route traffic, based on the Application Visibility Control functions that specific Cisco routers are capable of? Here's my issue: I have two ISPs. One is at about 120% utilization. The other isn't doing anything. I can specify ip routes based on IP addresses. For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic. The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook. Is there a way to route traffic based on application? I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application. I was wondering if the same was possible with AVC. Thanks for any help.
Hello.
Yes, it's possible and, actually, you have 2 ways.
1. use manual load-balance between links.
2. use PfR to load-balance traffic automatically.
PS: you also will need NAT with route-map. -
Hi,
I've been using Android phones with Google Maps for several years and recently switched to WP8.1 with Here Drive+ for navigation. I'm in the USA, New York City metro area, and find the route selection based on traffic not good. From what I see on the map, the actual traffic (yellow/red lines) does seem to be accurate as far as I can tell, but the routing seems to ignore it. I find I can't rely on it to give me the best route to get to my destination based on current traffic conditions. I also find the ETA to be incorrect by 15-30 minutes where Google Maps was much closer to actual time.
As an example, yesterday, I had two route choices, one was more miles with no traffic and a second was less miles with heavy traffic. There are smart signs on the road showing the drive time to the George Washington Bridge from a point. One route was a 15 minute drive the other was a 54 minute drive. Radio news traffic confirmed what the signs said.
I could see on Drive+ that the green, yellow, red lines seemed to match the conditions on the road sign and where I could see traffic flow. Drive+ selected the heavy traffic route, I selected the light traffic route. Drive+ kept trying to re-route me on the heavy traffic road via u-turns and connecting roads. It showed my time to my destination as 4:11PM. As I continued on my route, it finally showed me on this route and changed the ETA to 3:50PM. It should have routed me using a shorter drive time from the start.
The app needs to better handle traffic conditions for route selection as this seems to be typical.
Thanks. The thread you linked was based on a re-route for a current trip. For me, even the initial route selected had a longer ETA. It should have based the initial trip on traffic.
I think what might be happening is it selects the trip based on distance, then adds traffic rather than using traffic to compute the route.
Re-routing a current trip is something that Google only recently added as well. -
13017 Received TACACS+ packet from unknown Network Device or AAA Client
I am adding new routers to our Corporate network for a new MPLS network. I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client errors for these new routers. They are added to ACS 5.4.0.30 correctly just like all of our other devices. We have never had real routers on the network before, just switches and access points. Is there something special I need to set in ACS for these to work and authenticate correctly? I can only access them currently with the built-in login locally.
One of the new router configs
Current configuration : 2370 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname T666
boot-start-marker
boot-end-marker
enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
voice-card 0
crypto pki trustpoint TP-self-signed-2699490457
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2699490457
revocation-check none
rsakeypair TP-self-signed-2699490457
username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
interface FastEthernet0/0
ip address 10.114.2.1 255.255.255.0
ip helper-address 10.30.101.4
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1/0
ip address X.X.X.X 255.255.255.252
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl ansi
no cdp enable
router bgp 65065
no synchronization
bgp log-neighbor-changes
network 10.114.2.0 mask 255.255.255.0
neighbor X.X.X.X remote-as 209
neighbor X.X.X.X default-originate
default-information originate
no auto-summary
ip forward-protocol nd
ip bgp-community new-format
ip http server
ip http authentication aaa
ip http secure-server
ip tacacs source-interface FastEthernet0/0
no logging trap
tacacs-server host 10.30.101.221 key 7 1429005B5C502225
tacacs-server host 10.30.101.222 key 7 1429005B5C502225
tacacs-server directed-request
control-plane
banner exec ^CC
C
Login OK
^C
banner motd ^CC
C
** UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED. USE OF
** THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
** RUAN Transport Corporation
** Network Services
** [email protected]
** 515.245.2512
^C
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
transport input all
line vty 5 15
exec-timeout 30 0
scheduler allocate 20000 1000
end
T666#
AAA Protocol > TACACS+ Authentication Details
Date: September 19, 2014
Generated on September 19, 2014 10:21:27 AM CDT
Authentication Details
Status: Failed
Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client
Logged At: Sep 19, 2014 10:21 AM
ACS Time: Sep 19, 2014 10:21 AM
ACS Instance: acs01
Authentication Method:
Authentication Type:
Privilege Level:
User
Username:
Remote Address:
Network Device
Network Device:
Network Device IP Address: 10.114.2.1
Network Device Groups:
Access Policy
Access Service:
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule :
Identity Policy Matched Rule:
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
Other
ACS Session ID:
Service:
AV Pairs:
Response Time:
Other Attributes: ACSVersion=acs-5.3.0.40-B.839, ConfigVersionId=359, Device Port=59840, Protocol=Tacacs
Authentication Result
Steps: Received TACACS+ packet from unknown Network Device or AAA Client
Additional Details
-
Macs show up as "unknown" on my router's DHCP Client Table
Both of my Macs, an Intel Mac Mini running Snow Leopard and a G4 iMac running Tiger show up as "unknown" in my router's DHCP client table.
All of my Windows PCs all show up with their computer names.
Is there a way to get my Macs' computer names to show up in the DHCP client table? The router is a Linksys RTP300.
Open Network System Preferences, click on the service you are using to connect to the network (airport, ethernet, etc), click on Advanced and go to the TCP/IP tab. There is a field for DHCP client ID. This may pass a name to the router and it may use it. I don't know.
Another option is the WINS tab. You can set the Netbios name (other than the default) and workgroup (and any WINS servers, if you know their addresses). -
What is the correlation of Logger Private network to Router Private Network.
What is the correlation of Logger Private network to Router Private Network.
You have to define them in Websetup for the Router and Logger but what is communicating on the Private network path between the Logger and Router? I thought that was over the Public network. Is it only Recovery from the Loggers talking over the Private network?
Hi,
you can read about the types of messages exchanged over various links in the SRND.
G. -
Connecting to an unknown network when a password is required.
I struggle to connect to an unknown network when a password is required. In settings, there's a tick as if it's connected but it isn't. What am I doing wrong?
- Googling shows that you have to join the network and then open Safari and agree to the terms and conditions and then the connect will be completed.
- Try:
Reset networks settings: Settings>General>Reset>Reset Network Settings
- Go to Settings>Safari and clear history, cookies and data -
I just updated iTunes and started to update my phone to iOS 5 when wireless connection was lost on my laptop, I can't get it back and it says there are no networks available. Router is working fine, am using it on my iPhone now. Help!
Reboot your router. You by chance don't have a Netgear N300 WNR2000 router, do you? I had one of those and would lose wifi on it constantly. Switched to a Cisco wifi router and it works much better.
-
When getting online Macbook defaults to an unknown network.
Lately, when I get online, my connection defaults to an unknown network. This happens only on the Macbook, other devices are OK. Is there any way to lock the computer into just my own network? Could not find anything in preferences.
Please try the following on your MacBook:
1a. Delete Preferred Network(s)
System Preferences > Network > AirPort > Advanced > AirPort tab
Under "Preferred Networks," delete the network(s) you regularly use from the list.
1b. Delete AirPort Keychain Entries
Launch the "Keychain Access" application located in Applications/Utilities.
Click on the "Kind" filter at the top, and look for any "AirPort network password" entries...and delete them.
1c. Add Preferred Network(s)
System Preferences > Network > AirPort > Advanced > AirPort tab
Add the preferred network(s) using the "+" button.
Restart or log out then back in.