[Semibug] Diagnosing a saturated network.
Michael W. Lucas
mwlucas at michaelwlucas.com
Wed Jan 11 12:54:29 EST 2017
On Wed, Jan 11, 2017 at 12:07:25PM -0500, Jeremy Gransden wrote:
> I have a network of 8 pcs and several phones all connected to the
> Internet and our other locations via a single T1 line. I am just
> learning more and more about networking and was hoping for some advice
> on how to diagnose what is filling my network. I have a FreeBSD 11
> machine between the router and switch so that all traffic goes through
> it. I am able to dump the traffic and watch with tcpdump. I can watch
> the load averages with systat -if.
>
> Most of the time the single T1 is adequate, but periodically it will
> saturate and will become very slow. Typically I can pinpoint the
> slowdown to someone watching YouTube or Windows 10 downloading
> updates, but currently I walk around to each PC and look. I'd like to
> be able to see who the offender is from the comforts of my cushy
> office.
>
> How would I find out what host is using the most bandwidth at the
> FreeBSD bridge?
Grab a copy of Chris Sanders' "Practical Packet Analysis."
Yes, Wireshark.
Install a disposable VM on your desktop. Install Wireshark
there. Snapshot it, so you have a "known good" system to fall back on
in the event that you capture one of those rare but real
Wireshark-rooting packets.
Forward a tcpdump socket from the FreeBSD station to the disposable
machine.
You'll learn more than you ever wanted to know about packet flows.
--
Michael W. Lucas - mwlucas at michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
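
Added example, not part of the original post: a Python sketch that answers the "which host" question by totalling on-wire bytes per LAN address from a classic pcap capture such as one written by tcpdump -w on the bridge. The LAN prefix 192.168.1.0/24, the function names and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, ip_network

def top_talkers(pcap, lan="192.168.1.0/24"):
    """Return [(lan_host, bytes)] sorted by on-wire bytes, largest first."""
    net = ip_network(lan)  # assumed LAN prefix; adjust to the real one
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    totals = Counter()
    pos = 24  # records start after the 24-byte global header
    while pos + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        if pos + 16 + incl_len > len(pcap):
            break  # capture ends mid-record
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # Need 14 bytes of Ethernet plus 20 of IPv4; VLAN-tagged frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        for raw in (frame[26:30], frame[30:34]):  # IPv4 source, destination
            addr = IPv4Address(raw)
            if addr in net:
                # Charge the original frame length, so a short snaplen is fine.
                totals[str(addr)] += orig_len
    return totals.most_common()

def _record(src, dst, wire_len):
    """Constructed sample record: headers only, as if captured with snaplen 34."""
    pkt = (bytes(12) + b"\x08\x00" + b"\x45" + bytes(11)
           + IPv4Address(src).packed + IPv4Address(dst).packed)
    return struct.pack("<IIII", 0, 0, len(pkt), wire_len) + pkt

# Constructed capture: one host pulling a large download, one nearly idle.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 34, 1)
          + _record("203.0.113.9", "192.168.1.23", 1514) * 3
          + _record("192.168.1.23", "203.0.113.9", 66)
          + _record("192.168.1.40", "198.51.100.7", 200))

if __name__ == "__main__":
    for host, nbytes in top_talkers(SAMPLE):
        print(f"{host:15} {nbytes:>10} bytes")
```

The parser reads only link and IP headers and does no protocol dissection, so it can run on captures taken with a small snap length.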