Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Client Destination Stats

Donnie-C
Here to help
‎Dec 23 2019 1:27 PM
‎Dec 23 2019 1:27 PM

Client Destination Stats

This subject has probably has been discussed before but I've been unable to find a thread. In short, my clients are showing a destination of "Xfinity TV" and I'm trying to figure out why. I actually use an MX64 at home and recently stumbled across this ... I don't have any oddness like this at work. Why does Xfinity TV show up as a destination.

 

Basically I have a couple of computers in the house that eat up all the bandwidth ... and naturally Comcast has a datacap of 1TB per month for the household. So I installed an MX64 to find out where the data was going. Interestingly, the Meraki is classifying the majority of the data (189GB in this case) as Xfinity TV. I was expecting EA or Origin or Steam or some other gaming platform. I know the users do not watch TV on these computers ... not sure why I can't get more detail out of the destination. Any thoughts?

 

2019-12-23_15-03-12.jpg

0 Kudos
Subscribe
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 23 2019 2:05 PM
‎Dec 23 2019 2:05 PM

If you go Network-Wide/Clients, sort by data usage - that will tell you what machines are generating the traffic.

 

Then go and inspect those machines.

Subscribe
In response to PhilipDAth
Donnie-C
Here to help
‎Dec 24 2019 5:38 AM
‎Dec 24 2019 5:38 AM

Thanks for the input Philip. The screen shot I provided is in fact from one of the machines that are "generating the traffic". Meraki does a pretty good job of making it easy to find the "data hogs". However, when I "go and inspect those machines" ... Meraki is classifying the bulk of data as Xfinity TV ... and there's no protocol listed.

 

So I can see that this computer in particular is using a lot of data. I can also see that 92GB of the data is from origin-a.akamaihd.net (probably gaming) ... and another 42GB is from YouTube. But the top spot is Xfinity TV at a whopping 151GB. Again, I know he's not streaming TV programs to the computer ... I just can't figure out why Meraki is showing the destination as Xfinity TV with no protocol listed and no port number.

0 Kudos
Subscribe
In response to Donnie-C
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 25 2019 11:50 AM
‎Dec 25 2019 11:50 AM

It appears to be a web based service, so probably uses tcp/443.

https://www.xfinity.com/stream/

 

So I'm guessing there wont be any installed software - just someone using a web browser to watch it.

0 Kudos
Subscribe
In response to PhilipDAth
Donnie-C
Here to help
‎Dec 26 2019 8:15 AM
‎Dec 26 2019 8:15 AM

Well ... again ... I know for certain the computer is not actually streaming Xfinity TV ... Meraki just reports it as Xfinity TV. Our ISP is Comcast which is the same as Xfinity so it's not entirely surprising to see Xfinity show up on a Meraki report. What doesn't make sense is that 150+GB shows up. Technically, all of the data being streamed to every computer could be labeled Xfinity (or Xfinity TV) since it is going through Xfinity's network. But why would Meraki be able to single out EA (gaming) and Youtube among others, yet not be able to identify the bulk of the network traffic.

 

If I were a conspiracy theorist I'd say Comcast/Xfinity is doing something to my data (encapsulating?). So Meraki thinks my actual end communication is with Xfinity ... but it's not. Again, I know for a fact this computer is not streaming movies/tv programs from Xfinity.

 

I may have to put an agent on the computer itself (fiddler, wireshark) in an attempt to better classify data usage on the client. I don't think I've ever had this problem with Meraki devices at work ... they do a pretty good job of breaking down the datastream. It's only when I installed one at home that it failed to classify the bulk of the data.

0 Kudos
Subscribe
In response to Donnie-C
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 26 2019 11:30 AM
‎Dec 26 2019 11:30 AM

Try enabling this under Network-Wide/General.  Make sure it is set to collect destination host names.

 

1.PNG

0 Kudos
Subscribe
In response to PhilipDAth
Donnie-C
Here to help
‎Dec 26 2019 12:04 PM
‎Dec 26 2019 12:04 PM

Yep, mine looks a little different but I believe the configuration is set the way you recommended.

 

I did however notice the "custom pie chart". Maybe after I run fiddler or wireshark, I could plug in some specific hostnames/ip addresses that I "think" may be the culprit. I know this computer accesses a lot of "steam" applications and yet I don't see steam on the pie chart. I've got a hunch that this steam data is being classified as Xfinity TV ... I just don't know why.

0 Kudos
Subscribe
In response to Donnie-C
RandyD
Here to help
‎Dec 31 2019 3:53 PM
‎Dec 31 2019 3:53 PM

I think you are on the right track. The truth is on the wire. Wireshark from client or pcap from the appliance. If it is that chatty, you should be able to identify the high volume destinations. You could then also netstat -not to find the owning process. Or use the sysinternals tool TCPview to help you see more on the client side.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.