I'm running an MX64 with several MR33 access points. I'm watching a particular client that has high data usage ... but when I drill down to the client usage details, the destination ip address is the same as the client. I'm looking at the screen below ... the client IP is 10.5.39.99. Normally this user's data is around 2 to 300MB a day ... but I'm showing a large amount of data transferred during the evening. However, the data is being sent to himself. I tried searching for more information on the client usage detail but could not find anything that addressed this scenario. Any input would be greatly appreciated.
That to me indicates that traffic is being sent to 10.5.39.99. It may be because there are a large number of source IP addresses it has been aggregated down to a single line. You can see their is over 8 million flows.
This is typical of peer to peer file sharing. Also it is using a single port, tcp/5357, 8 million flows all using a single port.
Also under "Network Wide/General" have you got "Traffic analysis" set to "Detailed"?
Thanks for the input Philip. And yes, I have traffic analysis set to detailed. When I noticed this users data usage I switched the traffic to detailed in hopes of getting more information on the activity. I believe you're right about it being peer-to-peer traffic, I was wanting to get more definitive evidence.
You said "That to me indicates that traffic is being sent to 10.5.39.99". Okay ... I think I understand now ... I was expecting to see the ip address that was originating the traffic but like you said, there are a lot of flows (I may have to read up on the exact definition of a flow). I guess I'll have to use wireshark during the actual activity to see what's going on. fun.
If you look carefully, you can see the first column says "Destination". Since its the host itself, it means traffic coming to the device via that port. Flow means a group of packets with similar source IP and destination IP and port number. In this case, you have about 8 million unique flows. Very few applications reach that high and for client computer, that means some form of P2P application. Its entirely possible the client is using P2P Windows update but unlikely.
You can use packet capture when the client device is online to see what his traffic is doing. Just simply filter it to his MAC address or IP address.