Clients with high usage

Vipul
Here to help

Hi Guys, 

 

One of our users utilizes high network resources even when not using the network. Could you assist me in determining the cause? I checked their computer but found no network activity.

 

 

 

alemabrahao
Kind of a big deal

It would be interesting to scan this machine to validate that there is no malicious file.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Vipul
Here to help

Thank you for your reply, @alemabrahao. I did scan the device, but nothing was found. Is there any possibility I can track/trace deep inspection on the firewall?

alemabrahao
Kind of a big deal

Do you have the IPS enabled?

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

Vipul
Here to help

Yes

alemabrahao
Kind of a big deal

Were you able to find any suspicious activity in the logs?

Vipul
Here to help

Do you mean the Change Logs menu?

alemabrahao
Kind of a big deal

Nope, Security & SD-WAN > Monitor > Security Center

Vipul
Here to help

No MX events. Nothing there. 

alemabrahao
Kind of a big deal

Try to perform a packet capture using the client's IP or MAC as the source.

 

 

alemabrahao_0-1692910923300.png

 

Vipul
Here to help

Vipul_0-1692911498705.png

 

BlakeRichardson
Kind of a big deal

Do you have Meraki switches and are you able to run a packet capture on the port the device is connected to?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Vipul
Here to help

I don't have Meraki Switches.

PhilipDAth
Kind of a big deal

Assuming you have an MX, if you go into the client and click "Show Details" under the pie chart - what does it show them accessing?

 

PhilipDAth_0-1692910875191.png

 

Vipul
Here to help

Vipul_1-1692911594720.png

 

PhilipDAth
Kind of a big deal

Looks like plain old Windows file sharing. Or are you talking about Internet traffic as opposed to internal traffic?

Vipul
Here to help

That is our on-premises file server, and the user is connected to the same network, but on a different VLAN.

Brash
Kind of a big deal

From the above output, the clear majority of network traffic from that client is SMB file sharing.

If that's an unexpected usage amount, you'll have to get a clearer idea of what they're pulling down from the file server and why.
To prevent it, you could look at applying group policies and setting bandwidth limits via a traffic shaping policy.
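
Added example, not part of any post in this thread: one way to see what a client is exchanging with the file server is to total the bytes per remote host and port in a packet capture filtered on that client. The sketch assumes the capture was saved as a classic Ethernet `.pcap` file; the function name `top_flows` and every address in the sample are made up for illustration.

```python
import struct
from collections import Counter

def top_flows(pcap: bytes, client_ip: str):
    """Sum IPv4 bytes per (remote IP, proto, remote port) for one client."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        etype, l3 = frame[12:14], 14
        if etype == b"\x81\x00":                  # skip one 802.1Q VLAN tag
            etype, l3 = frame[16:18], 18
        if etype != b"\x08\x00" or len(frame) < l3 + 20:
            continue                              # not IPv4, or truncated
        ihl, proto = (frame[l3] & 0x0F) * 4, frame[l3 + 9]
        ip_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
        src = ".".join(map(str, frame[l3 + 12:l3 + 16]))
        dst = ".".join(map(str, frame[l3 + 16:l3 + 20]))
        known = proto in (6, 17) and client_ip in (src, dst)
        if not known or len(frame) < l3 + ihl + 4:
            continue                              # other host, or no ports
        sport, dport = struct.unpack("!HH", frame[l3 + ihl:l3 + ihl + 4])
        remote, rport = (dst, dport) if src == client_ip else (src, sport)
        totals[(remote, "tcp" if proto == 6 else "udp", rport)] += ip_len
    return totals.most_common()

def _pkt(src, dst, proto, sport, dport, size):
    """Constructed test frame: Ethernet + IPv4 + ports, `size` bytes of IP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
    frame += bytes(size - 24)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture; all addresses are made up for the example.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _pkt("10.0.20.15", "10.0.10.5", 6, 50123, 445, 1400)
          + _pkt("10.0.10.5", "10.0.20.15", 6, 445, 50123, 1500)
          + _pkt("10.0.20.15", "8.8.8.8", 17, 53000, 53, 60)
          + _pkt("10.0.30.9", "10.0.10.5", 6, 40000, 445, 900))
```

A first row on TCP port 445 towards the file server confirms the SMB reading; the capture itself then shows when the transfers happen, which helps tie them to a backup, sync or indexing job on the client.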

Vipul
Here to help

@Brash Let me try this. 
