So I had an interesting situation today and was wondering what more could be done.
I have an MX 100 and a 200/200 fiber connection coming in.
I noticed our Internet lagging, so I started a continuous ping to 188.8.131.52 and was getting maybe 30% loss. I checked the dashboard and there was a spike in the "Live data" section of the appliance. I ran a speed test and my downloads were testing around 10-15MB but my uploads were still 180-190. It lasted maybe 15 minutes and then subsided and all went back to normal.
What I'm wondering is this - how can you detect a client with high usage in real time? I can check the client list, filter by usage, and set it to the last two hours, but this isn't helpful with a real-time problem. Furthermore, we have a lot of devices on the network that view security cameras, so total usage for many clients is always excessively high, thus making identifying new additions somewhat problematic.
To get closer to real time or live analysis I think you will need to employ netflow and/or send network flows to a syslog server for further analysis with another tool. I have not done it myself, but understand generally it should be possible and maybe someone else can chime in with preferred tools for the analysis and monitoring.
Most traffic is headed out. If you're capturing on the WAN port, how can you identify an individual LAN client though? All I was seeing in the packet capture was the Internet destination, but not the client that initiated the traffic.
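As an added illustration of the flow-analysis approach suggested above (this is example code written for this thread, not something from Meraki or from any poster), here is a small Python detector that takes already-decoded flow records and flags a LAN client whose rate in the current one-minute window is both high in absolute terms and well above that client's own recent baseline. The baseline comparison addresses the camera-viewer problem: a client that always pulls 50 Mbit/s never trips the alarm, while a normally quiet workstation that suddenly bursts does. It also speaks to the last question: a capture on the WAN side of the NAT shows only the translated address, whereas flow records taken from the LAN side keep the originating client's IP, which is exactly the field the script keys on. The record format (timestamp, client IP, remote IP, bytes) and all sample data are constructed assumptions, not a real collector's output.

```python
"""Per-client bandwidth spike detection over flow records (added example).

Assumes flow records have already been collected and decoded (for example by a
NetFlow collector) into tuples (timestamp_seconds, client_ip, remote_ip, bytes),
with the LAN client's address in the second field. All sample records below
are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60             # size of the live measurement window
BASELINE_WINDOWS = 5            # prior windows forming each client's own baseline
ABS_THRESHOLD_BPS = 20_000_000  # ignore anything below 20 Mbit/s...
RATIO_THRESHOLD = 3.0           # ...and anything below 3x the client's usual rate


class ClientRateTracker:
    """Aggregates bytes per client into fixed windows and flags spikes relative
    to that client's own recent history, so clients that are always busy
    (e.g. camera viewers) do not alert on every window."""

    def __init__(self, window=WINDOW_SECONDS, baseline_windows=BASELINE_WINDOWS,
                 abs_threshold=ABS_THRESHOLD_BPS, ratio=RATIO_THRESHOLD):
        self.window = window
        self.abs_threshold = abs_threshold
        self.ratio = ratio
        self.current = defaultdict(int)  # client -> bytes seen in the open window
        self.history = defaultdict(lambda: deque(maxlen=baseline_windows))
        self.window_start = None
        self.windows_closed = 0
        self.alerts = []

    def add_flow(self, ts, client, nbytes):
        if self.window_start is None:
            self.window_start = ts - (ts % self.window)
        # Close every window the new timestamp has moved past.
        while ts >= self.window_start + self.window:
            self._close_window()
        self.current[client] += nbytes

    def flush(self):
        """Close the window that is still open (call once input is exhausted)."""
        if self.window_start is not None:
            self._close_window()

    def _close_window(self):
        for client, nbytes in self.current.items():
            bps = nbytes * 8 / self.window
            hist = self.history[client]
            baseline = sum(hist) / len(hist) if hist else 0.0
            # The very first window is learning only. After that, a client with
            # no history is a new addition and alerts on the absolute floor alone.
            if (self.windows_closed > 0 and bps >= self.abs_threshold
                    and (not hist or bps >= self.ratio * baseline)):
                self.alerts.append({"window_start": self.window_start,
                                    "client": client,
                                    "bps": bps,
                                    "baseline_bps": baseline})
            hist.append(bps)
        # Clients silent this window decay toward a zero baseline.
        for client, hist in self.history.items():
            if client not in self.current:
                hist.append(0.0)
        self.current.clear()
        self.window_start += self.window
        self.windows_closed += 1


def detect(flows, **kwargs):
    """Run the tracker over (ts, client, remote, bytes) records; return alerts."""
    tracker = ClientRateTracker(**kwargs)
    for ts, client, _remote, nbytes in sorted(flows):
        tracker.add_flow(ts, client, nbytes)
    tracker.flush()
    return tracker.alerts


def generate_sample_flows():
    """Constructed sample: seven one-minute windows of traffic."""
    flows = []
    for w in range(7):
        t = w * WINDOW_SECONDS
        # Camera viewer: steady 50 Mbit/s every window (375 MB / 60 s).
        flows.append((t + 5, "10.0.0.20", "10.0.0.250", 200_000_000))
        flows.append((t + 35, "10.0.0.20", "10.0.0.251", 175_000_000))
        # Workstation: ~1 Mbit/s, except a 150 Mbit/s burst in window 5.
        nbytes = 1_125_000_000 if w == 5 else 7_500_000
        flows.append((t + 20, "10.0.0.31", "203.0.113.9", nbytes))
        # A never-seen host appears in window 3 at 40 Mbit/s.
        if w == 3:
            flows.append((t + 10, "10.0.0.77", "198.51.100.4", 300_000_000))
    return flows


if __name__ == "__main__":
    for a in detect(generate_sample_flows()):
        print(f"t={a['window_start']:>4}s {a['client']:<12} "
              f"{a['bps'] / 1e6:7.1f} Mbit/s (baseline {a['baseline_bps'] / 1e6:.1f})")
```

With the constructed data the camera viewer is never reported, the new host 10.0.0.77 is reported once in the window where it first appears, and 10.0.0.31 is reported only for its burst window. To run this against real traffic you would feed it the decoded flow records from your collector instead of `generate_sample_flows()`, and tune the window size and thresholds to your link.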