Real time high usage

AndyWettersten
Here to help

So I had an interesting situation today and was wondering what more could be done.

I have an MX 100 and a 200/200 fiber connection coming in.

I noticed our Internet lagging, so I started a continuous ping to 8.8.8.8 and was getting maybe 30% loss. I checked the dashboard and there was a spike in the "Live data" section of the appliance. I ran a speed test and my downloads were testing around 10-15MB but my uploads were still 180-190. It lasted maybe 15 minutes and then subsided and all went back to normal.

What I'm wondering is this - how can you detect a client with high usage in real time? I can check the client list, filter by usage, and set it to the last two hours, but this isn't helpful with a real-time problem. Furthermore, we have a lot of devices on the network that view security cameras, so total usage for many clients is always excessively high, thus making identifying new additions somewhat problematic.

Thoughts?

BrandonS
Kind of a big deal

Re: Real time high usage

To get closer to real time or live analysis, I think you will need to employ NetFlow and/or send network flows to a syslog server for further analysis with another tool. I have not done it myself, but understand generally it should be possible, and maybe someone else can chime in with preferred tools for the analysis and monitoring.


PhilipDAth
Kind of a big deal

Re: Real time high usage

I do a packet capture of the Internet port for a couple of minutes.  Then load it into Wireshark.  Then go Analyse/Conversations and click on TCP.  Sort by the bytes column.

AndyWettersten
Here to help

Re: Real time high usage

Oooooh, good idea.  But won't capturing the WAN port just give you destinations of the traffic, not the client that's originating it?  Would it be better to packet capture the LAN port instead?

PhilipDAth
Kind of a big deal

Re: Real time high usage

Capturing on the LAN port works well as long as most of your traffic is going to the Internet. If you do a lot of inter-VLAN routing then it gets swamped by that traffic.
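
Added example, not part of the thread: a script that does the equivalent of the Conversations sort-by-bytes step on a LAN-side capture, totalling Internet-bound bytes per LAN client and skipping frames where both ends are on the LAN (the inter-VLAN traffic mentioned above). It assumes a classic Ethernet `.pcap` file and a LAN range of 192.168.0.0/16; the function names and all sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def top_lan_talkers(pcap, lan_net="192.168.0.0/16", n=5):
    """Bytes exchanged with the Internet per LAN client, largest first."""
    lan = ipaddress.ip_network(lan_net)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 14
        if frame[12:14] == b"\x81\x00":      # skip one 802.1Q VLAN tag
            l3 = 18
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                          # not IPv4, or truncated
        src = ipaddress.ip_address(frame[l3 + 12:l3 + 16])
        dst = ipaddress.ip_address(frame[l3 + 16:l3 + 20])
        if (src in lan) == (dst in lan):
            continue                          # inter-VLAN or unrelated traffic
        totals[str(src if src in lan else dst)] += orig_len
    return totals.most_common(n)

def _frame(src, dst, size):
    """Constructed Ethernet + IPv4 frame, zero-padded to `size` bytes."""
    ip = (b"\x45\x00" + struct.pack("!H", size - 14) + bytes(8)
          + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
    return (bytes(12) + b"\x08\x00" + ip).ljust(size, b"\0")

def sample_capture():
    """Constructed LAN-side capture: one heavy client, one light, inter-VLAN noise."""
    flows = ([("192.168.10.23", "203.0.113.9", 1500)] * 40
             + [("203.0.113.9", "192.168.10.23", 60)] * 20
             + [("198.51.100.7", "192.168.10.50", 1500)] * 10
             + [("192.168.10.50", "192.168.20.5", 1500)] * 100)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, size in flows:
        f = _frame(src, dst, size)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, nbytes in top_lan_talkers(sample_capture()):
        print(f"{ip:15} {nbytes:>8} bytes")
```

To use it on a real capture, pass the file's bytes (`open(path, "rb").read()`) and set `lan_net` to the site's own client range.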

AndyWettersten
Here to help

Re: Real time high usage

Most traffic is headed out.  If you're capturing on the WAN port, how can you identify an individual LAN client though?  All I was seeing in the packet capture was the Internet destination, but not the client that initiated the traffic.
