Hi guys,

I'm using a cisco ASA 5505 as my company firewall and I'd like to find out the IP address of the computer(s) using up the most upload bandwidth at any given time. How can I do this? I tried magic spells but they didn't work.

Thanks for reading this! I hope it's not too stupid a question.

Its not a dumb question at all. The ASDM can show you this, but its rather basic (on the main ASDM page, click on the 'Firewall Dashboard', and you should see a 'Top Usage Status' box on the right, but you may have to enable some options to get it to start showing data; keep in mind that enabling this feature uses a LOT of RAM on the ASA, so make sure you aren't running low before you start)

_________________
"A problem well stated is a problem half solved". (Charles Kettering)

Thanks for the prompt answer.

I already know about the dashboard and the pie chart but the information is not detailed enough (as in amount of kbps per IP) or, most importantly, timely enough (only last hour average) and it includes IPs outside our network as well. I've included a screencap so you can see what I mean. Our network is all 192.168 obviously yet I find a lot of external IPs on there.

I want something close to real time, last minute would be fine for example.

I can't speak to the ASA.

You could use ntop or something similar to capture the traffic off a mirrored port on the switch. It could also collect netflow data if you don't want to mirror a port, but you'll need a netflow capable device (I don't know if the ASA does this).

On a router, you could enable nbar protocol-discovery, and then show the top-talkers. Again, I don't know if the ASA has this.

You could use cacti or a similar tool to monitor switchport usage, find out which switchport has the utilization, and then trace it down from there.

ASAs do NetFlow. Kiwi makes a free collector, I believe.

_________________
http://blog.alwaysthenetwork.com