How to find bandwidth hogs on your network

What is a bandwidth hog

A bandwidth hog is a user, device or application which is using an excessive amount of bandwidth on a network when compared to similar sources. Many times these bandwidth hogs come about because of accidental or unforeseen changes. An example of this that I saw on a customer network was the upgrade of an IP based CCTV system. New cameras were installed which streamed large volumes of HD content across WAN links and overloaded them.

How can you gain visibility as to what is happening on your network

When it comes to finding out what is happening on a network, most network and security administrators choose from these data sources.

  • SNMP stats
  • Flow type data such as NetFlow and IPFIX
  • Metadata extracted from network packets

SNMP data which can be captured by polling network equipment such as routers for port utilization statistics. Ideal if you just want to know that a port on a router is busy. This can then be fed into a network monitoring tool and used to produce visualizations such as a network map showing where segments are busy. However, SNMP based tools will noy give much information as to what is using up the network bandwidth.

Flow based monitoring tools use data from layer 3 type devices such as a network routers. There are many formats such as NetFlow which can be sourced from Cisco devices. Flow data contains fields such as source/destination IP addresses, port numbers and amount of data transferred. The image below shows some of the common fields from a flow type analysis application.

network-flow

This information can then be used to group the data based on source IP address and amount of data sent and received. The result would be the most active systems on a network sending and receiving data. This may be enough in some cases to identify bandwidth hogs on a network.

Metadata from network packets can take this further. For network and security administrators who really want to understand the root cause of bandwidth use, more information is required. For example, flow data may reveal that a bandwidth hog on a network is exporting data to an external IP address over TCP port 443. That may not be enough information to really understand what happened.

Using deep packet inspection (DPI) techniques with network data, we can extract further metadata such as the DNS requests associated with the transfer or the org ID from the SSL negotiation. The image below shows the output of our Insight Network Sensor which includes a network traffic analysis engine. Extra data fields such as app_protocol may be crucial for understanding why you have bandwidth hogs on your network.

app-aware-flow

Finding a bandwidth hog

Once you have a data source in place, you will then need to filter and calculate the bandwidth used on a per asset, IP or username. In my examples I am going to use log search to identify various bandwidth hogs:

  • Top bandwidth hogs across all networks
  • Top systems associated with Internet bandwidth usage
  • Top systems consuming bandwidth on a WAN connection
Top bandwidth hogs across all networks

Use this query if you have one or more Insight Network Sensors deployed and you want to find the biggest consumers of bandwidth across all networks. You can also group by source_user or source_asset.

Log set: Network Flows

Query: groupby(source_address, app_protocol_description) calculate(sum:total_bytes)

Top systems associated with Internet bandwidth usage

Use this query if you have one or more Insight Network Sensors deployed and you want to find out who is using up all of your Internet bandwidth.

Log set: Network Flows

Query: where(direction=‘INBOUND’ OR direction=‘OUTBOUND’) groupby(source_address, app_protocol_description) calculate(sum:total_bytes)

Top systems consuming bandwidth on a WAN connection

Use this query if you have one or more Insight Network Sensors deployed and you want to find out who is using up bandwidth on a WAN connection. In my example the remote site uses the IP range 10.0.1.0/24.

Log set: Network Flows

Query: where(source_address = IP(10.0.1.0/24) OR destination_address = IP(10.0.1.0/24)) groupby(source_address, app_protocol_description) calculate(sum:total_bytes)

2 Likes