Network traffic overload

Stoly

I suspect a PC is infected with a virus that overloads the network.

How do I detect network traffic so I can pinpoint which PC has the problem? There are about 20 PCs/laptops on the network.
 
You could install Wireshark, which is a packet sniffer. Let it sniff for a while on another PC and then you can run a report to see what IP had the most traffic.

May also need to install it at the gateway. Depends what part is being overloaded.
 
If you have a managed router or the like, you can run a NetFlow analysis like ip flow top-talkers that can sort traffic by IP and traffic volume.
 
Also remember that Wireshark will bog the network down while it's sniffing. So make sure to notify the users that they will see their network connections go down for a period of time if/when you go this route.
 
That is only if it is installed inline. If you sniff a monitor port (as is done in the real world), performance is completely unaffected as no traffic is flowing through the sniffer - you are only monitoring a port that is duplicating the traffic of the other port.

However, this is what NetFlow was designed to do, so that's the route I'd go.
 
A port span or port monitor is the way to go with Wireshark / tshark. Just be careful about oversubscribing the monitoring interface.
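Added example, not part of the thread: a minimal top-talkers report of the kind the replies describe, computed from a capture taken on a monitor port. It assumes the capture was saved in classic pcap format with Ethernet framing (pcapng, Wireshark's default, is not handled); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def build_pcap(packets):
    """Constructed sample data: classic pcap bytes from (src, dst, payload_len) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, payload_len in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def top_talkers(pcap_bytes, n=5):
    """Return [(source_ip, bytes_on_wire), ...] for the n busiest IPv4 senders."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    totals = Counter()
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack_from(endian + "II", pcap_bytes, offset + 8)
        frame = pcap_bytes[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        # Skip non-IPv4 frames (ARP, IPv6, VLAN-tagged) and truncated ones.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ".".join(str(b) for b in frame[26:30])
        totals[src] += orig_len  # original length, even if the capture was snapped
    return totals.most_common(n)

# Constructed capture: one host sending far more than the others.
SAMPLE = build_pcap([("192.168.1.23", "203.0.113.9", 1400)] * 50
                    + [("192.168.1.10", "198.51.100.7", 200)] * 5
                    + [("192.168.1.11", "198.51.100.7", 100)] * 3)

if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE):
        print(f"{ip:15} {nbytes:>8} bytes")
```

Ranking by source address shows which host is sending the most, which is the figure that matters when one machine is suspected of flooding the network.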
 