Finding Internet bandwidth hog on your ASA

Started by Dieselboy, August 04, 2017, 02:16:17 AM


Dieselboy

A few months ago I found an old thread on Reddit using a Google search. I don't use Reddit but in the comments the discussion was about someone trying to find a bandwidth hog in their network and the others were offering advice. Someone mentioned a command I'd never seen or used before and from memory it gave total bytes transferred on the connections for the top X connections.

I thought I wrote this command down but I cannot find it.

Can't find the reddit post either. I've been looking all week.

The command may have been a variation of "show local-host..." but I've tried playing with that just now and can't get the output I remember.

Nearly all of the searches I've found have suggested using ASDM but I've already been doing that for the past 10 years and this one command appeared better.

The best I could get is to use Linux to parse the "show conn" output through this command:

|awk '{print $9, $1, $3, $5}' |sort -nr | head -10

It does the same thing but there's something simpler and I'm not able to find it :'(
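As an added example (not from the original post or from Cisco), the Python below does what the awk pipeline above does against a constructed sample of "show conn" output: it pulls the byte count from each connection line, skips the "N in use" summary lines that would confuse a field-position approach, and also totals bytes per inside host, which is usually what you want when hunting a single hog. The sample lines and the column layout they assume are constructed, not captured from a real ASA.

```python
import re
from collections import defaultdict

# Constructed sample of "show conn" output (not from a real firewall).
# Column layout assumed: proto out_if remote in_if local, idle T, bytes N, flags F
SAMPLE_SHOW_CONN = """\
5 in use, 120 most used
TCP outside 203.0.113.10:443 inside 192.168.1.20:51234, idle 0:00:05, bytes 18324511, flags UIO
TCP outside 203.0.113.25:80 inside 192.168.1.31:50112, idle 0:01:12, bytes 40211, flags UIO
UDP outside 198.51.100.5:53 inside 192.168.1.20:61002, idle 0:00:01, bytes 312, flags -
TCP outside 203.0.113.77:443 inside 192.168.1.45:49877, idle 0:00:00, bytes 95120033, flags UIO
TCP outside 203.0.113.10:443 inside 192.168.1.20:51235, idle 0:00:03, bytes 2201555, flags UIO
"""

# Anchored on the "bytes N" keyword rather than on field 9, so extra or
# missing fields in a line do not silently sort the wrong column.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<out_if>\S+)\s+(?P<remote>\S+)\s+(?P<in_if>\S+)\s+(?P<local>\S+),"
    r".*?\bbytes\s+(?P<bytes>\d+)"
)


def parse_conns(text):
    """Return one dict per connection line; header/summary lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # "5 in use, 120 most used", blank lines, etc.
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        conns.append(d)
    return conns


def top_connections(text, n=10):
    """Equivalent of the awk | sort -nr | head pipeline: biggest flows first."""
    return sorted(parse_conns(text), key=lambda c: c["bytes"], reverse=True)[:n]


def top_hosts(text, n=10):
    """Sum bytes per inside host: one host with many medium flows can be the hog."""
    totals = defaultdict(int)
    for c in parse_conns(text):
        host = c["local"].rsplit(":", 1)[0]  # strip the port
        totals[host] += c["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for host, nbytes in top_hosts(SAMPLE_SHOW_CONN):
        print(f"{nbytes:>12}  {host}")
```

Feed it real output with something like `ssh asa 'show conn' | python3 topconn.py` (reading stdin instead of the sample); remember that "show conn" counts bytes since the connection was built, not a rate, so a long-lived backup job will always look large.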

dlots

I don't know if it works for ASAs but generally top talkers (if your device is setup for netflow) will give you that info.

DanC

It's not this is it? sh threat-detection statistics top


Also, this is quite a handy tool:

https://www.tunnelsup.com/cisco-asa-show-connections-analyzer/


deanwebb

I'd fire up the netflow and check out the top talkers that it reveals.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

I don't have anything netflow yet. Can you recommend any product or tool to manage that?

wintermute000

Nfsen is free on Linux, but has a brutal 90s GUI.

deanwebb

Quote from: Dieselboy on August 04, 2017, 11:35:40 PM
I don't have anything netflow yet. Can you recommend any product or tool to manage that?

If you have a budget, Plixer. I have admired that tool for some time, now.

wintermute000

That's free for up to X sources and Y duration. Probably enough lol
IIRC nagios have a flow analyser as well which wasn't bad for the price 1k
You probably don't want to know the price for solar winds or statseeker

Dieselboy

Thanks guys.
I'm in talks with Cisco about their new Lancope Stealthwatch. I'm also speaking with them about DNA. I'm interested in a scenario they explained where a user normally downloads spreadsheets from the accounting server which is normal. Then the same user starts uploading content to some internet server and because this is outside of the norm, the traffic is blocked and alerts are sent. I'm real keen to look into that some more to get insights like that. The only blocker on this is that it takes 6 months to do anything here in Australia :)

I'll check out those other products in the meantime :) thanks very much

wintermute000

yeah that kind of metadata analysis stuff is amazing, but have seen little proof yet. Also you won't know exactly how well it copes with various scenarios until you see it for real. How do you even quantify its performance?

Dieselboy

A handful of test scenarios, then put it in production  :mrgreen:  :squint:

How you define the base lines I've no idea! But they say it can be done so I'm keen for them to show me.

deanwebb

Baseline data means watching what happens between now and the next six months from now and assuming that that's normal.

However, one can also apply statistical analysis on different users to determine if they have any major outliers of activity. IE, compared to everyone else in the same department, User X seems to have some very unusual access times and upload behavior. One could then retroactively determine that User X needs some more investigation. There could be a good reason for that stuff, or it could be evil. The anomaly in and of itself is not sufficient evidence of evil on the user's part. Maybe there is malware on the PC that is leveraging User X' credentials? Investigate.

I just read J.P. Anderson's 1980 paper on tracking user access, in fact. Quite an interesting read and the math in it is not too hard, if you remember series notation. http://seclab.cs.ucdavis.edu/projects/history/papers/ande80.pdf
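As an added example (not from the post above or from any vendor product), here is the per-department outlier comparison deanwebb describes, done with a robust score so that the hog itself does not inflate the baseline it is measured against. The user records and byte counts are constructed; in practice they would come from NetFlow/IPFIX or from aggregating the ASA conn table per inside host, and a flag is a reason to investigate, not evidence by itself.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: bytes uploaded to external hosts per user over one week.
# Hypothetical users and numbers, not real data.
UPLOADS = [
    ("alice", "accounting",   5_000_000),
    ("bob",   "accounting",   6_000_000),
    ("carol", "accounting",   4_000_000),
    ("dave",  "accounting",   5_500_000),
    ("eve",   "accounting", 900_000_000),
    ("frank", "ops",         50_000_000),
    ("grace", "ops",         52_000_000),
]


def modified_zscores(values):
    """Iglewicz-Hoaglin modified z-score (median / MAD based).
    Mean and standard deviation would be dragged upward by the very
    outlier we are looking for; median and MAD are not."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]  # no spread in the peer group, nothing stands out
    return [0.6745 * (v - med) / mad for v in values]


def department_outliers(records, threshold=3.5, min_peers=3):
    """Return {user: score} for users whose upload volume is unusual
    compared with peers in the same department."""
    by_dept = defaultdict(list)
    for user, dept, nbytes in records:
        by_dept[dept].append((user, nbytes))
    flagged = {}
    for members in by_dept.values():
        if len(members) < min_peers:
            continue  # too few peers to define "normal" for this department
        scores = modified_zscores([b for _, b in members])
        for (user, _), score in zip(members, scores):
            if score > threshold:
                flagged[user] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print(department_outliers(UPLOADS))
```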