Congested Network

By mwoods269
Need some help figuring out where and if I have a bottleneck.

First of all I just started here and the network is in shambles. While in the server room I noticed the core Dlink websmart switch with vlan for dmz was flashing away like 2 blinks per second, all ports flashing at the same time except dmz vlan ports. This is why I started investigating this issue, well that and slow dmz backups.

I am new at sniffing traffic but started using Wireshark and mirrored my port to the trusted interface on the firewall and this is what I got from a 3 minute capture.

Protocol hierarchy
- TCP was 74% of traffic (data 19% and DCE RPC 21%)
- ARP was 22%

Total packets captured in 3 mins = 28107

I think something is wrong here?


All Answers


That would really depend

by jck In reply to Congested Network

Your network might just have that much traffic.

If you have external streaming blocked, that's a good start.

Second would be to look and see if people are storing media files on servers and playing them from the server drive. If so, all that data is going across your network.

Third, it might just be that there's a lot of network printing, etc., and that your network is not structured into enough segments to reduce tons of broadcast traffic.

Of course, you might just have 100s of users. In that case, it could be high-end traffic is acceptable.

Good luck


how much traffic vs how big a pipe?

by CG IT In reply to Congested Network

The numbers you posted represent what makes up the traffic in the pipe, not how much traffic is in the pipe vs. pipe size [bandwidth utilization].

Calculate your bandwidth utilization. If your total bandwidth utilization is high, then that might be the cause of network congestion. From there you can do some investigation to find out what is causing all the traffic.
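To make the distinction concrete, here is a small added script (not from the thread or any of its posters) that turns Wireshark's capture-summary figures into the two numbers that actually answer the question: average link utilization and broadcast packets per second. Only the 28107 packets in 180 s and the 22% ARP share come from the original post; the byte total, the 100 Mb/s link speed and the warning thresholds are assumptions made for the calculation.

```python
"""Estimate link utilization and broadcast load from Wireshark capture summary numbers.

Added example, not from the thread. The Protocol Hierarchy window only reports what the
traffic is made of; Statistics > Capture File Properties reports total bytes and capture
duration, which is what utilization needs. The 28107 packets / 180 s and the 22 % ARP
share are from the original post; everything else below is an assumption.
"""
from dataclasses import dataclass


@dataclass
class CaptureSummary:
    packets: int
    bytes_total: int      # total frame bytes captured (Capture File Properties)
    duration_s: float     # capture duration in seconds
    link_bps: int         # nominal link speed in bits per second (assumed 100 Mb/s below)


def utilization_percent(cap: CaptureSummary) -> float:
    """Average bits per second on the wire as a percentage of link capacity."""
    return cap.bytes_total * 8 / cap.duration_s / cap.link_bps * 100.0


def packets_per_second(cap: CaptureSummary) -> float:
    return cap.packets / cap.duration_s


def assess(cap: CaptureSummary, broadcast_share: float,
           util_warn_pct: float = 30.0, bcast_warn_pps: float = 20.0) -> dict:
    """Combine utilization and broadcast rate into a verdict.

    broadcast_share: fraction of packets that were broadcast; the ARP share from the
    protocol hierarchy is a reasonable proxy. Both thresholds are rule-of-thumb
    assumptions, not figures from the thread.
    """
    util = utilization_percent(cap)
    pps = packets_per_second(cap)
    bcast = pps * broadcast_share
    return {
        "utilization_pct": util,
        "packets_per_second": pps,
        "broadcast_pps": bcast,
        "link_saturated": util >= util_warn_pct,
        "broadcast_heavy": bcast >= bcast_warn_pps,
    }


# Constructed summary: packets and duration from the post; the byte total assumes an
# average frame of about 600 bytes (28107 * 600), which is an assumption.
SAMPLE = CaptureSummary(packets=28107, bytes_total=16_864_200,
                        duration_s=180.0, link_bps=100_000_000)

if __name__ == "__main__":
    result = assess(SAMPLE, broadcast_share=0.22)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these assumed figures the link sits well under 1% utilization, so constantly blinking port LEDs do not by themselves mean congestion; what the numbers do show is a few dozen ARP broadcasts per second hitting every port in the VLAN, which is the kind of thing worth tracking down separately.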


How many workstations/servers?

by robo_dev In reply to Congested Network

If you are sniffing outbound traffic, I would not expect to see a ton of RPC traffic. What port is this traffic on and where is it getting sent to?

My first guess would be that some of your workstations have an unpatched DCOM RPC vulnerability and have been infected with the Blaster worm or something similar.

I've seen PCs that had no apps running on them that were flooding the network with RPC.

I would go to a PC and type netstat as well as netstat -b to see if there are trojans/worms making outbound connections on those PCs.
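Reading netstat -b by eye on a few dozen PCs gets tedious, so here is an added helper (not from the thread or any poster) that parses the output and flags any process whose TCP connections fan out to many different hosts on the same remote port, which is how a worm probing port 135 (the DCOM RPC endpoint mapper) shows up on an infected machine. The sample output is constructed to follow the layout Windows netstat -b prints, a connection line followed by the owning executable in brackets, sometimes with a component name in between; the addresses and the process name suspect.exe are made up.

```python
"""Parse Windows `netstat -b` output and flag processes with suspicious connection fan-out.

Added example, not from the thread. The sample text is constructed to match the
netstat -b layout (connection line, optional component line, then the owning
executable in brackets); the addresses and process names are invented.
"""
import re
from collections import defaultdict

SAMPLE_NETSTAT_B = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49152     192.168.1.20:445       ESTABLISHED
 [explorer.exe]
  TCP    192.168.1.10:49153     203.0.113.7:443        ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49160     192.168.1.31:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49161     192.168.1.32:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49162     192.168.1.33:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49163     192.168.1.34:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49164     192.168.1.35:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49165     192.168.1.36:135       SYN_SENT
 [suspect.exe]
  TCP    192.168.1.10:49170     192.168.1.40:135       ESTABLISHED
  RpcSs
 [svchost.exe]
"""

# A connection line: proto, local endpoint, remote endpoint, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning executable, printed in square brackets on its own line.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def split_endpoint(endpoint: str):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat_b(text: str) -> list:
    """Return one dict per connection, each tagged with the process that owns it."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            rhost, rport = split_endpoint(remote)
            pending.append({"proto": proto, "local": local, "remote_host": rhost,
                            "remote_port": rport, "state": state or "", "process": None})
            continue
        m = PROC_RE.match(line)
        if m:
            # The bracket line closes every connection line seen since the last one.
            for c in pending:
                c["process"] = m.group(1)
            conns.extend(pending)
            pending = []
        # Header lines and component names such as "RpcSs" fall through and are ignored.
    conns.extend(pending)  # connections with no owner line (e.g. output cut short)
    return conns


def fanout_by_process(conns: list) -> dict:
    """Map (process, remote_port) -> set of distinct remote hosts over TCP."""
    hosts = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["remote_port"] is not None:
            hosts[(c["process"], c["remote_port"])].add(c["remote_host"])
    return hosts


def flag_fanout(conns: list, min_hosts: int = 5) -> list:
    """List (process, port, host_count) for processes talking to >= min_hosts hosts on one port."""
    hits = [(proc, port, len(h)) for (proc, port), h in fanout_by_process(conns).items()
            if len(h) >= min_hosts]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for proc, port, count in flag_fanout(parse_netstat_b(SAMPLE_NETSTAT_B)):
        print(f"{proc} -> {count} hosts on port {port}")
```

Run it against saved output (netstat -b -n > netstat.txt, which needs an elevated prompt) from each suspect PC; a single process with connections or half-open SYN_SENT entries to many different hosts on the same port is the pattern to chase, and the process name tells you what to look at next. The min_hosts threshold of 5 is an arbitrary starting point.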
