I am trying to monitor network traffic to see who is using the most bandwidth (the internet gets very slow sometimes, I know someone is streaming/using BitTorrent) but cannot seem to find the network switch. I have tools like nmap, ettercap, wireshark, and what not, but how can I use these to locate the network switch? Is it just a matter of scanning the whole network and finding the default gateway? Or is the switch not the default gateway and a completely separate router/machine?

You're using nmap on "your" network and you don't know where the switch is?

If you have a valid IP address on the network, you already know the default gateway, as it is set on your PC.

An Ethernet switch is a layer-2 device, and may or may not be built into the router which defines the default gateway of the LAN.

Note that on a network using Ethernet switches, tools such as wireshark are of limited use since you can only see broadcast traffic if you are connected to a switch port.

Righto, Wireshark isn't helping me too much because it is a switched LAN.

I'll try and clarify a little bit here....

There are times, while at work, when the internet speed slows down considerably and my suspicion is that someone is using our bandwidth to stream/download movies and/or other large files.

I'm looking for a way to find out who it is.


Look for a lot of packets going to a particular LAN IP. If you think it is a torrent thing, look for packets using unexpected ports.

But all you really need to do is ID whichever host is using high bandwidth (lots of packets).

I would recommend using the Trace Route command: tracert

Do you have a central firewall? Depending on your firewall's features, you may try your firewall logs as well.

Are you part of the Networking Team? Or a general user wanting to help out? You need to find the Router where the traffic is coming into your office and then that should lead to the Uplink Switch connection. You will need a Port Mirror off that Uplink connection so that you can see all the traffic happening between your Router and the rest of the internal network. RMON-type studies are good for this as you are not really interested in the detail packets, but in the summary of what is being done, i.e. User and Ports involved. This should give you the Server:Port and User:Port. From that you should be able to get the information you need about the amount of traffic happening at an interval of time.

Later you can use Wireshark to filter on just that one User and gather the details about what is happening. But the RMON should narrow this down to a given user. Then perhaps just walking by that user would give you the details on what they are doing.

You can monitor the link that connects your local network to the default gateway with Wireshark. Most managed switches have the ability to "mirror/span" a port, so that you can see all the traffic passing to and from the Internet. If you are not able to configure the switch, then install a small Hub or make up a Passive Tap that does the same thing. A quick web search gives plenty of information on how to make a Tap and install it. Under the Wireshark Statistics tab there are a number of functions to help identify the source of all the traffic on the monitored link.
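The per-host summary described above can also be scripted from a capture taken on the mirrored uplink. This is an added example, not part of any post in the thread: it totals bytes per LAN host from lines in the layout `tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len` produces. The LAN range `192.168.1.0/24` and the sample rows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample rows: ip.src, ip.dst, tcp.srcport, tcp.dstport, frame.len
ROWS = [
    ("192.168.1.23", "203.0.113.10", "51000", "6881", "1400"),
    ("203.0.113.10", "192.168.1.23", "6881", "51000", "1500"),
    ("198.51.100.7", "192.168.1.23", "51413", "51001", "1500"),
    ("192.168.1.40", "198.51.100.20", "40000", "443", "600"),
    ("198.51.100.20", "192.168.1.40", "443", "40000", "1200"),
    ("192.168.1.40", "192.168.1.1", "40001", "53", "80"),  # LAN-to-LAN, ignored
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS) + "\nnot a capture line\n"


def top_talkers(text, lan=LAN):
    """Return [(lan_host, bytes, distinct_remote_peers, remote_ports)], busiest first."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set(), "ports": set()})
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed or non-IP line
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            size = int(parts[4])
        except ValueError:
            continue
        # Charge the frame to the LAN side, whichever direction it travels.
        if src in lan and dst not in lan:
            host, peer, rport = src, dst, parts[3]
        elif dst in lan and src not in lan:
            host, peer, rport = dst, src, parts[2]
        else:
            continue  # purely internal or purely external traffic
        entry = stats[str(host)]
        entry["bytes"] += size
        entry["peers"].add(peer)
        if rport.isdigit():  # empty for non-TCP frames
            entry["ports"].add(int(rport))
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(h, s["bytes"], len(s["peers"]), sorted(s["ports"])) for h, s in ranked]


if __name__ == "__main__":
    for host, nbytes, peers, ports in top_talkers(SAMPLE):
        print(f"{host}: {nbytes} bytes, {peers} remote peers, remote ports {ports}")
```

A host with a high byte total, many distinct remote peers and unusual remote ports is the one to look at more closely with a Wireshark display filter.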

I know this is a friendly, helpful community and all, but your request seems a bit odd. What is the size of the network that you are dealing with? Are you running DHCP? You know someone is streaming how? If your objective is to monitor this person without the above information or access to critical network hardware (assuming you mean a physical switch), finding a switch to plug into is the least of your concerns.

To me the easiest way to find your switch would be to find your default gateway, but that would seem easy to me. You kind of have me confused: you seem to want to monitor a person, but don't seem to know much about anything else? Please explain?

