
How to get top-talkers?

Discussion in 'DD-WRT Firmware' started by MBChris, Sep 21, 2005.

  1. MBChris

    MBChris Network Guru Member

    @all

    Hi, I've about 70 users (at the moment), of whom sometimes over 40 are online at the same time. I've blocked all the filesharing services (L7) and of course some ports.
    BUT now I think there is ONE user who is running a tunnel or JAP proxy to bypass the restrictions. :thumbdown:

    So my question is: how could I investigate that? It would be cool to have a service on the router, or a script, which tells me the actual connections / local IP and the ports which are used by each connection; the amount of traffic would be cool too.

    On the other hand, I must use Ethereal or something like that to get my "TopTalker".

    greets
    Chris
     
  2. 4Access

    4Access Network Guru Member

    Since you're using DD-WRT one option would be to use RFlow Collector to gather bandwidth info. It can also give you some traffic info (IP & port connections) but I think WallWatcher might be better for that.

    Link Logger looks really nice too, but I haven't tested it considering it costs $50 after the 14-day eval.

    Good luck.
     
  3. MBChris

    MBChris Network Guru Member

    Thank you 4Acc,

    I already have this constellation running and it shows me a lot. But because rflow is not exactly realtime, I only get the traffic _after_ the download. Imagine when a user takes a big download or is streaming things, I couldn't act in realtime.

    In WallWatcher there is an option to get the traffic per IP, but .... there is always only the external IP of my border router listed (no internal IPs), so I couldn't "fish" the user/machine.

    And ... if the user is running JAP or HTTP-Tunnel there is no way to restrict via L7 or ports.

    What I'll try next: I think he/she is using JAP, so I'll block access to the information service and cascades of JAP. I'll see if it helps.

    Thanks anyway for your post!
    Chris
     
  4. zgamer

    zgamer Network Guru Member

    What about enabling QoS?
     
  5. MBChris

    MBChris Network Guru Member

    Hi, that wasn't my question. I would like to see the _actual_ connections and traffic from a single IP.

    Thanks anyway
     
  6. matthiaz

    matthiaz Network Guru Member

    Well, seeing the traffic afterwards in RFLOW should be enough, since you know the user's IP and thus his MAC. That's enough to identify that user. Since you're talking about ONE single bad guy...

    Another solution: get a professional router, which is built for that, and not a home device...
     
  7. habskilla

    habskilla Network Guru Member

    Try RFlowCollector; it works very well and is very easy to set up. It's at www.dd-wrt.com

    Search for 3rd party addons that work with RFLOW. There are a few of those.
     
  8. bigjohns

    bigjohns Network Guru Member

    I have rflow enabled, but it's not working...
    V22r2

    Rflow is enabled, as is macudp. I get data from macudp, but not from Rflow.... any thoughts?
     
  9. habskilla

    habskilla Network Guru Member

    Not using the same ports? (2055, 2056)

    IP address is correct? (This got me once :) )

    Try RFlowCollector v2 and v3.

    If it's not one of the above, then you got me.

    Did you read through this thread?

    rFlowCollector
     
  10. MBChris

    MBChris Network Guru Member

    Yes, you are right .... but it would be good to identify the "bad guy" on the router itself while SSHed or telnetted in!

    Anyways thanks all for the suggestions
     
