How to get top-talkers?

Discussion in 'DD-WRT Firmware' started by MBChris, Sep 21, 2005.

  1. MBChris

    MBChris Network Guru Member


    Hi, I've about 70 users (at the moment), of whom sometimes over 40 are online at the same time. I've blocked all the filesharing services (L7) and of course some ports.
    BUT now I think there is ONE user who is running a tunnel or JAP proxy to bypass the restrictions.

    So my question is: how could I investigate that? It would be cool to have a service on the router, or a script, which tells me the actual connections per local IP and the ports used by each connection; the amount of traffic would be cool too.

    On the other hand, I must use Ethereal or something like that to get my "TopTalker".

  2. 4Access

    4Access Network Guru Member

    Since you're using DD-WRT one option would be to use RFlow Collector to gather bandwidth info. It can also give you some traffic info (IP & port connections) but I think WallWatcher might be better for that.

    Link Logger looks really nice too, but I haven't tested it considering it costs $50 after the 14-day eval.

    Good luck.
  3. MBChris

    MBChris Network Guru Member

    Thank you 4Acc,

    I already have this constellation running and it shows me a lot. But because rflow is not exactly realtime, I only get the traffic _after_ the download. Imagine a user takes a big download or streams things: I couldn't act in realtime.

    In WallWatcher there is an option to get the traffic per IP, but ... there is always only the external IP of my border router listed (no internal IPs), so I couldn't "fish" the user/machine.

    And ... if the user is running JAP or HTTP-Tunnel, there is no way to restrict via L7 or ports.

    What I'll try next: I think he/she is using JAP, so I'll block access to the information service and cascades of JAP. I'll see if it helps.

    Thanks anyway for your post!
  4. zgamer

    zgamer Network Guru Member

    What about enabling QoS?
  5. MBChris

    MBChris Network Guru Member

    Hi, that wasn't my question. I would like to see the _actual_ connections and traffic from a single IP.

    Thanks anyway.
  6. matthiaz

    matthiaz Network Guru Member

    Well, seeing the traffic afterwards in RFLOW should be enough, since you know the user's IP and thus his MAC. That's enough to identify that user. Since you're talking about ONE single bad guy...

    Another solution: get a professional router, which is built for that, and not a home device...
  7. habskilla

    habskilla Network Guru Member

    Try RFlowCollector, works very well and very easy to setup. It's at the

    Search for 3rd party addons that work with RFLOW. There are a few of those.
  8. bigjohns

    bigjohns Network Guru Member

    I have rflow enabled, but it's not working...

    rflow is enabled, as is macudp. I get data from macudp, but not from rflow... any thoughts?
  9. habskilla

    habskilla Network Guru Member

    Not using the same ports? (2055, 2056)

    IP address is correct? (This got me once :) )

    Try RFlowCollector v2 and v3.

    If it's not one of the above, then you got me.

    Did you read through this thread?

  10. MBChris

    MBChris Network Guru Member

    Yes, you are right ... but it would be good to identify the "bad guy" on the router itself while logged in via ssh or telnet!

    Anyway, thanks all for the suggestions.
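
An added example, not from any poster in this thread: one way to get a per-host view on the router itself is to summarise the kernel's connection-tracking table from an ssh or telnet session. It assumes the firmware exposes the table at /proc/net/ip_conntrack and that 192.168.1. is the LAN prefix; byte counts appear only if conntrack accounting is compiled in, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example: per-host summary of the router's connection-tracking table.
# Assumptions: the table is readable at /proc/net/ip_conntrack, and
# 192.168.1. is the LAN prefix (placeholder).

# Constructed sample entries (documentation addresses), used for the demo run.
sample_table() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.23 dst=198.51.100.7 sport=3345 dport=443 packets=10 bytes=1200 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=3345 packets=12 bytes=9000 [ASSURED] use=1
tcp      6 431992 ESTABLISHED src=192.168.1.23 dst=198.51.100.7 sport=3346 dport=443 packets=8 bytes=800 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=3346 packets=9 bytes=4000 [ASSURED] use=1
udp      17 25 src=192.168.1.23 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=70 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=130 use=1
tcp      6 300 ESTABLISHED src=192.168.1.40 dst=198.51.100.9 sport=2201 dport=80 packets=5 bytes=500 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=2201 packets=6 bytes=1500 [ASSURED] use=1
tcp      6 120 ESTABLISHED src=203.0.113.5 dst=198.51.100.9 sport=5000 dport=80 packets=2 bytes=100 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=5000 packets=2 bytes=100 [ASSURED] use=1
EOF
}

# top_talkers LAN_PREFIX < table
# Prints "connections host bytes=N ports=a,b" per LAN host, busiest first.
top_talkers() {
    awk -v lan="$1" '
    {
        src = ""; dport = ""; bytes = 0
        for (i = 1; i <= NF; i++) {
            # First src=/dport= pair is the original direction (the LAN client).
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            # bytes= exists only if conntrack accounting is compiled in.
            if ($i ~ /^bytes=/) bytes += substr($i, 7)
        }
        if (index(src, lan) != 1) next      # skip router-originated entries
        conns[src]++
        total[src] += bytes
        if (!((src, dport) in seen)) {
            seen[src, dport] = 1
            ports[src] = ports[src] (ports[src] == "" ? "" : ",") dport
        }
    }
    END {
        for (h in conns)
            printf "%d %s bytes=%d ports=%s\n", conns[h], h, total[h], ports[h]
    }' | sort -rn
}

# Demo on the constructed sample; on the router itself run:
#   top_talkers 192.168.1. < /proc/net/ip_conntrack
sample_table | top_talkers 192.168.1.
```

A host that tunnels everything through one proxy typically shows up here as many connections or bytes concentrated on a single destination port, which is the pattern the L7 and port filters discussed above do not catch.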