Finding the top users of bandwidth

Recently I worked with a few IT managers who wanted to know one thing: who were the top users of bandwidth on their networks? In some cases, WAN links were oversubscribed, and in others, access to the Internet was slow due to large downloads.

Finding the top users of bandwidth can be broken down into two steps. First, you need to gain visibility into what is happening on the network; then you need to associate this with usernames. Seems straightforward enough, but this data is spread all around the network. This is especially true if you have multiple data centers.

To gain visibility into what is happening on your network, you must first understand what makes up your network core. A network core is typically made up of one or more network switches where servers, routers, firewalls and other switches connect. It is the crossroads of your network, and it is at this point where you can gain visibility into what is happening on the network. Even traffic from WAN sites gets routed through the core as users in the remote sites access applications and servers which are hosted in the data centre.

Once you have identified your network core, you can then use port mirroring or flow features to monitor what data is moving around the network. Flow features exist on most layer 3 devices, typically routers or network switches which can route packets between VLANs. When enabled, the device will report on things like which systems are connecting to which and how much data is moving around. A simple analogy is that a flow report is like the bill you get from your telephone company: you get to see what calls you made and how much they cost.

Port mirroring features are available on most network switches and some routers. They allow you to take a copy of the network packets as they move through the switch. Some switches allow you to monitor specific ports, while others will allow you to monitor VLANs. The analogy I would use for port mirroring is that it is like an old-fashioned phone tap. Not only do you know who is calling whom, but you also get the detail of what was discussed during the conversations. In networking terms this is sometimes referred to as deep packet inspection (DPI).

There are many systems and applications out there that can support packet capturing and/or flow data. You just need to find a system that works on your network and gives you the level of detail that you need. Both port mirroring and flow monitoring techniques will produce reports based on the hostname, IP or MAC addresses as the source of the data.

The next step in finding out who is responsible for generating the data on your network is to get the usernames from your network authentication infrastructure. A lot of networks use Microsoft Active Directory for this purpose, although other systems like RADIUS are also used. No matter what system you use, I would recommend that you have auditing of user logons enabled. What you are looking for is that each time a user logs onto your network, a record is kept of what system they logged onto and at what time. In most cases the system that the user logged onto is captured as an IP address.

Now it comes to putting the data together. Your traffic analysis (flow or packets) system should be able to produce output such as the top IP addresses generating data on the network. You can then look at what usernames are associated with these systems by cross-checking the logs on your authentication systems. The final report will then be the top users of bandwidth on your network.
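The cross-check described above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any product it mentions; the record layouts, sample values and function names are assumptions. It attributes each flow's bytes to the user who most recently logged on at that IP address, so an address reused by a second user later in the day is not billed to the first, and traffic with no matching logon is reported as unknown.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from any real network).
# Flow records: (timestamp, source IP, bytes), as a flow collector might export.
FLOWS = [
    ("2012-03-01 09:05", "10.0.0.21", 400_000_000),
    ("2012-03-01 09:40", "10.0.0.22", 150_000_000),
    ("2012-03-01 13:10", "10.0.0.21", 900_000_000),
    ("2012-03-01 13:30", "10.0.0.99", 50_000_000),   # no logon on record
]
# Logon audit records: (timestamp, username, IP the user logged on from).
LOGONS = [
    ("2012-03-01 08:55", "alice", "10.0.0.21"),
    ("2012-03-01 09:30", "bob", "10.0.0.22"),
    ("2012-03-01 12:45", "carol", "10.0.0.21"),      # same IP, later user
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def build_logon_index(logons):
    """Map each IP to a time-sorted list of (logon time, username)."""
    index = defaultdict(list)
    for when, user, ip in logons:
        index[ip].append((_ts(when), user))
    for events in index.values():
        events.sort()
    return index

def user_at(index, ip, when):
    """Return the most recent user to log on at `ip` at or before `when`."""
    events = index.get(ip, [])
    pos = bisect_right([t for t, _ in events], when)
    return events[pos - 1][1] if pos else f"unknown ({ip})"

def top_users(flows, logons, n=10):
    """Sum bytes per attributed user and return the n largest, descending."""
    index = build_logon_index(logons)
    totals = defaultdict(int)
    for when, ip, nbytes in flows:
        totals[user_at(index, ip, _ts(when))] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for user, nbytes in top_users(FLOWS, LOGONS):
        print(f"{user:22} {nbytes / 1e6:10.1f} MB")
```

Entries reported as unknown are worth following up separately, since they point to systems generating traffic without a recorded user logon.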

Darragh Delaney is head of technical services at NetFort. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney

Copyright © 2012 IDG Communications, Inc.
