I can see from our ISP stats that a large amount of bandwidth is being used throughout the day. I suspect it's someone using our wireless router, although I'm not definite. Our PCs all run various types of Windows. Are there utilities/sniffers that I can use to detect where the bandwidth is going?
9 Answers
You can install a PC on a hub (or managed switch emulating a hub) with the router, and use Wireshark to capture all the traffic. From here you can get some useful metrics to point you to your bandwidth hogs.
Can you give us more details about your network setup? I can propose two different approaches:
Depending on the type of wireless device you have, you may be able to use a network management application that uses SNMP to pull down stats from the AP. Most enterprise APs will have a MIB table that tracks the list of associated clients, their signal quality, and the number of bytes used. Similarly, your router may have a MIB that tracks traffic by IP address.
You can use a wired traffic sniffer (Wireshark, EtherPeek) to watch the traffic. Those tools can usually give you a breakdown of traffic by user. You'd have to sniff the traffic before it hits your router (if your router does NAT). You can use a hub (though those are really hard to find these days) or turn on port mirroring on a managed switch. You can also use a wireless sniffer, but if the network is encrypted, you'll just get an idea of the volume of traffic from each user, not where the traffic is destined.
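Added example, not part of any answer here: a small Python script that produces the per-host byte breakdown the sniffer answers describe, reading a capture saved in classic pcap format (Ethernet link type; pcapng is not handled). It assumes the capture was taken on the LAN side of the router, before NAT, and that the LAN is `192.168.1.0/24`; the function names and the sample capture are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def bytes_per_lan_host(pcap: bytes, lan: str = "192.168.1.0/24") -> Counter:
    """Sum on-the-wire bytes per LAN IPv4 address in a classic pcap (Ethernet)."""
    net = ipaddress.ip_network(lan)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals = Counter()
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not plain IPv4 (VLAN tags, IPv6, ARP)
        # IPv4 source/destination sit at bytes 26-29 and 30-33 of the frame.
        for raw in (frame[26:30], frame[30:34]):
            addr = ipaddress.ip_address(raw)
            if addr in net:  # count upload and download against the LAN host
                totals[str(addr)] += orig_len
    return totals

def build_sample_pcap() -> bytes:
    """Constructed capture: four frames, addresses are made up."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [("192.168.1.23", "203.0.113.10", 1400),
             ("203.0.113.10", "192.168.1.23", 1000),
             ("192.168.1.5", "198.51.100.7", 100),
             ("192.168.1.23", "203.0.113.10", 500)]
    for src, dst, n in flows:
        ip = (bytes([0x45, 0]) + struct.pack(">H", 20 + n) + b"\x00" * 8
              + ipaddress.ip_address(src).packed
              + ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * n
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for host, count in bytes_per_lan_host(build_sample_pcap()).most_common():
        print(f"{host:15} {count:>8} bytes")
```

An address at the top of the list that does not match any known machine or DHCP lease is the one to look up in the router's client table.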
Depending on the make and model of the wireless access point/switch you are using, Tomato might be just what you are after. It provides a nice bandwidth monitor, among other things.
Also, a bit costly, but it seems it would do what you want as well.
Your router likely has a way to show what clients are connected through it, possibly as DHCP clients. That would identify who is connecting to your wireless router, although it wouldn't necessarily tell you who was using your bandwidth.
If you aren't already I'd highly recommend a program such as Cacti (which can be used in conjunction with ntop) to grab the traffic stats from your switches (and hopefully your WAPs as well). This can help you pin down when and where the traffic is originating.
Additionally it will also give you a good feel for the flow of traffic - and anomalies in traffic tend to stand out in the graphs a bit more than just browsing logs.
If your router supports it, you could turn on netflow monitoring. Flows would show you exactly what you are looking for.
Most wireless routers log MACs of the connecting WiFi cards, many also allow monitoring who is actually connected. As for sniffing WiFi, the standard tool is Kismet.
"Someone" refers to someone not actually authorized to use it, who's hijacking your signal?
To protect your WiFi you should take the following steps:
- Deter script-kiddies (won't work against experienced war-drivers):
  - Turn off your SSID broadcasting
  - Limit connection only to a given list of MACs
  - Limit DHCP only to static MAC -> IP assignments
- Use WPA2 (with EAP-PSK, use a random passphrase).
- For real hardcore security, use WPA2 with an 802.1X authentication server.