
Hi All, I am suspecting I might have a device in the network causing a UDP/TCP flood. I have cleaned PCs (antivirus) and still I seem not to be able to get the culprit, even when looking at Wireshark to check broadcasting IPs, and have eliminated the PCs. What can I do to get to the bottom of this?
-- GG

On 3 June 2014 11:27, geoffrey gitagia <ggitagia@gmail.com> wrote:
Traditional method by
- Elimination method.
- Narrow down to switch port (plotting ports?)
Kind Regards, Wilson./

This is why graphing switch ports is always a good idea! Log in to switch and check each port.
./Ok3ch
On Tue, Jun 3, 2014 at 1:03 PM, Thuo Wilson <lixton@gmail.com> wrote:
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

Okay, I am looking at my switch DGS-3100. I want to enable storm broadcast control; is 3500 Kbps a good threshold? That's the default on the device.
On Tue, Jun 3, 2014 at 1:51 PM, Okechukwu <okechukwu@gmail.com> wrote:
-- GG

Here are some logs captured:
15h 27m 6s <http://10.0.0.194/> 1:48 <http://10.0.0.194/device/device=16/tab=port/port=51514/> Port reached saturation threshold: 98.7Mbps/98.5Mbps(99/99) >85% of 100Mbps
15h 27m 7s <http://10.0.0.194/> 1:46 <http://10.0.0.194/device/device=16/tab=port/port=51512/> Port reached saturation threshold: 613kbps/90.7Mbps(1/91) >85% of 100Mbps
15h 27m 8s <http://10.0.0.194/> 1:43 <http://10.0.0.194/device/device=16/tab=port/port=51509/> Port reached saturation threshold: 19.4Mbps/98.7Mbps(19/99) >85% of 100Mbps
15h 27m 9s <http://10.0.0.194/> 1:30 <http://10.0.0.194/device/device=16/tab=port/port=51496/> Port reached saturation threshold: 4.19Mbps/95.8Mbps(4/96) >85% of 100Mbps
15h 27m 11s <http://10.0.0.194/> 1:24 <http://10.0.0.194/device/device=16/tab=port/port=51490/> Port reached saturation threshold: 4.77Mbps/95Mbps(5/95) >85% of 100Mbps
15h 27m 12s <http://10.0.0.194/> 1:15 <http://10.0.0.194/device/device=16/tab=port/port=51481/> Port reached saturation threshold: 97.7Mbps/80.0Mbps(98/80) >85% of 100Mbps
15h 27m 14s <http://10.0.0.194/> 1:13 <http://10.0.0.194/device/device=16/tab=port/port=51479/> Port reached saturation threshold: 2.27Mbps/88.6Mbps(2/89) >85% of 100Mbps
15h 27m 15s <http://10.0.0.194/> 1:12 <http://10.0.0.194/device/device=16/tab=port/port=51478/> Port reached saturation threshold: 98.0Mbps/69.5Mbps(98/70) >85% of 100Mbps
15h 27m 23s <http://10.0.0.194/> 1:5 <http://10.0.0.194/device/device=16/tab=port/port=51471/> Port reached saturation threshold: 94.2Mbps/30.6Mbps(94/31) >85% of 100Mbps
On Wed, Jun 4, 2014 at 8:39 AM, geoffrey gitagia <ggitagia@gmail.com> wrote:
-- GG

1. How many devices do you have that are potentially causing the UDP flood?
2. Can you localise the source of the flood to a layer 2 device or a layer 3 device?
3. Can you have a look at the packet counters on suspected devices? Perhaps you can zero out the per port metrics and check on them after a while to home in on ports with large deltas.
4. Or you can install a monitoring agent on all your devices to report on network traffic statistics.
On Wed, Jun 4, 2014 at 8:43 AM, geoffrey gitagia <ggitagia@gmail.com> wrote:
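Following Wilson's "narrow down to switch port" advice and Laban's point about homing in on ports with large counter deltas, here is an added example (not code from the thread or from anyone on it) that parses the saturation alerts GG posted and ranks the switch ports worth checking first. It assumes the first rate in each alert is the port's ingress (traffic coming from the attached host) and the second its egress, which the page does not state.

```python
import re
from typing import List
from dataclasses import dataclass

# Matches the monitoring alerts quoted in the thread. Which rate is ingress
# and which is egress is not stated on the page; this example ASSUMES the
# first is traffic received from the host (rx), the second traffic sent to it.
ALERT_RE = re.compile(
    r"(?P<age>\d+h \d+m \d+s) <[^>]*>\s*(?P<port>\d+:\d+) <[^>]*> "
    r"Port reached saturation threshold: "
    r"(?P<rx>[\d.]+)(?P<rxu>[kMG]bps)/(?P<tx>[\d.]+)(?P<txu>[kMG]bps)"
    r"\(\d+/\d+\) >\d+% of (?P<cap>\d+)Mbps"
)
UNIT = {"kbps": 1e-3, "Mbps": 1.0, "Gbps": 1e3}  # normalise everything to Mbps


@dataclass
class PortAlert:
    port: str
    rx_mbps: float
    tx_mbps: float
    cap_mbps: float


def parse_alerts(text: str) -> List[PortAlert]:
    """Extract every saturation alert, even when entries run together on one line."""
    return [
        PortAlert(m["port"],
                  float(m["rx"]) * UNIT[m["rxu"]],
                  float(m["tx"]) * UNIT[m["txu"]],
                  float(m["cap"]))
        for m in ALERT_RE.finditer(text)
    ]


def likely_sources(alerts: List[PortAlert], threshold: float = 0.85) -> List[str]:
    """Ports saturated on ingress are where a flooding host is plugged in;
    ports hot only on egress (uplinks, other victims) merely carry the flood."""
    hot = [a for a in alerts if a.rx_mbps / a.cap_mbps >= threshold]
    return [a.port for a in sorted(hot, key=lambda a: a.rx_mbps, reverse=True)]


# Constructed sample: a subset of the alert lines posted in the thread.
SAMPLE = """15h 27m 6s <http://10.0.0.194/> 1:48 <http://10.0.0.194/device/device=16/tab=port/port=51514/> Port reached saturation threshold: 98.7Mbps/98.5Mbps(99/99) >85% of 100Mbps
15h 27m 7s <http://10.0.0.194/> 1:46 <http://10.0.0.194/device/device=16/tab=port/port=51512/> Port reached saturation threshold: 613kbps/90.7Mbps(1/91) >85% of 100Mbps
15h 27m 12s <http://10.0.0.194/> 1:15 <http://10.0.0.194/device/device=16/tab=port/port=51481/> Port reached saturation threshold: 97.7Mbps/80.0Mbps(98/80) >85% of 100Mbps
15h 27m 23s <http://10.0.0.194/> 1:5 <http://10.0.0.194/device/device=16/tab=port/port=51471/> Port reached saturation threshold: 94.2Mbps/30.6Mbps(94/31) >85% of 100Mbps"""

if __name__ == "__main__":
    for port in likely_sources(parse_alerts(SAMPLE)):
        print("check the host on switch port", port)
```

Ports that are hot in both directions (such as 1:48 above) may be uplinks rather than hosts, so confirm against the switch's own port counters before pulling a cable.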

1. How many devices do you have that are potentially causing the UDP flood?
*I am suspecting 3 devices.*
2. Can you localise the source of the flood to a layer 2 device or a layer 3 device?
*No clue on how to go about this.*
3. Can you have a look at the packet counters on suspected devices? Perhaps you can zero out the per port metrics and check on them after a while to home in on ports with large deltas.
*I know my suspect devices by IP only and have already identified 1 to be formatted later in the week. I suspect the other to be a laptop, as I cannot log on to it with my domain admin credentials; the other IP has been dodgy to pinpoint, so I am suspecting another laptop/tablet or smartphone (I want to implement a wifi for BYOD that will be monitored, awaiting financing from the chief kahoonaz hehe), but I want to enable port protection so as to see which "pig" squeals when its port is blocked (hoping not the wifi).*
4. Or you can install a monitoring agent on all your devices to report on network traffic statistics.
*Any good suggestions for this? I find that most monitoring tools that get the details will consume a lot of processor and disk space, so if you can point me in the right direction I will be more than happy.*
On Wed, Jun 4, 2014 at 9:37 AM, Laban Mwangi <lmwangi@gmail.com> wrote:
-- GG
participants (4)
- geoffrey gitagia
- Laban Mwangi
- Okechukwu
- Thuo Wilson