we want to analyze the burst we click on it.

== What was responsible for the burst? ==

Let's take a look at the dashboard.
values as in the incident graph. But we get a good overview of the IPs with the
most traffic during this time interval. AFP and SSL were the most used protocols. The
traffic value of an IP is bidirectional, so a sender and receiver pair would
have around the same traffic and can be spotted quite easily.
We could assume that any of the top four IP addresses is either the sender or
receiver of the burst packets. Though the fifth IP address has a relatively
high packet rate compared to the others, its byte count is significantly
lower, so it is not likely involved in the burst.
You can zoom in and out in all graphs by holding the Shift key and using the
mouse wheel. This sets the global time range and updates the displayed graphs
and values. After zooming out, you still see the same traffic distribution on the
dashboard.
We can immediately see a spike in both IP addresses 10.54.0.108 and 10.54.0.225
around the time of the incident.
Now let's analyze the IP address 10.54.0.108 by clicking on it and opening the
Both IP addresses communicated with each other. 10.54.0.225 suddenly started
sending an unusually high number of packets to 10.54.0.108.
We can now check for more details in the pcap provided by the throughput incident.
{| | {| | ||
|} | |} | ||
Before the time of the incident, the traffic was significantly lower. At
14:42:26.69497 IP address 10.54.0.108 sent a packet to 10.54.0.225 which triggered
the traffic burst.
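The two steps above, reading the bidirectional per-IP totals off the dashboard (high byte count marks the burst pair, a high packet rate with a low byte count does not) and then looking in the pcap for the packet that set the burst off, can be reproduced on a packet list. The following Python is an added example, not code from the monitoring tool or from the original page: it builds a constructed, labelled set of packet records (timestamps, addresses and sizes are invented, only the trigger time 14:42:26.69497 and the 10.54.0.108/10.54.0.225 pair come from the text), computes the same bidirectional statistics, locates the first second whose packet rate jumps by a chosen factor, picks the two heaviest IPs inside that second, and returns the last packet exchanged between them beforehand as the candidate trigger.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight of the capture day
    src: str
    dst: str
    length: int    # bytes on the wire


def t(hms):
    """'14:42:26.69497' -> seconds since midnight (assumed time base)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def format_ts(ts):
    """Inverse of t(): seconds since midnight -> 'HH:MM:SS.fffff'."""
    h, rem = divmod(ts, 3600)
    m, s = divmod(rem, 60)
    return f"{int(h):02d}:{int(m):02d}:{s:08.5f}"


def per_ip_stats(packets):
    """Bidirectional totals: every packet is credited to both src and dst,
    which is why a sender/receiver pair shows almost identical values."""
    stats = defaultdict(lambda: [0, 0])   # ip -> [packets, bytes]
    for p in packets:
        for ip in (p.src, p.dst):
            stats[ip][0] += 1
            stats[ip][1] += p.length
    return {ip: (v[0], v[1]) for ip, v in stats.items()}


def top_talkers(packets, n=5):
    """IPs ordered by byte count (not packet count), largest first."""
    stats = per_ip_stats(packets)
    return sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)[:n]


def per_second_rate(packets):
    """Packet count per whole-second bucket."""
    buckets = defaultdict(int)
    for p in packets:
        buckets[int(p.ts)] += 1
    return dict(buckets)


def find_burst_trigger(packets, factor=5, pair_size=2):
    """Return (burst_second, participant_ips, trigger_packet).

    burst_second: first bucket whose packet count is >= factor times the
    previous non-empty bucket. participant_ips: the pair_size heaviest IPs
    (by bytes) inside that bucket. trigger_packet: the last packet exchanged
    between those participants before the burst second, or None."""
    pkts = sorted(packets, key=lambda p: p.ts)
    rates = per_second_rate(pkts)
    seconds = sorted(rates)
    for prev, cur in zip(seconds, seconds[1:]):
        if rates[cur] >= factor * max(rates[prev], 1):
            in_burst = [p for p in pkts if int(p.ts) == cur]
            parts = [ip for ip, _ in top_talkers(in_burst, pair_size)]
            before = [p for p in pkts
                      if p.ts < cur and p.src in parts and p.dst in parts]
            return cur, parts, (before[-1] if before else None)
    return None, [], None


def build_sample():
    """Constructed traffic, not the page's pcap: a chatty host with many tiny
    packets, an AFP-like bulk pair, a quiet 10.54.0.108/10.54.0.225 pair, then
    a request from .108 at 14:42:26.69497 followed by a flood from .225."""
    pk = []
    for sec in range(20, 29):
        base = t(f"14:42:{sec}")
        for i in range(20):                      # high packet rate, few bytes
            pk.append(Packet(base + i * 0.04, "10.54.0.7", "10.54.0.2", 64))
        for i in range(5):                       # bulk transfer, both directions
            pk.append(Packet(base + i * 0.1, "10.54.0.15", "10.54.0.30", 1400))
            pk.append(Packet(base + i * 0.1 + 0.05, "10.54.0.30", "10.54.0.15", 1400))
        if sec <= 25:                            # light background chatter
            pk.append(Packet(base + 0.2, "10.54.0.108", "10.54.0.225", 120))
            pk.append(Packet(base + 0.3, "10.54.0.225", "10.54.0.108", 180))
    pk.append(Packet(t("14:42:26.69497"), "10.54.0.108", "10.54.0.225", 80))
    for sec in (27, 28):                         # the burst itself
        base = t(f"14:42:{sec}")
        for i in range(200):
            pk.append(Packet(base + i * 0.005, "10.54.0.225", "10.54.0.108", 1500))
    return sorted(pk, key=lambda p: p.ts)


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for ip, (n, b) in top_talkers(SAMPLE_PACKETS, 6):
        print(f"{ip:14} packets={n:5d} bytes={b:8d}")
    sec, parts, trig = find_burst_trigger(SAMPLE_PACKETS)
    print("burst starts at", format_ts(sec), "between", parts)
    print("candidate trigger:", format_ts(trig.ts), trig.src, "->", trig.dst, trig.length)
```

On the constructed data the chatty host 10.54.0.7 has twice the packet count of the bulk pair but an order of magnitude fewer bytes, which is the situation the dashboard reasoning above relies on; the detection step then reports the .108 to .225 packet at 14:42:26.69497 as the trigger. The `factor` threshold is an assumption and should be tuned to the baseline of the capture being analyzed.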