A quick overview of the problem
We've been experiencing some issues with our bandwidth usage lately, which I fear may be due to misuse (whether intentional or not) of our internet in the office. I want to be able to monitor the network traffic to see if a certain internal IP address is at fault. Our bandwidth should be more than sufficient.
Our setup
We have a 3Com Superstack 3 Switch connected to a Cisco PIX 501 firewall, which then connects into our ISP-provided router.
What I've tried
It seems that neither the switch nor the firewall has a Port Mirroring feature available, so I am not able to keep up a permanent trace. The PIX does offer a temporary trace into its own memory buffer, however I am not too confident using this.
I've also tried installing Wireshark on our (Windows 2000) DNS server, but the packet data here didn't help.
Next steps
Any suggestions from you guys as to how to monitor the traffic would be great. We're not in a position to replace the existing hardware just yet, though. I have looked into the cost of a Network Tap, which I could place between the switch and firewall (or firewall and router) and set up a machine to monitor the packets there. I've never taken this approach before, so wondered if it's really viable.
Best Answer
Two possible choices... a packet capture tap (which is quite viable) or packet capture on the ASA.
If you're not interested in buying a tap and inserting it inline, you shouldn't be afraid of capturing on your Cisco PIX. To capture traffic on the PIX, first define an ACL... assume you're trying to capture traffic from a host inside the firewall at 10.10.10.1.
Now start capturing the traffic that matches the ACL using a buffer large enough to find whether this host is legitimately a problem...
You can optionally download the capture using tftp...
This Cisco doc has a lot of good information about capturing traffic on a PIX / Cisco ASA... DOC 17345 Capturing PIX Traffic
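The three steps the answer outlines (ACL, capture, tftp download), written out for the PIX 6.x CLI as an added example; these are not the answerer's own commands. The suspect host 10.10.10.1 is taken from the answer; the interface name "inside", the capture name "capin" and the TFTP server at 10.10.10.50 are assumptions. Lines beginning with "!" are comments.

```cisco
! Added example: PIX 6.x capture of one suspect host (not from the original answer)
! Assumed: inside interface is named "inside", TFTP server is 10.10.10.50

! 1. Match filter for traffic to and from the suspect host.
!    This ACL is only referenced by the capture; it is never applied with
!    access-group, so it does not change what the firewall permits.
access-list capin permit ip host 10.10.10.1 any
access-list capin permit ip any host 10.10.10.1

! 2. Start the capture on the inside interface into a 1 MB buffer.
!    By default only the first 68 bytes of each packet are stored, which
!    still covers the IP and TCP/UDP headers, so byte counts and ports
!    are intact and the buffer holds on the order of 15,000 packets.
!    The PIX 501 has little RAM, so keep the buffer modest.
capture capin access-list capin buffer 1000000 interface inside

! 3. Check progress. The capture stops on its own once the buffer is full.
show capture capin

! 4. Copy the buffer out in pcap format for Wireshark on a workstation.
copy capture:capin tftp://10.10.10.50/capin.pcap pcap

! 5. Remove the capture and release the buffer memory.
no capture capin
```

Once the pcap is on a workstation, Wireshark's Statistics > Conversations view sorted by bytes is usually enough to tell whether 10.10.10.1 is actually the heavy talker and what it is talking to. To survey all inside hosts rather than one, widen the ACL to "permit ip any any" and accept that the buffer will fill faster.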