Discussion:
I am stumped by this one...
essenz
2007-10-11 16:34:42 UTC
I have noticed a very unusual quirk in my MRTG reporting that has me
concerned, but also has me stumped.

One of my Cisco 3524XL switches has about 20 devices on it; the
majority of the devices, however, are on different subnets, a lot of
/29s and so on.

The other day I noticed a very high artificial traffic spike, that
appeared on every single switch port monitored by MRTG. I know it was
artificial, because some of the devices have their own packet
monitoring, and those stats didn't indicate a surge.

The spike was inbound data. Here's the interesting part, one of the
devices had the spike for both inbound and outbound, and that device
is a Windows machine (behind a Netgear Firewall).

My first assumption was it must be some kind of malicious program that
was doing some kind of broadcast throwing off the MRTG reporting, but
to be honest, I can't see how that is possible if no real data actually
transferred.

Has anyone encountered anything like this?

The spike reached my router, which is also on that switch, so on the
router I enabled NetFlow; maybe that will tell me more the next time
it happens. It has actually happened twice.

It's got me stumped....

Thanks
John
fugettaboutit
2007-10-12 02:13:08 UTC
Your SNMP counters may have rolled, or, perhaps you cleared the traffic
counters? In either case, MRTG can "interpret" the large delta from the
real count at time x to what the counter now reads after a roll or admin
reset.
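The counter-roll explanation above, worked through as an added example (not code from the thread and not MRTG's own code): an MRTG-style rate calculation over constructed Counter32 samples, showing that a genuine 32-bit wrap is corrected properly, while an administrative counter clear between two polls yields a phantom delta that still passes MRTG's MaxBytes sanity check and therefore graphs as a spike. The 300 s poll interval, the 100 Mbit/s MaxBytes value, the counter readings and the reset heuristic are all assumptions made for the example.

```python
# Added example, not from the original thread: how an MRTG-style poller turns
# a 32-bit SNMP counter wrap, or an administrative counter clear, into a
# traffic spike. Every counter reading below is constructed sample data.

COUNTER32_WRAP = 2 ** 32        # ifInOctets / ifOutOctets are Counter32 objects
POLL_INTERVAL = 300             # assumed MRTG poll interval in seconds (5 min)
MAXBYTES_100MBIT = 12_500_000   # assumed MRTG MaxBytes for a 100 Mbit/s port


def mrtg_rate(prev, cur, interval=POLL_INTERVAL, max_bytes=MAXBYTES_100MBIT):
    """Bytes/second derived from two Counter32 samples the way MRTG does it.

    A reading lower than the previous one is taken to be a 32-bit wrap and
    2**32 is added to the delta. The result is kept only if it does not exceed
    max_bytes (MRTG's MaxBytes); anything larger is discarded as impossible.
    Returns (rate, status) with status 'ok', 'wrapped' or 'discarded'.
    """
    delta = cur - prev
    status = "ok"
    if delta < 0:
        delta += COUNTER32_WRAP
        status = "wrapped"
    rate = delta / interval
    if rate > max_bytes:
        return None, "discarded"
    return rate, status


def seconds_to_wrap(bytes_per_second):
    """How long a Counter32 octet counter lasts at a sustained byte rate."""
    return COUNTER32_WRAP / bytes_per_second


def spike_after_counter_clear(prev, cur_after_clear, interval=POLL_INTERVAL):
    """Rate MRTG reports when the counter was cleared between two polls.

    After a clear the counter restarts at zero, so cur_after_clear is small.
    The poller cannot tell this from a wrap and credits the port with
    (2**32 - prev) + cur_after_clear bytes, of which (2**32 - prev) were
    never sent. Returns (rate, status, phantom_bytes).
    """
    rate, status = mrtg_rate(prev, cur_after_clear, interval)
    phantom_bytes = COUNTER32_WRAP - prev
    return rate, status, phantom_bytes


def looks_like_reset(rate, baseline_rates, status, factor=10):
    """Triage heuristic (an assumption of this example, not an MRTG feature):
    a wrap-corrected sample far above the median of recent samples.

    A genuine wrap yields a rate in line with its neighbours; a counter clear
    yields one out of all proportion. Treat a True result as a reason to
    check an independent source (NetFlow, the host's own counters) before
    believing the spike was real traffic.
    """
    if status != "wrapped" or not baseline_rates:
        return False
    baseline = sorted(baseline_rates)[len(baseline_rates) // 2]
    return baseline > 0 and rate > factor * baseline


if __name__ == "__main__":
    # Constructed scenario: steady 200 kB/s, i.e. 60 MB per 300 s interval.
    steady = [200_000.0] * 5

    # 1. Genuine wrap: counter passes 2**32 between polls; corrected properly.
    rate, status = mrtg_rate(4_290_000_000, 55_032_704)
    print("genuine wrap  :", rate, status, looks_like_reset(rate, steady, status))

    # 2. Counter cleared on the switch between polls: phantom spike, accepted
    #    because it is still below MaxBytes for a 100 Mbit/s port.
    rate, status, phantom = spike_after_counter_clear(3_060_000_000, 60_000_000)
    print("counter clear :", rate, status, "phantom bytes:", phantom,
          "flagged:", looks_like_reset(rate, steady, status))

    # 3. A 100 Mbit/s port at line rate wraps a Counter32 in under 6 minutes,
    #    i.e. inside one default MRTG poll interval.
    print("seconds to wrap at 100 Mbit/s:", round(seconds_to_wrap(MAXBYTES_100MBIT)))
```

Two things the example makes concrete for the case in the thread. First, a clear of the interface counters on the switch resets every port's counters in the same poll, which is what a simultaneous spike on every monitored port looks like, whereas a genuine wrap only hits ports busy enough to pass 2^32 octets and does so at different times. Second, the phantom rate the wrap assumption produces is bounded by 2^32 divided by the poll interval, so it can easily sit under MaxBytes and be graphed as if it were real; the counters alone cannot prove the traffic happened, which is why cross-checking against NetFlow or the end devices' own statistics, as the original poster did, is the right verification step before treating such a spike as a security incident.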