Identify Mysterious Traffic

Instructions for identifying traffic that PacketWise does not classify

Many customers view PacketWise auto-discovery, or automatic traffic classification, as their favorite and most useful feature. Knowing the identity of traffic running over your network is a big first step in managing and controlling the performance of network applications.

When PacketWise sees a traffic flow, it matches the flow's characteristics to those of each class in the traffic tree. If it finds a match, that class' metrics are incremented accordingly, and the flow is managed with the class' policies. If it does not find a match, but PacketWise can identify the traffic, and traffic discovery is enabled, PacketWise creates a corresponding new traffic class. There are several reasons PacketWise might not create a class:

  • Traffic discovery is disabled
  • PacketWise can't identify the traffic
  • There are so many classes in the traffic tree that more are not possible
  • An insufficient number of flows has passed to prompt PacketWise to create a new class (anywhere from one to 11 flows must pass before a traffic type gets its own class, depending on the type of traffic)
  • The PacketWise unit was recently plugged in and started monitoring long sessions that were already in progress. Until a new flow starts, this traffic all counts as Default. In these cases, the solution is simply to wait another few hours before you examine the tree.

In any of these cases, PacketWise matches the flow with the most appropriate Default class (usually Inbound's or Outbound's Default class).

Determining what traffic is in the Default class is usually not a concern or priority. But if the amount of traffic in a Default class increases sharply, or if most of your traffic is classified in the Default class, you'll probably want to figure out what that traffic is. Is there a new music download application that is consuming an inappropriate share of your bandwidth? Or is there a new critical application that you aren't protecting adequately? Or something else entirely?

Some of the same techniques used to identify the Default class' traffic can also be used to try to identify the traffic that PacketWise deposits in traffic classes with port numbers as names under the DiscoveredPorts folder.

Steps:

  1. Make sure that PacketWise would be classifying your mysterious traffic if it could.

    • Ensure traffic discovery is enabled.

      Perhaps you don't want PacketWise to create classes automatically because you are concerned that you'd clutter up your carefully crafted traffic tree in the process of getting the one class that interests you. If this is the case, then leave discovery off and follow the suggestions below. Once you identify the traffic, you can create a class manually.

    • Make sure your traffic tree has not exhausted PacketWise's supply of traffic classes or matching rules. If that is the case, PacketWise ceases creating new classes.

      You can check estimates of system boundaries based on model. Keep in mind that these are rough estimates of maximum limits that vary with real-time conditions. You can also check your real-time system limits from the command-line interface: examine the number of remaining traffic classes and matching rules to see whether they are approaching zero. From the command line, enter: sys limits

  2. Set Top Talkers and Top Listeners on the mysterious default or port-based class. PacketWise will track who are the top contributors and recipients of the traffic in the class. Let some time pass so that new traffic has a chance to pass and PacketWise has the opportunity to monitor.

  3. Examine your class' top contributors and recipients.

    If you configured a DNS server during installation and setup, then your Top Talkers and Top Listeners tables may contain domain names instead of the less decipherable IP addresses. But either way, do you recognize the clients or servers that are the top contributors? Do you know their associated applications/tasks? Can you call them on the telephone and ask them what they're doing?

  4. If there is a particular contributor or recipient that is of interest, create a distinct traffic class just for its traffic. Set Top Talkers and Top Listeners on that class as well to see if the information sheds any light.

  5. Use the CLI command traffic history recent <classname> for your class to see the date, time, IP address, port number, and URL for each flow in the specified class.

    If there is an IP address or DNS name that you'd like to explore further, do a traffic history find <host>. This command shows you which classes a host's flows hit, as well as the number of flows and the protocol. If the protocol cannot be identified, a dash (—) appears.

  6. Explore the mysterious default or port-based class further with the traffic flow CLI command. It has many options that display a variety of different information. If you enter traffic flow without any additional parameters, you get a list of the command's options.

    You can use the traffic flow command for a particular address that interests you (that you got from Top Listeners, for example), a particular class or host, a certain number of flows, and more. Here are some examples of useful variations on the traffic flow command:
      • For a summary: traffic flow -tuIo
      • For data on 100 flows from a single class such as Inbound's Default: traffic flow -tupIn 100 -c /inbound/default
      • For a single IP address: traffic flow -tupvA 192.168.1.10

    Do most users communicate with a common server or subnet? Note its IP address. Is there an associated service listed? If PacketWise identifies the service associated with a flow (even though it must classify it in a default class), it will display the application or protocol name. In these cases, your quest ends here.

  7. Repeat the same traffic flow command, this time adding the -A option followed by the IP address you noted in the previous step. This filters the output further so you're not confronted with such an overload of data.

  8. Use the information you isolated with the traffic flow command (such as the IP addresses associated with the mysterious traffic) with industry-standard networking utilities. Suggestions include:
    • Try an nslookup command from a PC command prompt to get the DNS name. You can also use the PacketWise CLI command dns rlookup <IPaddress>.
    • Try traceroute on a PC or UNIX machine to fill out your information on the mysterious traffic's path from source to destination.
    • Find out who owns the block of IP addresses by entering the IP address at a Whois site such as http://www.arin.net/whois/index.html.
    • Explore a search site (such as Google) to search for firewall-related postings for specific port numbers.

  9. As a final suggestion for more information, have PacketWise capture a log of the class' traffic and then feed that log to a sniffer or third-party analysis software such as EtherPeek. For instructions, see the Sniff without a Sniffer recommendation.
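The question in steps 6 and 7 (do most users talk to one common server, subnet or port?) is easier to answer once the flow list is tallied rather than read by eye. The script below is an added example, not PacketGuide or PacketWise code; the flow records in it are constructed to carry the fields the page says traffic flow reports (client, server, port, identified service) and do not reproduce the unit's actual output format.

```python
# Added example (not PacketWise code): triage flow records from a Default class
# to spot the common server, subnet or port, as step 6 asks. The record layout
# is constructed to carry the fields the page says "traffic flow" reports; it is
# not PacketWise's real output format.
import ipaddress
from collections import defaultdict

# Constructed sample flows: (client, server, server port, identified service).
# "-" marks a flow whose protocol PacketWise could not identify.
SAMPLE_FLOWS = [
    ("10.1.4.21", "203.0.113.10", 6881, "-"),
    ("10.1.4.22", "203.0.113.10", 6881, "-"),
    ("10.1.4.23", "203.0.113.11", 6881, "-"),
    ("10.1.4.21", "203.0.113.10", 6882, "-"),
    ("10.1.4.30", "198.51.100.7", 443, "HTTPS"),
    ("10.1.4.31", "198.51.100.7", 443, "HTTPS"),
    ("10.1.4.22", "203.0.113.12", 6881, "-"),
]


def summarize(flows, prefix=24):
    """Group unidentified flows by server, server subnet and port.

    Each table is a list of (key, flow count, distinct clients), sorted so the
    peer that many different clients talk to comes first; that is the server
    or subnet worth isolating with "traffic flow -A" and looking up next.
    """
    tables = {name: defaultdict(lambda: [0, set()])
              for name in ("servers", "subnets", "ports")}
    for client, server, port, service in flows:
        if service != "-":
            continue  # PacketWise already named it; nothing to investigate
        net = str(ipaddress.ip_network(f"{server}/{prefix}", strict=False))
        for name, key in (("servers", server), ("subnets", net), ("ports", port)):
            entry = tables[name][key]
            entry[0] += 1
            entry[1].add(client)
    return {
        name: sorted(((k, n, len(c)) for k, (n, c) in t.items()),
                     key=lambda row: (-row[2], -row[1]))
        for name, t in tables.items()
    }


if __name__ == "__main__":
    for name, rows in summarize(SAMPLE_FLOWS).items():
        print(name)
        for key, nflows, nclients in rows[:3]:
            print(f"  {key}: {nflows} flows from {nclients} distinct clients")
```

With the constructed sample, the 203.0.113.0/24 subnet and port 6881 surface as the common factor across three different clients, which is the address and port you would then feed to nslookup, whois or a capture in steps 8 and 9.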

Note: PacketWise's adaptive response feature can automatically monitor the size of default classes and notify you when the size grows unexpectedly. If you want to monitor a default class' traffic automatically without needing to check it manually, the adaptive response feature can be helpful. See Create Default Traffic Agents.

PacketGuide™ for PacketWise® 8.1