We have been noticing for several weeks that we are using most of our bandwidth for no apparent reason. We use MRTG to watch which buildings on our campus are using bandwidth and in some cases are able to monitor to the port level in buildings. Some time back we installed a Packeteer Packetshaper to be able to control how the bandwidth was being used since implementing QOS wasn't an option. The Packetshaper is showing at least 10 to 20 percent of our bandwidth at any given time as being used by the "Default" traffic class. How can we get an idea of what is using the bandwidth that is being reported as "Default" class? -- Via the Internet
You will learn that the Packeteer can be your friend - it is the world's biggest gossip on a network. The first thing you should go do is to check that you are on the latest firmware image for the particular PacketShaper model that you have, and download a newer one if needed. Also, check to make sure that you have the latest plug-ins installed as well, so that the PacketShaper can do the job you need it to.
Once this is done, go into the Default traffic class for the inbound side of the Packeteer configuration. Enable the Top Listeners option and give the Packeteer a few minutes to start collecting the information. What you have just done is to tell the PacketShaper to start collecting a list of the IP addresses of everyone who is being seen by the default traffic class.
Once you have some IP addresses to work from, pull out your laptop and a protocol analyser and do some snooping. Either by port mirroring/spanning, or plugging directly into the building, or by watching directly at your Internet connection, look specifically for all traffic going to and from the suspect IP address. You will want to look for traffic that is using port numbers other than the standard stuff such as www, smtp, etc. Look for patterns in the communication that you would not normally expect to see. Look at the packet decodes to see if you can tell what is going on.
Once you have looked at one or more packet captures, you will probably notice a pattern where you can't see anything intelligible in the payload area of the packet decodes. If you are seeing what I expect, you are looking at some of the peer-to-peer file sharing software that has implemented both port roaming and traffic encryption.
Without seeing your decodes, I am going to guess you are looking at traffic generated by either ARES or other new packages that have gone the encryption route. Make sure that you have the new plug-ins loaded and have restarted the PacketShaper. Create a new traffic class and set it to Discard so the traffic is dropped at the PacketShaper. You will want to do this for both inbound and outbound segments of the Packeteer.
You should start seeing a drop in the default traffic class. In addition to discarding the ARES and/or other peer-to-peer traffic, you may want to consider partitioning or limiting the amount of bandwidth that the default traffic class is allowed to use. Anytime that you want to know what is going on with your bandwidth, the Packeteer can tell you who is using what, and then you can use a protocol analyser to see what is going on with a particular connection.
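The triage the answer describes (rank hosts by bytes the way Top Listeners does, then single out flows on non-standard ports whose payload looks opaque) can be scripted against a flow summary exported from your analyser. This is an added example, not part of the original column or of any Packeteer tool; the hosts, ports and payload samples are constructed, and the byte-entropy threshold of 7.0 bits is an assumption you should tune against your own captures.

```python
import math
from collections import Counter, defaultdict

# Constructed flow records (hypothetical addresses, not from the original page):
# (src_ip, dst_ip, dst_port, bytes, first payload bytes seen in the capture)
WELL_KNOWN_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"
# Stand-in for an encrypted P2P payload: every byte value equally often (8 bits/byte)
OPAQUE_SAMPLE = bytes(range(256)) * 2

FLOWS = [
    ("10.20.30.40", "198.51.100.7", 80, 120_000, HTTP_SAMPLE),
    ("10.20.30.40", "203.0.113.9", 41867, 9_800_000, OPAQUE_SAMPLE),
    ("10.20.30.41", "203.0.113.10", 443, 450_000, OPAQUE_SAMPLE),  # TLS: opaque, known port
    ("10.20.30.42", "198.51.100.8", 58211, 7_300_000, OPAQUE_SAMPLE),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for a uniform byte mix, roughly 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def bytes_per_host(flows):
    """Total bytes per local host, largest first (the Top Listeners idea)."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes, _payload in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def suspect_flows(flows, known_ports=WELL_KNOWN_PORTS, min_entropy=7.0):
    """Flows on non-standard ports whose payload is unintelligible (likely encrypted P2P)."""
    return [
        (src, dst, port)
        for src, dst, port, _nbytes, payload in flows
        if port not in known_ports and shannon_entropy(payload) >= min_entropy
    ]

if __name__ == "__main__":
    for host, total in bytes_per_host(FLOWS):
        print(f"{host}: {total} bytes")
    for src, dst, port in suspect_flows(FLOWS):
        print(f"candidate for a Discard class: {src} -> {dst}:{port}")
```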