Wireshark: How to Identify Top Talkers in the Network

I hope you have seen my previous post about identifying whether there are microbursts in the network. If not, please read it first, as this post is an extension of it.

So, we have seen how to identify microbursts in the network. Once you identify microbursts, you tend to look for the hosts that might be sending bursts or huge amounts of data (basically the top talkers), and why. Fortunately, there are several ways to identify them:

  1. Configure top talkers on the router (Cisco).
  2. Take a Wireshark packet capture.
  3. Configure NetFlow and export the stats to an external server.

In this post I am going to discuss two of these methods: the first and the second.

Let's discuss the first one.

A Cisco router gives us an excellent way to identify top talkers in the network on a per-IP basis. Below is how we can configure it.

Router(config)#ip flow-top-talkers
Router(config-flow-top-talkers)#top 20
Router(config-flow-top-talkers)#sort-by bytes
Router(config-flow-top-talkers)#cache-timeout 1000
Router(config-flow-top-talkers)#match protocol tcp

Enabling the flow cache on interfaces:

Router(config)#int gi 0/0
Router(config-if)#ip flow egress
Router(config-if)#ip flow ingress

Once the router is configured, it starts caching flows and shows the entries sorted the way you configured; here I wanted to see the flows sorted by number of bytes. The following is sample output:

Top-Talkers

This is how you can identify the top talkers in the network with the help of a Cisco router. Another way to identify top talkers is with Wireshark, which I explain below.

Suppose you have taken a packet capture at the network egress in the hope of identifying the top talkers in your network. Instead of checking packets one by one, Wireshark provides a very simple way to track this. Go to Statistics > Conversations and the following window pops up. Click the IPv4 tab, then click the Bytes column to sort the flows by number of bytes, and you are done!

Wireshark-top-talkers

This is a very handy way to identify top talkers in the network.
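The same aggregation as the Conversations view sorted by Bytes can be scripted when a capture has to be processed without the GUI. The following is an added example, not part of the original post: it reads a classic Ethernet pcap file and totals bytes per IPv4 address pair. The function names and the sample capture (built from documentation addresses) are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def ipv4_conversations(pcap: bytes) -> list:
    """Return [((addr_a, addr_b), total_bytes), ...], largest conversation first."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only Ethernet II frames carrying IPv4; VLAN-tagged frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        # Sorting the pair makes the key direction-independent (A->B and B->A merge).
        a, b = sorted((IPv4Address(frame[26:30]), IPv4Address(frame[30:34])))
        # orig_len is the on-wire size, so a snaplen-truncated capture still totals right.
        totals[(str(a), str(b))] += orig_len
    return totals.most_common()

def _frame(src: str, dst: str, size: int) -> bytes:
    """Constructed Ethernet/IPv4 frame of `size` bytes (rest zero-filled)."""
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x45]) + bytes(11) + IPv4Address(src).packed + IPv4Address(dst).packed
    return (eth + ip).ljust(size, b"\x00")

def sample_pcap() -> bytes:
    """Constructed capture using RFC 5737 documentation addresses."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [("192.0.2.10", "198.51.100.5", 1500), ("198.51.100.5", "192.0.2.10", 60),
            ("192.0.2.10", "198.51.100.5", 1500), ("192.0.2.20", "198.51.100.5", 400)]
    body = b"".join(struct.pack("<IIII", i, 0, size, size) + _frame(s, d, size)
                    for i, (s, d, size) in enumerate(pkts))
    return hdr + body

if __name__ == "__main__":
    for (a, b), nbytes in ipv4_conversations(sample_pcap()):
        print(f"{a:<15} <-> {b:<15} {nbytes:>8} bytes")
```

To run it on a real capture, pass the bytes of a file saved in pcap (not pcapng) format to `ipv4_conversations`.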

Thanks for reaching out to this blog. Please rate the post and follow the blog for email updates about new posts.

Stay tuned and happy learning.
