

Help me understand the logs

Help
aRiyano
2012-07-29
2013-04-24
  • aRiyano, 2012-07-29

    Hi, I have successfully installed bandwidthd on Windows and it's capturing data.
    I'm just confused about the in/out traffic being monitored.

    Can someone help me understand how the bandwidth is being monitored? And what is the in and out?

    Why I'm confused is that I see a lot of Total Sent, but I'm unable to determine if it's true, as I see that on many of the IPs.

    Total Sent is the upload, right? And another thing is, I see a lot of P2P traffic while I do not have any P2P running.

    How can I check for major bandwidth hogs?

    Aj.

  • Alestan, 2012-09-15

    The bandwidth is being monitored by libpcap, or whatever the Windows version thereof is. It is callback driven: bandwidthd supplies it with a function that it calls for every packet libpcap sees. You can adjust which packets these are via the config file, but by default it should see all broadcast packets and all IPv4 packets. Bandwidthd then decides if it needs to process the packet: if the send or recv address is in the subnet you've told it to monitor, then it processes the packet. It maintains one table of IP addresses it has seen that fall in the specified subnet. If the packet is destined for an IP address in the subnet, it adds the length of the packet to the recv table for that IP; the recv table also has information about the port to which the packet was sent, and the length of the packet increments the appropriate columns in the table. The same is done for the sending IP address. (Note that if both the sending and receiving address are in the subnet given, the packet is effectively double counted.) I don't know about the configuration when using the CDF file and C-generated HTML, but when configured with Postgres, the data are reported in KB.

    You are correct that the total sent is upload, while the total received is download. The reason you see the P2P traffic is because bandwidthd does no true traffic analysis. Instead, it looks at the port of the packets it processes. If it is port 80, 8080 or 443, then it assumes it is HTTP traffic. P2P has a long list of ports associated with it; something generating traffic that bandwidthd sees is using a P2P port, even if it is not P2P itself. It is common for off-the-wall programs to use these ports because firewalls are less likely to block them than some of the other ports. The other thing to keep in mind is that some software is P2P that you wouldn't realise. The most common one I see at work is iTunes, but some game updaters (WoW, I believe) also use a P2P model to distribute content. I haven't run Windows in 6 years or so, so if I don't remember exactly how to do this, you'll need to figure it out yourself, but I believe the program netstat can give you information on what programs are using what ports. Something like netstat -a or netstat -e, or maybe /a, will give you the complete list. I'd start with netstat /? and see what it says. If you pull the bandwidthd source code, you can get the list of ports associated with the various protocols and see what programs are using those ports.

    As for major bandwidth hogs, I'm less certain. If you are looking on a single computer, I believe Wireshark is available for Windows; it also uses libpcap, but it gives more detailed information. If you are dealing with multiple computers, make sure bandwidthd is configured in whatever the Windows equivalent of promiscuous mode is and use it to find the computers using the most bandwidth, then use Wireshark to analyse the major sources of traffic. Once you have the ports sending the most traffic, you can again use netstat to find the program using them.

    I hope I've answered your questions well enough; if you have more, just ask.

    Regards,
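The per-IP accounting and port-based classification that the answer above describes, modelled as an added example (this is not bandwidthd's own code, and the only port rule taken from the post is 80/8080/443 = HTTP). The P2P port set, the subnet and the packets are constructed placeholders. The model shows three things the post explains: why a non-P2P program that happens to use a "P2P" port is reported as P2P, why a packet between two hosts inside the monitored subnet is counted twice, and how a top-talkers list (the "bandwidth hogs" question) falls out of the same table.

```python
"""Simplified model of bandwidthd-style per-IP, per-port accounting.

Added illustration based on the forum answer, not bandwidthd's code.
Assumptions are marked as such; sample data is constructed.
"""
import ipaddress
from collections import defaultdict

# Stated in the post: 80, 8080 and 443 are treated as HTTP.
HTTP_PORTS = {80, 8080, 443}
# Assumed placeholder set standing in for bandwidthd's long P2P port list.
P2P_PORTS = {4662, 6881, 6882}


def classify(src_port, dst_port):
    """Port-only classification: no payload inspection, exactly as described."""
    ports = {src_port, dst_port}
    if ports & HTTP_PORTS:
        return "http"
    if ports & P2P_PORTS:
        return "p2p"
    return "other"


def account(packets, subnet):
    """Build table[ip] = {"recv": {class: bytes}, "sent": {class: bytes}}.

    Each packet is (src_ip, src_port, dst_ip, dst_port, length).
    A packet whose src and dst are both in the subnet is added to both
    the sender's "sent" row and the receiver's "recv" row (double counted).
    """
    net = ipaddress.ip_network(subnet)
    table = defaultdict(lambda: {"recv": defaultdict(int), "sent": defaultdict(int)})
    for src, sport, dst, dport, length in packets:
        cls = classify(sport, dport)
        if ipaddress.ip_address(dst) in net:
            table[dst]["recv"][cls] += length
        if ipaddress.ip_address(src) in net:
            table[src]["sent"][cls] += length
    return table


def totals(table, ip):
    """(Total Sent, Total Received) for one host, i.e. upload and download."""
    sent = sum(table[ip]["sent"].values())
    recv = sum(table[ip]["recv"].values())
    return sent, recv


def top_talkers(table):
    """Hosts ordered by sent + received bytes: the 'bandwidth hogs' view."""
    ranked = [(ip, sum(totals(table, ip))) for ip in table]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def counted_bytes(table):
    """Sum of every cell in the table; exceeds wire bytes when double counting occurs."""
    return sum(sum(totals(table, ip)) for ip in table)


# Constructed sample capture: monitored subnet is 192.168.1.0/24 (assumed).
SAMPLE_PACKETS = [
    # .10 fetches a web page: small request out, large response in.
    ("192.168.1.10", 51000, "93.184.216.34", 443, 1500),
    ("93.184.216.34", 443, "192.168.1.10", 51000, 60000),
    # .20 runs a non-P2P tool that happens to listen on 6881: reported as p2p.
    ("192.168.1.20", 6881, "10.0.0.5", 40000, 1000),
    # Internal SSH traffic between two monitored hosts: counted for both.
    ("192.168.1.10", 50000, "192.168.1.20", 22, 800),
]
WIRE_BYTES = sum(p[4] for p in SAMPLE_PACKETS)  # 63300 bytes actually seen


if __name__ == "__main__":
    t = account(SAMPLE_PACKETS, "192.168.1.0/24")
    for ip, _ in top_talkers(t):
        print(ip, "sent/recv:", totals(t, ip), "by class:", dict(t[ip]["sent"]), dict(t[ip]["recv"]))
    print("bytes on wire:", WIRE_BYTES, "bytes in table:", counted_bytes(t))
```

Running it ranks 192.168.1.10 first and shows the 800-byte internal packet appearing in both hosts' rows, so the table total is 64100 against 63300 bytes on the wire. The "p2p" label on 192.168.1.20 comes purely from port 6881, which is the point the answer makes about P2P showing up on a machine with no P2P client: the next step on that host is a port-to-process lookup (netstat, as suggested) rather than trusting the label.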