WAN traffic logs needed

dieter

Hello,

On frequent occasions, WAN traffic from my laptop drops from 60Mbps to 12Mbps. I have a variety of non-computer devices on my network (Chromecast, Ooma, Roku, etc.) which are not being used when this slowdown is happening. I'm trying to find out what is going on.

My DLink DIR655 provides an internet sessions log, but there are no time stamps. Also I have not found what COUNT and Time Out mean in that log.

Are there any tools which will provide for logs of detailed WAN traffic?
Or do any routers generate detailed, time stamped activity traffic logs?

Thanks, Dieter
 
You could start by creating a free "ping" monitor from someone like http://www.thinkbroadband.com/ping (preferably local to your country)

You will then be able to monitor the latency of your internet service. The slowdowns might be a problem with your ISP. If so this will show it.
 
ThinkBroadband does not appear to work in the USA. Any other tools to monitor the Comcast broadband?
Are there any routers which can replicate the WAN port, which then can be monitored?
 
ThinkBroadband does not appear to work in the USA. Any other tools to monitor the Comcast broadband?
Are there any routers which can replicate the WAN port, which then can be monitored?

Use tcpdump and/or mirror all traffic to another device?

I have port-mirrored with Cisco devices, and the results were as-expected.
 
That won't monitor the latency between his cable modem and his ISP.

I thought he was trying to detect which device was using up 48Mbits of his 60Mbit internet connection, not latency. (Though, latency & bandwidth are interrelated.) There is nothing lost if he combines both of our options. :)

I have no experience with it, but perhaps SNMP could be useful as well?
 
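An added example, not part of the original thread: one way to turn a tcpdump capture into the time-stamped, per-device log asked for above. It assumes text output in the shape printed by `tcpdump -tttt -n -q`, a LAN prefix of 192.168.0.0/24, and hypothetical function names; the sample lines are constructed, not a real capture.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -tttt -n -q` output (not a real capture).
SAMPLE = """\
2016-06-03 12:00:01.100000 IP 192.168.0.10.51514 > 203.0.113.5.443: tcp 1448
2016-06-03 12:00:01.200000 IP 203.0.113.5.443 > 192.168.0.10.51514: tcp 0
2016-06-03 12:00:30.000000 IP 192.168.0.23.40000 > 198.51.100.7.443: tcp 1200
2016-06-03 12:00:45.500000 IP 192.168.0.23.5353 > 224.0.0.251.5353: UDP, length 90
2016-06-03 12:01:02.000000 IP 198.51.100.7.443 > 192.168.0.23.40000: tcp 1448
2016-06-03 12:01:03.000000 IP 198.51.100.7.443 > 192.168.0.23.40000: tcp 1448
2016-06-03 12:01:04.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.10, length 28
"""

# Matches IPv4 TCP/UDP lines only; ARP, ICMP and IPv6 lines are skipped.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d\.\d+ IP "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?:tcp |UDP, length )(\d+)")

def per_minute_usage(text, lan="192.168.0.0/24"):
    """Sum payload bytes per (minute, LAN host), split into up and down."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN prefix
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        minute, src, dst, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(src) in lan_net:
            usage[(minute, src)]["up"] += length
        elif ipaddress.ip_address(dst) in lan_net:
            usage[(minute, dst)]["down"] += length
    return dict(usage)

def top_talker(usage, minute):
    """Return the LAN host with the most bytes in that minute, or None."""
    rows = [(c["up"] + c["down"], host)
            for (m, host), c in usage.items() if m == minute]
    return max(rows)[1] if rows else None

if __name__ == "__main__":
    for (minute, host), c in sorted(per_minute_usage(SAMPLE).items()):
        print(f"{minute}  {host:15}  up={c['up']:>6}  down={c['down']:>6}")
```

The capture has to be taken on the LAN side of the router: on the WAN side, NAT makes every flow appear to come from the router's single public address, so per-device attribution is lost. The totals are payload bytes as reported by tcpdump, not bytes on the wire.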
Yeah, sorry. We were talking at crossed purposes. :)

He asked about monitoring his WAN. I suggested that an external latency monitor might reveal the problem is with his ISP rather than his home network. Unfortunately I don't know of any services based in the US.
 
Yeah, sorry. We were talking at crossed purposes. :)

He asked about monitoring his WAN. I suggested that an external latency monitor might reveal the problem is with his ISP rather than his home network. Unfortunately I don't know of any services based in the US.

I am just curious, how do the results of an external ping monitor differ from those of an internal one (like me just running "ping")?
 
I am just curious, how do the results of an external ping monitor differ from those of an internal one (like me just running "ping")?
There shouldn't be any difference really. Actually, it's better if you run your own because you can choose a particular route to test.

But the main advantage is that you don't have to have something running on your network (preferably the router) 24x7. And something like thinkbroadband's monitor produces nice graphs, keeps historical information for comparison and is free.
 
There shouldn't be any difference really. Actually, it's better if you run your own because you can choose a particular route to test.

But the main advantage is that you don't have to have something running on your network (preferably the router) 24x7. And something like thinkbroadband's monitor produces nice graphs, keeps historical information for comparison and is free.

As much as I prefer pfSense's capabilities & open-sourcery, the rrd graphs it spits out are a big part of why I prefer pfSense over standard routers.

Example: [two graph images]
 
Nice. Sort of similar to thinkbroadband's but more detailed. The advantage of thinkbroadband is it requires no special equipment or technical knowledge to set up.

 
Ok, so I have a Dlink DIR655, which I believe does not support port replication. Which home routers (if any) have such a feature?
 
Ok, so I have a Dlink DIR655, which I believe does not support port replication. Which home routers (if any) have such a feature?

Have you checked out SNMP?
 
On frequent occasions, WAN traffic from my laptop drops from 60Mbps to 12Mbps.
Intriguing. How do you know this?

Are there any tools which will provide for logs of detailed WAN traffic?
Please do let us know what you find!

Or do any routers generate detailed, time stamped activity traffic logs
My Asus comes close ... kinda. It gives me a 10 minute real time graphical view of WAN traffic. (I can also view by Ethernet, 2.4 GHz and 5 GHz.) I can also view a 24 hour graphical depiction. I can click on any point of interest on any of the charts and it will give me time and Mbps.

Mr. Taylor makes a good point. Towards that I use a product called PingPlotter. You load it onto a local PC and just run it. It graphs an automated series of pings and tracerts for hours at a time. You get a graphic of latency, % packet loss and ... you get a graphic showing all the hops between you and your target with latency and packet loss for each hop.

I thought I was shooting a traffic problem so I had my Asus traffic monitor running on a 2nd screen as I went about my day. Just because I could ... I also had my PingPlotter view sitting on top of my view of the traffic kinda like an overlay (see my Avatar).

Halfway through the day we had an outage. I looked at my traffic monitor. Little to nothing. I looked at PingPlotter. 70% packet loss at hop 3 which carried all the way through to the target. Hop 3 was my ISP's router.

Same technique also revealed a problem on our local network (which we were also able to fix).

Best of Luck!
 
So I have a thought. Can I put an ethernet switch on the port going to the Internet (to the cable modem), and then run WireShark from a PC also hooked up to the switch? In other words, is this a way to port-replicate?

1. I run the Ookla speed test several times a day.
 
My mid-day slowdown happened again today. So I turned ON MAC Filtering on the DIR655, and allowed ONLY (but all of) my MAC addresses. And the slowdown stopped!

At the time of the slowdown, my hardwired machine worked fine at 60Mbps. But the wireless connection list did not show any strange devices...

I have no clue what is causing my WAN slowdown.

Dieter
 
So I have a thought. Can I put an ethernet switch on the port going to the Internet (to the cable modem), and then run WireShark from a PC also hooked up to the switch? In other words, is this a way to port-replicate?
OK. I'll give you a dumb answer, that will bump your post back to the top and maybe someone will give you the right answer :-) A switch is simply a multi-port bridge. It protects your bandwidth by blocking other users, thus your wireshark PC would not be able to see what's going up and down on the WAN port.

That said higher end (not cheap) switches have management software that would allow you to "span ports" (port mirroring) thus allowing wireshark to see your WAN traffic.

I don't think an old fashioned hub (multi-port repeater, all ports see all ports) would work because they're only half duplex.

One would think there'd be a cheap three port switch, with "span" (mirroring) already enabled, available for exactly what you say, wouldn't one?

1. I run the Ookla speed test several times a day.
OK. So luck of the draw? You just randomly run speed test and get good or bad results?
 
My mid-day slowdown happened again today. So I turned ON MAC Filtering on the DIR655, and allowed ONLY (but all of) my MAC addresses. And the slowdown stopped!

At the time of the slowdown, my hardwired machine worked fine at 60Mbps. But the wireless connection list did not show any strange devices...

I have no clue what is causing my WAN slowdown.

Dieter
OK. I'm confused. You were doing whatever, things got slow, you ran a speed test and it was bad. So you ran another speed test from a wired PC and it was good. So you then applied MAC filters and everything got good?
 
...
I don't think an old fashioned hub (multi-port repeater, all ports see all ports) would work because they're only half duplex.
...

With a hub, if your connected NIC runs in promiscuous mode, it can see all LAN traffic. Check the 1st and 3rd paragraphs of the Wikipedia article about promiscuous mode. I think duplex type is an unrelated topic, but I am not sure.
 
I think duplex type is an unrelated topic, but I am not sure.
Well, probably irrelevant anyway. Can't even remember the last time I saw a hub :-)

Dieter wanted to load wireshark onto a PC and view the traffic between his router's WAN port and the modem.

Full duplex uses one pair to send and a different pair to receive on. Half uses a single pair for both send and receive. Since hubs support half duplex only I was just speculating whether a hub would, or would not, work as a tap but,
  1. He'd be hard pressed to find a hub.
  2. I do not know if newer devices even bother to negotiate full or half duplex anymore.
  3. He'd be effectively reducing WAN speed (even further).
But yes, wireshark would reset his PC port to promiscuous.
 