We're running SBS 2003 SP2 and I'm wondering if there's any easy way to find out where traffic during a specific time is generated from?
In my case, the overall traffic consumption per day is roughly 8GB. I'm not concerned about the general traffic (those 8GB mostly include transferring backup files during the night) but in a specific time frame.
Just an example: suddenly at 10:30 a.m. the internet connection slows down very notably. I checked our automated backup and other transfer services and none of them is running. I still have a network with about 15 PCs scattered around the building which could potentially generate the traffic.
We only have a small 2MBit line, thus the line can be quickly saturated during office hours. I'm not suspecting any user of doing something wrong, I think there's some software automated thing going on, but I'm not sure. Maybe it's the Windows or Adobe automated downloads, but how can I know for sure?
I was looking at the generated report from ISA 2004 already and see a lot of numbers, but I can't tell for sure between which time frame which client generated the traffic.
I can see the peak on the Server itself by going to the network tab in the task-manager and I see that the external 100Mbit interface is at 2% == 2Mbit, but I can't figure out where it's actually coming from exactly.
I think I can rule out that it is the Server itself generating the traffic, because the traffic graph from the external interface matches the LAN interface which serves my users (our DMZ interface, which contains our automated backup services, is at 0 at that time).
How can I further tackle the problem?
I'm sure there's a way to better interpret the info coming from your ISA server, but in case everything fails: "In wireshark we trust"
It runs on Windows too: http://www.wireshark.org/download.html
Agreed on other recommendations for Wireshark, but it might be overkill; netstat -an may give you enough info. You can't see the volume of traffic with it, but you can see source and destination.
I surely second the debugging with wireshark, it will give you both the sending and receiving IP address, the protocol and even the content, given it's not HTTPS/SSL.
But can't it just be that you are seeing somebody's ritual of coffee break news lurking? With homepages of news sites tending to 1 MB (with pictures and ads), a 2MB can quickly be capped. And 10h30 seems like a good time for a break for spiegel.de or a daily-webcomic-tour :)
SBS 2003 should have ISA 2004 installed on it, which should make it easy to get pretty detailed logging -- rather than the reports you can set to generate, which give you a summary of traffic over an interval of time, you need to look directly at the ISA logs, which can be set to log firewall, packet filtering, and web proxy traffic in an extremely detailed manner, either to log files or to a database. More about setting up logging in ISA 2004 here.
Some of these answers may help as well:
Who's using our bandwidth?
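One way to mine the detailed ISA logs mentioned above for exactly this question (which client moved how many bytes, and with which remote hosts, in a given quarter hour). This is an added example, not code from the thread or from ISA itself; it assumes a W3C Extended export whose #Fields: header includes time, c-ip, r-host, sc-bytes and cs-bytes, and the log lines below are constructed.

```python
from collections import defaultdict

# Constructed sample in ISA 2004 / W3C Extended log style (not a real log). Parsing
# follows the "#Fields:" header rather than a hard-coded column order; the column
# names time, c-ip, r-host, sc-bytes and cs-bytes are assumed to be present.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Fields: c-ip cs-username date time r-host sc-bytes cs-bytes cs-uri
192.168.1.21 DOMAIN\\alice 2009-05-12 10:29:58 www.example.com 1500 400 http://www.example.com/
192.168.1.42 DOMAIN\\bob 2009-05-12 10:30:05 download.example.net 2097152 600 http://download.example.net/a.exe
192.168.1.21 DOMAIN\\alice 2009-05-12 10:31:10 news.example.org 900000 700 http://news.example.org/
192.168.1.42 DOMAIN\\bob 2009-05-12 10:33:40 download.example.net 3145728 600 http://download.example.net/b.exe
192.168.1.77 DOMAIN\\carol 2009-05-12 10:50:00 mail.example.com 20000 5000 http://mail.example.com/
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header can repeat when the log rolls over
        elif line.startswith("#") or not line.strip():
            continue                         # other directives and blank lines
        elif fields is not None:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed records
                yield dict(zip(fields, values))

def bytes_by(text, key, start, end, client=None):
    """Sum sc-bytes + cs-bytes per distinct value of `key` ("c-ip" for who, "r-host"
    for where) over records whose time lies in [start, end), largest first.
    start/end are "HH:MM" strings; zero-padded times compare correctly as text."""
    totals = defaultdict(int)
    for rec in parse_w3c(text):
        if client is not None and rec["c-ip"] != client:
            continue                         # optionally narrow to one client
        if start <= rec["time"] < end:
            totals[rec[key]] += int(rec["sc-bytes"]) + int(rec["cs-bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    # Who was busy between 10:30 and 10:45, and with which remote hosts?
    for ip, total in bytes_by(SAMPLE_LOG, "c-ip", "10:30", "10:45"):
        print(f"{ip:15} {total:>10} bytes", bytes_by(SAMPLE_LOG, "r-host", "10:30", "10:45", client=ip)[:3])
```

Point it at a real exported log file (read with `open(...).read()`) and the same two calls answer "who" and "where" for any window.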
I use ntop for this sort of thing almost daily. It'll tell you who has the traffic and where they're going if so desired. Very slick and easy to set up.