When 28 users share a T3 line (45 Mbps) and experience daytime slowdowns, the culprit is typically one of these scenarios:
- Background updates (Windows Update, Dropbox sync)
- P2P traffic from unaware users
- Video streaming during work hours
- Malware/compromised devices
1. SNMP-Based Monitoring (Quick Setup)
```python
# Python example using PySNMP: walk ifInOctets for every interface
from pysnmp.hlapi import *

for (errorIndication,
     errorStatus,
     errorIndex,
     varBinds) in nextCmd(SnmpEngine(),
                          CommunityData('public'),  # replace with your read-only community string
                          UdpTransportTarget(('router_ip', 161)),  # placeholder router address
                          ContextData(),
                          ObjectType(ObjectIdentity('IF-MIB', 'ifInOctets')),
                          lexicographicMode=False):  # stop at the end of the ifInOctets column
    if errorIndication:
        print(errorIndication)
    elif errorStatus:
        print(errorStatus)
    else:
        for varBind in varBinds:
            print(varBind)
```
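The walk above prints raw ifInOctets counters, which only become useful once two successive polls are turned into a rate. The following is an added example, not code from the original page: it converts counter samples into Mbps and percent of the 45 Mbps T3, allowing for Counter32 wraparound. The poll values, the 80% threshold and the function names are constructed for illustration.

```python
# Added example: turn successive ifInOctets samples into link utilization.
COUNTER32_MAX = 2**32      # ifInOctets is a Counter32 and wraps at 2^32
T3_BPS = 45_000_000        # T3 rate quoted on the page

# Constructed (unix_time, ifInOctets) polls, 60 s apart; the third one wraps.
POLLS = [(0, 4_000_000_000), (60, 4_150_000_000),
         (120, 155_032_704), (180, 200_032_704)]


def octet_delta(prev, curr, modulus=COUNTER32_MAX):
    """Octets received between two polls, allowing for one counter wrap."""
    return curr - prev if curr >= prev else modulus - prev + curr


def utilization(prev, curr, interval_s, link_bps=T3_BPS):
    """Return (mbps, percent_of_link) for one poll interval.

    Returns None when the computed rate exceeds the link rate, which
    indicates multiple wraps or a counter reset (for example a reboot).
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    bps = octet_delta(prev, curr) * 8 / interval_s
    if bps > link_bps * 1.05:  # small tolerance for poll timing jitter
        return None
    return bps / 1e6, 100 * bps / link_bps


def busy_intervals(samples, threshold_pct=80, link_bps=T3_BPS):
    """Return [(end_time, mbps, pct)] for intervals at or above the threshold."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        result = utilization(c0, c1, t1 - t0, link_bps)
        if result and result[1] >= threshold_pct:
            out.append((t1, round(result[0], 2), round(result[1], 1)))
    return out


if __name__ == "__main__":
    for t, mbps, pct in busy_intervals(POLLS):
        print(f"t={t}s  {mbps} Mbps  {pct}% of T3")
```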
2. Deep Packet Inspection (DPI)
For protocol-level analysis:
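```cpp
// C++ example using libpcap
#include <pcap.h>
#include <cstdio>
int main() {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
    if (!handle) { std::fprintf(stderr, "pcap_open_live: %s\n", errbuf); return 1; }
    struct pcap_pkthdr header;
    const u_char *packet = pcap_next(handle, &header);  // NULL if no packet arrived before the timeout
    // Analyze packet headers here
    pcap_close(handle);
}
```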
Recommended Tools:
Tool | Best For | Protocols Supported |
---|---|---|
PRTG | SNMP monitoring | HTTP, FTP, VoIP |
Wireshark | Packet analysis | All Layer 7 protocols |
ntopng | Real-time traffic | 2000+ application protocols |
Sample Cisco IOS QoS configuration:
```
class-map match-any P2P-TRAFFIC
 match protocol bittorrent
 match protocol edonkey
policy-map LIMIT-P2P
 class P2P-TRAFFIC
  police 1000000 conform-action transmit exceed-action drop
interface FastEthernet0/0
 service-policy output LIMIT-P2P
```
Python script for threshold-based alerts:
```python
import smtplib
import time

import psutil


def check_bandwidth(interface, threshold=70):
    """Alert when one-second throughput on `interface` exceeds `threshold` (Mbps)."""
    stats = psutil.net_io_counters(pernic=True)[interface]
    total = stats.bytes_sent + stats.bytes_recv
    time.sleep(1)
    new_stats = psutil.net_io_counters(pernic=True)[interface]
    new_total = new_stats.bytes_sent + new_stats.bytes_recv
    usage = ((new_total - total) / 1000000) * 8  # Mbps
    if usage > threshold:
        send_alert(f"Bandwidth threshold exceeded: {usage} Mbps")


def send_alert(message):
    # Placeholder host and credentials; load real ones from a secrets store
    with smtplib.SMTP('smtp.example.com', 587) as server:
        server.starttls()
        server.login("admin@example.com", "password")
        server.sendmail("admin@example.com", "it-team@example.com", message)
```
When a T3 line (45 Mbps) slows to a crawl for 28 users, the culprit is often hidden in the traffic patterns. Common offenders include:
- Cloud backup services saturating upload
- Automatic Windows updates during work hours
- Streaming media consumption (Spotify/YouTube)
- P2P file sharing applications
Here's a Python script using Scapy to capture bandwidth hogs:
```python
from scapy.all import *
from collections import defaultdict

bandwidth = defaultdict(int)  # (src, dst) -> bytes seen


def packet_handler(pkt):
    if IP in pkt:
        src = pkt[IP].src
        dst = pkt[IP].dst
        bandwidth[(src, dst)] += len(pkt)


# Capture for 60 seconds without keeping packets in memory
sniff(prn=packet_handler, timeout=60, store=False)

# Print top talkers
for flow, nbytes in sorted(bandwidth.items(), key=lambda x: x[1], reverse=True)[:5]:
    print(f"{flow[0]} -> {flow[1]}: {nbytes/1024:.2f} KB")
```
For deep protocol analysis, these Wireshark display filters are invaluable:
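```
# Find large transfers (frame.time is an absolute timestamp; include the
# capture date in the strings if your Wireshark version rejects time-only values)
tcp.len > 1000 and frame.time >= "09:00:00" and frame.time <= "17:00:00"

# Detect video streaming
http.request.uri matches "googlevideo|videoplayback"

# Identify torrent traffic
bittorrent or bt-dht or udp.port in {6881 6889 6969}
```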
On enterprise routers (Cisco example):
```
class-map match-any NON_ESSENTIAL
 match protocol bittorrent
 match protocol netflix
 match dscp cs1
policy-map OFFICE_QOS
 class NON_ESSENTIAL
  bandwidth remaining percent 5
 class class-default
  bandwidth remaining percent 95
```
For those preferring GUI tools:
Tool | Best For | License |
---|---|---|
PRTG | Historical trending | Free (100 sensors) |
ntopng | Real-time flows | Open source |
Darkstat | Lightweight | BSD |
Remember to check for:
- Chromecasts auto-updating 4K screensavers
- Dropbox/OneDrive continuous sync
- VoIP calls using excessive bandwidth