Who's Hogging the Bandwidth?


The internet is slow at the moment. I want to know who's using it.

The best way to see what's eating up your bandwidth "right now" is to use a program built into IPCop called "iftop". It is a command-line program that shows a bar chart along with numbers for the top current connections. Wikipedia has a brief description of the program here:
http://en.wikipedia.org/wiki/Iftop

To use this program you just need to install on your PC a secure teletype program called "putty", which allows you to log in to IPCop from your PC. (This sounds scary, but after you've done it twice, you'll never think about it again.) Putty doesn't need to be installed in Windows; it's just a simple executable. Copy it someplace logical like inside the "Program Files" folder, then make a shortcut on your desktop to run it.

When you launch putty, you need to tell it you want to connect to IPCop (use its DNS name, or its green IP number) AND it's important to change the port number from the default 22 to port 222. You log in as root, NOT admin.

Once you get logged into IPCop, it gets easy. You just need to type iftop to run the program. (Remember that everything is case sensitive on Linux.)

I like to see port numbers, so I start it with:

iftop -PN

You'll see a display that updates every couple of seconds, showing the busiest connections at the top of the screen. After watching for about a minute, any continuous large downloads will be apparent, as other connections tend to come and go very quickly. You'll notice your own computer has a small constant stream of data going on port 222, which is the constant screen updates that you're watching iftop with. :)

To quit iftop, type ctrl-c.
To close putty and disconnect from IPCop, type "exit".
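
The "watch for a minute" rule in script form, as an added example that is not part of the original post: it assumes an iftop build with text mode (-t), which your IPCop's iftop may not have, and uses the 40-second average column to separate continuous downloads from brief bursts. THRESH_KB and the function names are hypothetical, and the snapshot is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an iftop build that has
# text mode (-t); a snapshot would be captured on the firewall with e.g.
#   iftop -t -s 40 -PN -i eth0 > snapshot.txt
# THRESH_KB is a hypothetical knob: minimum 40 s average rate in Kb/s.

sustained_flows() {
    # stdin: iftop -t output. stdout: "hostA hostB A->B_40s B->A_40s"
    awk -v thresh_kb="${THRESH_KB:-500}" '
    # Convert an iftop rate such as "15.3Mb" to bits/s. Units are taken as
    # powers of 1000 (an approximation, good enough for a threshold test).
    function bits(s,   n) {
        n = s + 0
        if (s ~ /Gb$/) return n * 1000000000
        if (s ~ /Mb$/) return n * 1000000
        if (s ~ /Kb$/) return n * 1000
        return n
    }
    # First line of a pair: <n> <hostA> => <2s> <10s> <40s> <cumulative>
    $3 == "=>" && NF == 7 { a = $2; out40 = $6; have = 1; next }
    # Second line of a pair: <hostB> <= <2s> <10s> <40s> <cumulative>
    $2 == "<=" && NF == 6 && have {
        have = 0
        if (bits(out40) >= thresh_kb * 1000 || bits($5) >= thresh_kb * 1000)
            print a, $1, out40, $5
    }'
}

# Constructed sample snapshot (green interface, made-up addresses and rates).
sample_snapshot() {
cat <<'EOF'
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------
   1 192.168.1.23:51044                       =>     96.2Kb     91.0Kb     88.4Kb      442KB
     198.51.100.7:80                          <=     4.10Mb     3.95Mb     3.88Mb     19.4MB
   2 192.168.1.40:49822                       =>     12.0Kb     2.40Kb       600b     3.00KB
     203.0.113.9:443                          <=     1.90Mb      380Kb     95.0Kb      475KB
   3 192.168.1.1:222                          =>     9.80Kb     9.60Kb     9.50Kb     47.5KB
     192.168.1.10:50312                       <=       416b       410b       408b     2.04KB
EOF
}

# Only the continuous download survives; the burst and the port 222 session drop out.
sample_snapshot | sustained_flows
```

Flow 2 in the sample peaks at 1.90Mb over the last 2 seconds but averages only 95.0Kb over 40 seconds, so it is treated as a burst and not reported at the default threshold.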

You can learn a whole lot about things happening on your network that you didn't realize, just by watching iftop for a while. (And using Google to find things out.)

IPCop numbers the Ethernet ports eth0, eth1, eth2, etc. By default iftop will show you eth0, which is your green interface on IPCop. This is normally what you want to see, but if you want to see traffic on the RED interface (eth1 on most people's IPCops), you start iftop like so:

iftop -i eth1 -PN

One thing to keep in mind with IPCop: if you look at the RED interface, all web traffic going to port 80 on the internet appears to be coming from IPCop itself, so you can't see which user is causing it. You have to look at the green interface to see which user is initiating the web downloads. This is because DansGuardian intercepts the port 80 connections, acting as a man-in-the-middle, to police web traffic.