
Bandwidth Usage

I'm super confused about an issue I'm having. The last few weeks I've had a PC on my network at the top of the list in terms of bandwidth usage. Heads and tails above the rest.

 

For example, today...only an hour and a half into the work day they're at 14.8 GB when I view the Network Usage - Bandwidth Usage report.

 

Viewing the details of this PC shows

1 | HTTP-ALT | TCP | 13.2 GB | 99.29 | 1.5 GB | 99.96 | 14.7 GB | 99.35 | 4 692 271 | 100.00
2 | HTTP | TCP | 71.5 MB | 0.52 | 429.3 kB | 0.03 | 71.9 MB | 0.48 | 19 | 0.00
3 | HTTPS | TCP | 25.6 MB | 0.19 | 220.6 kB | 0.01 | 25.8 MB | 0.17 | 65 | 0.00

Yet when I look at the web report Top user by Traffic for today I'm only seeing this user at 144MB.

So how can I tell what is happening on this PC, for http-alt 8080? Something causing a large amount of traffic to the UTM on port 8080 from this PC? 

I'm confused



  • Does the web browser in that PC have the UTM defined as an explicit Proxy?  Is the Web Filtering log full of rejections of surf attempts by that PC?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yep, this is controlled by group policy. And the web filtering log isn't abnormal compared to other PCs on the network. The odd block from visiting a site that has content from Facebook etc. Funny thing is that the PC was at the top of the usage list, higher than the actual WAN IP...which is normally at the top.

  • It's probably time to put a packet capture on that traffic from the UTM to the PC. It almost seems like there's something that the UTM keeps trying to send to the PC, but something at the PC isn't accepting it fast enough. What happens if you do a proxy restart?

    /var/mdw/scripts/httpproxy restart

    Cheers - Bob

     