Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

The customer required a detailed report on what was going on on their Internet link. To capture the traffic utilization on the link, I used a Packeteer 6500 appliance. The diagram below shows how I set up the capture.

The first thing you need to remember is how to define the inbound and outbound traffic. The convention of what is inbound traffic versus what is outbound traffic is determined by the MAC Address that the network analyzer is watching. For this study, we are watching the F0/1 MAC address of the Internet Router, therefore the traffic direction will be as follows:

Inbound = Traffic sourced from Internet Router F0/1 MAC Address
Outbound = Traffic destined to Internet Router F0/1 MAC Address
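
The direction convention above, applied to per-application byte counts, as an added example that is not part of the original report or of the Packeteer appliance. The router MAC, the port-to-application map and the frame records are constructed placeholders.

```python
from collections import Counter

ROUTER_MAC = "00:11:22:33:44:55"  # constructed placeholder for the router's F0/1 MAC
APPS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 21: "FTP"}  # assumed well-known ports

# Constructed frame records: (src_mac, dst_mac, src_port, dst_port, bytes)
FRAMES = [
    (ROUTER_MAC, "aa:aa:aa:aa:aa:01", 80, 51000, 7000),            # HTTP from Internet
    ("00:11:22:33:44:55".upper(), "aa:aa:aa:aa:aa:02", 40000, 25, 2000),  # SMTP
    (ROUTER_MAC, "aa:aa:aa:aa:aa:01", 443, 52000, 500),            # HTTPS
    (ROUTER_MAC, "aa:aa:aa:aa:aa:03", 5000, 5001, 500),            # unclassified
    ("aa:aa:aa:aa:aa:04", ROUTER_MAC, 80, 53000, 4000),            # web server reply
    ("aa:aa:aa:aa:aa:05", ROUTER_MAC, 54000, 21, 1000),            # FTP to Internet
    ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", 55000, 80, 9999),   # LAN only, ignored
]

def direction(src_mac, dst_mac, router_mac=ROUTER_MAC):
    """Inbound = sourced from the watched MAC, outbound = destined to it."""
    router_mac = router_mac.lower()
    if src_mac.lower() == router_mac:
        return "inbound"
    if dst_mac.lower() == router_mac:
        return "outbound"
    return None  # frame does not cross the watched interface

def app_name(src_port, dst_port):
    """Classify by whichever side uses a known server port."""
    for port in (dst_port, src_port):
        if port in APPS:
            return APPS[port]
    return "OTHER"

def utilization(frames, router_mac=ROUTER_MAC):
    """Sum bytes per application, separately for each direction."""
    totals = {"inbound": Counter(), "outbound": Counter()}
    for src, dst, sport, dport, size in frames:
        d = direction(src, dst, router_mac)
        if d is not None:
            totals[d][app_name(sport, dport)] += size
    return totals

def top_share(counter, n):
    """Return the top-n applications and their share (%) of the total bytes."""
    total = sum(counter.values())
    if total == 0:
        return [], 0.0
    top = counter.most_common(n)
    return top, 100.0 * sum(b for _, b in top) / total
```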

Below is the information captured, in graphical format.

Top 10 Application Utilization Inbound

The top 10 applications contributed 99% of overall inbound traffic. Web traffic (HTTP), Mail Transport (SMTP), and HTTPS (SSL) made up 95% of the overall bandwidth consumption.

Top 10 Application Utilization Outbound

The top 7 applications contributed 99% of overall outbound traffic. Web traffic (HTTP), WinMedia (WMA or WMV), File Transfer (FTP), and HTTPS (SSL) made up 98% of the overall bandwidth consumption.

Average Rate Inbound

Web traffic (HTTP) was the primary application for traffic from Customer to the Internet.
There was a significant jump in Web traffic (HTTP) coming from the Internet.

Web Traffic (HTTP) – Sample Top Talker/Listener

Top Talker
• n.n.n.251 (http://www.Customer.ca/) transmitted 86% of the web traffic to the Internet.
Top Listeners
Sample data showed that on Oct 13, two Internet hosts were sending a large amount of HTTP data to Customer.ca:
• 204.2.208.35, Reverse DNS gives a204-2-208-35.deploy.akamaitechnologies.com as source
• 204.2.208.44, Reverse DNS gives a204-2-208-44.deploy.akamaitechnologies.com as source

Summary of findings

Excessive HTTP traffic from the Internet to Customer (downloads or some game) appears to have caused the Internet slowdown. The traffic was primarily sourced from two separate IP addresses used by the Internet hosting domain of deploy.akamaitechnologies.com.

While the excessive HTTP traffic was present, other data traffic decreased significantly. This was likely due to high-volume data demand by a small number of hosts. A long and highly utilized TCP session was kept open, with some TCP retransmission. At the same time, other TCP SYN requests were dropped due to network congestion.

If QoS had been correctly configured for this customer, the issue would not have arisen.