Ask the Expert

How to analyze a TCP and UDP network traffic spike

I recently noticed an unusual spike in TCP and UDP flows from a single internal source to multiple destinations. What steps should I take to determine the type of traffic this represents?

    Requires Free Membership to View

In order to analyze network traffic, check the destination port number using the network monitoring tool that identified the spikes. In many cases, this will tell you the type of TCP and UDP traffic you're seeing. For example, traffic on port 80 is normally HTTP traffic, while traffic on port 443 is normally HTTPS traffic. You can consult the Port Database if you encounter a port you don't recognize.

If that doesn't do the trick, you'll need to sniff the network traffic to identify it. You can do this by connecting a computer running a packet sniffer to your network and leaving it running during one of the spikes. My favorite tool for this job is Wireshark. For more information on using Wireshark, see my tutorial: How to sniff network traffic.

For more information:

This was first published in April 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: