A Single T1 should be horribly easy to max out for a school, that doesn't sound like enough at all. 1.5mbps is hardly a high speed connection, even with a dedicated line, when you are dealing with a whole school. Where are you finding the actual lag to be coming from? All hops, or only certain hops?



I see, sorry, misread the 3 AM part, thought you said it was fine then. I would run a normal trace route, just to be sure the program isn't throwing you off. Seems odd that all the hops would be slow, even after the ISP. Cause even if the ISP was slow, it should still speed up after it passes through them and onto other networks. When you ran a sniffer, were you getting lots of packet drops or anything? Are you letting routing protocol broadcasts accidentally go through the WAN? Is your local LAN running fast?



Well, if you are losing packets that often after it leaves your gateway, it sounds like an ISP problem. I know an ISP will be hard pressed to take responsibility for any problems, even if it is their problem. I would call and complain again, tell them that you can trace, and anything past the gateway is having loss problems, as this seems more likely to be their issue, not yours. If I had to, I would record multiple different sites, and show them proof that it happens every time after the gate. They know they can just blame your network, and most people go away, I would keep with them, cause I just can't see anything else being the problem.



I honestly don't know of a program to do this, since ISPs really don't like you sniffing their traffic, or doing anything that would involve getting information back from their portion of the network.

If your traffic is OUTBOUND (according to your ISP) wouldn't it have to be on the LAN first?



Here is a good tool to see all at one time and see WHO is hogging the system.



Microtik - DUDE network monitor.. works for all devices, including any wireless ones that you may not notice. Better yet its free. Will beat wireshark as it shows all devices and the used bandwidth at a glance!

http://www.mikrotik.com/thedude.php



It may be of some help here since it shows live time which devices are doing what.

This could even be a bad NIC causing a flood when some local program runs.

You can have your ISP put monitoring on your router and have them tell you what IP address(s) are creating the offensive traffic. If not you will need to invest in a sniffer to see where all the traffic is coming from.



Good luck!

I would recommend a good firewall, then block unwanted sites or IP addresses, I worked for an ISP and you need to be sure if it is upload or download speeds, if it is downloading large amounts of data, you may have a device trying to get updates from a site that is refusing the device, if it is upload you may have hacker that is on the system that is downloading files at home, from what you have said it sounds like updates that are trying to be performed, cannot find the updates I would check first if you have added new hardware, it needs updates before implementation, it may be old hardware that cannot get it's updates any longer(site closed) or you may have a device's time server settings wrong(when it updates it gets out of sync)

next you are using T1 very slow for data I would recommend updating. At least a more updated system you can get more bang for your buck these days, T1 is using very slow transfer speeds and with an updated system you will find that some of the problems you are having will go away.



Using a sniffer still may not find the problem but if the device tries to pull an update at 3 am it will continue to ping until the update window is closed. Although ISP service stops at the DMARC, if you have something coming in or out they will not know what it is, just that there is traffic, because it is T1 you have dedicated 64kbs up 64kps down and 16kbs for clocking, it would be quicker to find out which device it is by removing or shutting down different segments while this is happening (not to many people there at 3am) this would be much quicker to do although it is not fun to be there at 3 am, but if you have an ISP that has 24 access to monitor your link could get them on the phone while you disconnect the various segments they would know in about 5 to 15 min if the segment you disconnected has the problem device on it or not, from there you can work on the individual devices on that segment, you may just have a bad redundant link on that segment and need to configure a switch properly, or remove a bridge and replace it with a switch.



Good luck