How to pinpoint which process/activity/software/protocol is slowing down LAN on a single computer

When it comes to a single computer, generally you want to get a packet capture and then do some analysis on the packet capture that includes things like:

  • Protocol Breakdown
  • Packets Per second
  • Top senders, receivers, etc.

I recommend using Wireshark or maybe Microsoft Network Monitor. With Network Monitor you will get a process breakdown of the capture, which can be helpful (if you happen to be on Windows).

You probably want to run it with admin privileges for this.

It is also possible the NIC is malfunctioning. So check the packet rates and various error counters on the switch side for that interface. You could also monitor the switchport by using your switch's "port monitor" functionality. If something like this is going on, I would expect the LAN to get slow (i.e. computer to computer) and not just the Internet.


You do not mention the OS of the problematic machine, so I'll answer from the perspective of a GNU/Linux distribution (like Debian), although part of the answer is multiplatform.

As mentioned, iptraf(8) or Wireshark will tell you what IPs/ports are problematic, but not what application generated them. You might be able to check that with netstat(8):

netstat -tupn

(it will show you which ports are used by which program, but usually only if those are longer lived connections).

However, I'd recommend tools like ntop to get an easier overview.

Also, ifconfig(8) will tell you if there are any errors, carrier, overrun problems etc. If there are, try changing the cable, the port on the switch or (in the end) the network card (or its drivers) in the problematic machine.
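The join these answers describe (busy address:port pairs from a capture or router view, owners from netstat -tupn), as an added example that is not part of the original answers. The netstat output, the byte counts and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `netstat -tupn` output; addresses, PIDs and program names are made up.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.7:51514    198.51.100.20:443   ESTABLISHED 2211/cloudsync
tcp        0 130320 192.0.2.7:51520    198.51.100.20:443   ESTABLISHED 2211/cloudsync
tcp        0      0 192.0.2.7:22       192.0.2.50:60122    ESTABLISHED 901/sshd: admin
udp        0      0 192.0.2.7:68       192.0.2.1:67        ESTABLISHED -
tcp6       0      0 2001:db8::7:40022  2001:db8::99:993    ESTABLISHED 3050/mailclient
"""

# Constructed byte counts per (local, remote) pair, e.g. from a capture's conversation list.
FLOWS_SAMPLE = {
    ("192.0.2.7:51514", "198.51.100.20:443"): 412_000_000,
    ("192.0.2.7:51520", "198.51.100.20:443"): 388_000_000,
    ("192.0.2.7:22", "192.0.2.50:60122"): 1_200_000,
    ("192.0.2.7:68", "192.0.2.1:67"): 1_400,
    ("192.0.2.7:49999", "203.0.113.5:80"): 5_000_000,
}

# Fields: proto, queues, local, foreign, optional state, then "PID/name" or "-".
ROW = re.compile(r"^(?:tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+"
                 r"(?:[A-Z][A-Z_0-9]*\s+)?(?:(\d+)/(.*\S)|-)\s*$")

def parse_netstat(text):
    """Map (local, remote) -> "name (pid N)", or None when netstat printed "-"."""
    sockets = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and malformed lines are skipped
            local, remote, pid, name = m.groups()
            sockets[(local, remote)] = f"{name} (pid {pid})" if pid else None
    return sockets

def bytes_by_program(flows, sockets):
    """Sum flow bytes per owning program, largest first."""
    totals = Counter()
    for pair, nbytes in flows.items():
        # A flow with no socket usually means the connection closed before netstat ran.
        owner = sockets.get(pair, "no socket listed (connection already closed?)")
        totals[owner or "owner hidden (netstat not run as root)"] += nbytes
    return totals.most_common()

if __name__ == "__main__":
    for owner, nbytes in bytes_by_program(FLOWS_SAMPLE, parse_netstat(NETSTAT_SAMPLE)):
        print(f"{nbytes / 1e6:10.1f} MB  {owner}")
```

Flows that land in the "no socket listed" bucket are the short-lived connections the answer warns about; capturing netstat repeatedly while the traffic is flowing narrows that bucket.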


You speak about the computer being an iPhoto server; I suspect that you have iCloud enabled, or another similar cloud backup on this system, that is uploading your whole library of photos. By saturating the upload, it's stalling some of the downloads because some TCP ACK packets get lost. That would explain your 800gb.

I would get a packet capture with Wireshark to see where the data is going, and then look for the culprit.


The router/firewall I use is Mikrotik, and the screen cap below is from a tool called Torch on my Mikrotik router. I am unsure how you would do this in Cisco but I have to believe there is an analog.

As shown in the image, I'm filtering traffic on my LAN interface (ether-2) whose source is 192.x.x.7. In this case I'm keeping connections for 30s after they close (Entry Timeout value), but in a case like yours I might set that as high as a couple of hours. The most interesting info is the dst IP address and port.

Using a tool like this right on the router, I can see exactly how much traffic is getting sent/received per host:port and protocol. Since you've already identified the problem machine, I'd filter to that machine's IP (as I've done in the image). Then, sorting by Rx Rate, you'd see the biggest uploads happening and what port they are both coming from and going to. Using well-known ports I can narrow down to what application is causing it. If it is not a well-known port, or for whatever reason, you can run a netstat on the machine to see what application is using that port (different OSes use different switches, so just look it up or specify your OS and I'll try to answer).

This is a lot quicker/easier than capturing frames in Wireshark (and needing a hub or promiscuous port to do so) and then analyzing them, and in many cases this will get you your answer or most of the way there.

I don't have enough rep points to attach the image so here's a link to grab it off my server: https://gofile.me/2dNUM/226jmtoI

Sorry for having to cover up so much of the info but I think you'll get the idea.