@nasheayahu Those are only the actual namelookup attempt. If you are running pfBlockerNG and are bloking those domainnames, then the client will get a NXDOMAIN response from that namelook - and thus won't get any further.

two things to notice:

1: You have one client that is bypassing your Unbound Resolver on pfSense (with pfBlockerNG blokings) and are using 1.1.1.1 and 1.0.0.1 as nameservers.

2: PfBlockerNG does not actually block any IP connections (when it comes do domain names). It only prevents the clients from resoling those names to IP adresses - and are thus unable to contact those services.

@jacotec I know this is an old thread, but I don’t think Softflowd can quite deliver what you are asking. If you want a report of one 30 min flow in NtopNG, you have to ask softflowD not to expire flows on a timer - you need to leave the expiration field empty. (Otherwise it effectively reports flows that is not completed as unique flows).
Then you get what you want, but the problem is then that you cannot see the flow while it is in progress. You have to wait 30 min.

What we really need is a Nprobe package for pfSense that allows us to install Nprobe (and license it). That way it can do the actual capture/analyze part - including the much more insightfull DPI features compared to standard netflow, and report all of it to NtopNG on another machine via ZMQ.

@cuteliquid11
you need to enable and configure this

ac0bd3a0-8e22-4de8-9943-25bf29a0067d-image.png

@michmoor I mean tools inside pfsense, netflow run outside pfsense.

I agree reinstall it

Its working for me

Screenshot 2023-12-21 at 11.42.32 AM.png

@hspindel
band1.png
The only issue I have is that won't show my VLANs traffic, but never have issue with the app.
Regards.

@Lockie happy to help

OK thats a lot better there though there is a lot of crap to filter out. I was able to get most of the crap out by filtering for PSH+ACK like so: 'tcp[13] == 24'

Theres still some junk in there though and it'd be nice to have more LFs in there between packets but this is definitely way better, thanks!

@johnpoz said in Simple package for monitoring IP up status:

why not provide it to the community?

Never said I wouldn't. But likely just remain as a patch file that can be NAME/IP configured by the user before applying. Not sure there is a demand for more configuration than that. Based on the thread here (and no others I can find) Seems the interested usage group would be really low (ie me). Hard to tell, as the only original responses to this thread were both suggesting to do something else.

@johnpoz said in Simple package for monitoring IP up status:

why would there even be a thread asking for such a thing in the first place

because I originally asked the question, not being able to find anything? is this a trick question LOL

Anyway thanks for the feedback, it was just something to occupy a few cycles.

what if i didn't want to loose data :(