Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Conduct an Investigation

    Scheduled Pinned Locked Moved General pfSense Questions
    10 Posts 4 Posters 980 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Popolou
      last edited by

      Afternoon

      How does one start investigating an event like this and ultimately which client/network it originated from: -

      82059a33-b354-4cac-8e5e-2951a6cabe5d-image.png

      Thanks
      Pops

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Popolou
        last edited by

        @popolou

        Several solution.

        Goto Status >Traffic Graph, select an interface, and observe ...

        Or have the system do all the work for you ( this works as soon as you know how to ask the system ) : goto System >Package Manager > Available Packages
        and see what bandwidthd and / or ntopng - maybe others.
        Keep in mind : these could use huge quantityies of RAM and/or disk space, so don't leave home and stay on the task while you run these ;).

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        P 1 Reply Last reply Reply Quote 1
        • P
          Popolou @Gertjan
          last edited by

          @gertjan, hi

          Bandwidthd had long been installed but it never appeared to be accurate in discovering all the peers and so logging what passes between them. The server is a VPN box with several subnet networks connecting into it. Some services hosted on remote networks also traverse the tunnel to use it as their gateway. Nothing overly complicated...yet bandwidthd struggles to log what should be quite a bit of traffic to/from these networks.

          Do people packet log all their traffic between the subnets to build a picture of what is traversing the gateway?

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            See: https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html

            For long term full details you want to be exporting netflow data to a external collector.

            Steve

            1 Reply Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance
              last edited by

              There isnt any package other than netflow that would give you that historical data you need to diagnose. All the other packages would give you real-time data which wont help you.

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                ntop-ng and bandwidthd keep historical data. It may not be sufficiently detailed for this though.

                M 1 Reply Last reply Reply Quote 0
                • M
                  michmoor LAYER 8 Rebel Alliance @stephenw10
                  last edited by

                  @stephenw10 I have the same issue with bandwidthD as the OP. It doesn’t capture all hosts and in my case some top talkers aren’t graphed.
                  Ntopng has heavy r/w’s on my ssd. Maybe for in the moment kind of snooping but I don’t think it’s recommended to keep enabled all the time.

                  Is there a way to log a session at close and know how many bytes was sent and received? That’s good data.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Use netflow if you really need that sort of detail.

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @stephenw10
                      last edited by

                      @stephenw10 Ive seen nfsen but are you aware of any other open source collectors ?

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        michmoor LAYER 8 Rebel Alliance @michmoor
                        last edited by

                        ive personally have issues with bandwidthd not reporting data on top talkers.
                        https://forum.netgate.com/topic/177849/bandwidthd-not-capturing-any-toptalkers

                        ntopng always works but its hard on the ssd with lots of flows happening.

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.