Unexpected traffic from PFSENSE to WAN
-
Do you have any packages installed? Which ones?
Steve
-
Hello!
Only vnstat2, but it has been installed after the first time I seen this issue.
Except this one, I have no additional script/module/pluggin/package :) -
Well that's very odd then. :-
I can think of no good reason for that traffic.
What connections is it making when it happens? Where is the traffic going to/coming from?Steve
-
I don't know…
What can I do to know exaclty ?The only thing I know is that it is from my WAN to Internet... :-\
-
Packet capture on WAN and see what the traffic is.
-
I will test right now and let you know :)
-
10 secondes capturing packages exchanged between Internet on my impacted WAN interface:
00:45:50.427527 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.428153 IP 109.190.0.52.61861 > 91.121.164.184.53: UDP, length 38
00:45:50.428165 IP 109.190.0.52.61861 > 91.121.164.227.53: UDP, length 38
00:45:50.428257 IP 109.190.0.52.19191 > 91.121.164.184.53: UDP, length 38
00:45:50.428280 IP 109.190.0.52.19191 > 91.121.164.227.53: UDP, length 38
00:45:50.430328 IP 109.190.0.52.62649 > 91.121.164.184.53: UDP, length 38
00:45:50.430339 IP 109.190.0.52.62649 > 91.121.164.227.53: UDP, length 38
00:45:50.441892 IP 109.190.0.52.13861 > 91.121.164.184.53: UDP, length 38
00:45:50.441911 IP 109.190.0.52.13861 > 91.121.164.227.53: UDP, length 38
00:45:50.444127 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.444137 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.446833 IP 109.190.0.52.51254 > 91.121.164.184.53: UDP, length 38
00:45:50.446850 IP 109.190.0.52.51254 > 91.121.164.227.53: UDP, length 38
00:45:50.447549 IP 109.190.0.52.55356 > 91.121.164.184.53: UDP, length 38
00:45:50.447559 IP 109.190.0.52.55356 > 91.121.164.227.53: UDP, length 38
00:45:50.453027 IP 109.190.0.52.61861 > 91.121.164.184.53: UDP, length 38
00:45:50.453037 IP 109.190.0.52.61861 > 91.121.164.227.53: UDP, length 38
00:45:50.459365 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.459374 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.461363 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.461373 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.462566 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.462574 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.467022 IP 109.190.0.52.62649 > 91.121.164.184.53: UDP, length 38
00:45:50.467032 IP 109.190.0.52.62649 > 91.121.164.227.53: UDP, length 38
00:45:50.469234 IP 91.121.164.227.53 > 109.190.0.52.62649: UDP, length 2768
00:45:50.469241 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.470326 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.471419 IP 91.121.164.227.53 > 109.190.0.52.61861: UDP, length 2768
00:45:50.471425 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.472513 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.474385 IP 91.121.164.227.53 > 109.190.0.52.45649: UDP, length 3961
00:45:50.474391 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.475378 IP 109.190.0.52.55736 > 91.121.164.184.53: UDP, length 38
00:45:50.475390 IP 109.190.0.52.55736 > 91.121.164.227.53: UDP, length 38
00:45:50.475875 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.475881 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.476499 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.477748 IP 91.121.164.227.53 > 109.190.0.52.24007: UDP, length 2768
00:45:50.477756 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.478841 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.479779 IP 91.121.164.227.53 > 109.190.0.52.25612: UDP, length 2768
00:45:50.479785 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.481027 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.482277 IP 91.121.164.227.53 > 109.190.0.52.55356: UDP, length 2768
00:45:50.482283 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.482606 IP 109.190.0.52.60126 > 91.121.164.184.53: UDP, length 38
00:45:50.482624 IP 109.190.0.52.60126 > 91.121.164.227.53: UDP, length 38
00:45:50.482780 IP 109.190.0.52.19191 > 91.121.164.184.53: UDP, length 38
00:45:50.482792 IP 109.190.0.52.19191 > 91.121.164.227.53: UDP, length 38
00:45:50.483023 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.483033 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.483206 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.485234 IP 91.121.164.227.53 > 109.190.0.52.49853: UDP, length 2768
00:45:50.485241 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.486171 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.486267 IP 109.190.0.52.49203 > 91.121.164.184.53: UDP, length 38
00:45:50.486284 IP 109.190.0.52.49203 > 91.121.164.227.53: UDP, length 38
00:45:50.487237 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.487244 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.488330 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.489584 IP 91.121.164.227.53 > 109.190.0.52.55736: UDP, length 2768
00:45:50.489736 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.490829 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.492391 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.492399 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.493639 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.495357 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.495363 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.496449 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.497854 IP 91.121.164.227.53 > 109.190.0.52.61861: UDP, length 2768
00:45:50.497861 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.498947 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.499366 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.499384 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.500181 IP 91.121.164.227.53 > 109.190.0.52.19191: UDP, length 2768
00:45:50.500187 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.501117 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.502530 IP 109.190.0.52.50147 > 91.121.164.184.53: UDP, length 38
00:45:50.502547 IP 109.190.0.52.50147 > 91.121.164.227.53: UDP, length 38
00:45:50.502877 IP 91.121.164.227.53 > 109.190.0.52.62649: UDP, length 2768
00:45:50.502999 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.503009 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.503035 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.503094 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.503104 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.503900 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.505617 IP 91.121.164.227.53 > 109.190.0.52.13861: UDP, length 2768
00:45:50.505774 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.506867 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.507960 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.507972 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.508834 IP 109.190.0.52.29227 > 91.121.164.184.53: UDP, length 38
00:45:50.508851 IP 109.190.0.52.29227 > 91.121.164.227.53: UDP, length 38
00:45:50.508936 IP 109.190.0.52.21616 > 91.121.164.184.53: UDP, length 38
00:45:50.508958 IP 109.190.0.52.21616 > 91.121.164.227.53: UDP, length 38
00:45:50.509054 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.510302 IP 91.121.164.227.53 > 109.190.0.52.51254: UDP, length 2768
00:45:50.510459 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.511551 IP 91.121.164.227 > 109.190.0.52: udp -
Mostly DNS, open in Wireshark and see what the queries/responses actually are.
-
Dear cmb,
Something like that ? => http://img15.hostingpics.net/pics/901020Wireshark.jpg
Does it make sense for you ?
Many thanks for your help. -
Guessing the 109.190.0.52 is your IP from that example, at least judging by the fact the bandwidth is downstream. Something is doing ANY lookups on ripe.net and isc.org, which generate very large responses, at an absurd pace. Nothing on a stock pfSense install will generate any queries even remotely like that. Switch the capture to LAN and see if you see the requests there. In a default configuration, the only way any queries like that could possibly be initiated would be by something on an internal network.
