    Figure out users uploads

General pfSense Questions
nutt318:

I've changed it to Any and it looks from watching the traffic graph that it is still not being affected. The machine in question is a Mac Pro desktop and whenever the user is on the machine during working hours there's a lot of uploading from their IP. I've gone to the machine once physically to double check that it is the correct IP and it is, so I know I've got the right person. Anyways, here is the BandwidthD graph from just today; there is a lot of upload and it needs to stop. The user says they're not doing anything and I can't see anything running on the machine that would cause this.

I know that the user is on the LAN connection, the Sprint is a tunnel VPN to another network and the DMZ is a separate network for some DEV servers in the server room.

When you say sniff, should I just run a packet capture on their IP from within pfSense or are you suggesting another way?

Thanks for all the help!
johnpoz (LAYER 8 Global Moderator):

Lot of upload - there is one tiny little spike between 9 and 10 am this morning. Today is the 14th.

You can sniff right on pfSense for the traffic from their IP. No reason to go to their machine unless the traffic would not be going to pfSense, i.e. LAN to LAN traffic. But if what you're worried about is internet then pfSense has to see it - right ;)

And is that graph showing you the traffic from their IP to a specific destination? Or all your traffic to a specific dst? I don't see any current traffic on that graph.

If you blocked it on pfSense (correctly) and cleared the states, then it's not possible for the traffic to be getting past pfSense.

You stated there were a lot of machines:
"noticed a lot of machines are going to this IP"

So do you have only this one Mac client generating traffic to these networks you're trying to block? Or more than one LAN client? On a Mac you can do the same thing; not sure if you can see processes involved with the netstat version on OS X, but you should be able to use the lsof command for this.

You really should be interested in finding what is making the connection on the box(es) - maybe it's legit, maybe it's not? On the couple of IPs you listed that were to port 80, you would think HTTP, but they respond with non-HTTP sort of data when you do a wget to them on that port. And I show 78.141.179.17 as being owned by

organisation:    ORG-EdPe1-RIPE
org-name:        Entreprise des Postes et Telecommunications
org-type:        LIR
address:         Entreprise des P&T
                 2, rue Emile Bian
                 2999 Luxembourg
                 Luxembourg

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
nutt318:

Well it's basically just one user that is consistently showing around 4-5 GB of upload a day. From the timestamps it's only when the user is at work, not like something is running while he is at home.

My main goal is to find out if this traffic is legit or not, so if I do a packet capture, how long do I let it run for? Besides Wireshark, are there any other tools to actually tell what is going on?
johnpoz (LAYER 8 Global Moderator):

You can do the capture on pfSense, and sure, use Wireshark to look at the capture. Let it run for say 100 packets with the destination netblock in the host field. If you're saying he's moving that amount of traffic it should only take a couple of seconds to get the packets.

But I would really look to see what process on his box is creating the connections. lsof should be able to tell you that on his machine. Once you know what process is doing it, you can stop it at the source of the problem.

4-5 GB a day on the upload side?? Yeah, I would be really curious about that as well.
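As an added illustration (not code from the thread), a small Python helper that parses the output of `lsof -i -nP` on the Mac and counts established connections per process to a given destination netblock; the lsof lines are constructed sample output and the addresses are documentation ranges, not the IPs discussed here.

```python
import ipaddress
from collections import Counter

# Constructed sample of `lsof -i -nP` output (not taken from a real host);
# peer addresses are documentation ranges, not the IPs from the thread.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Mail     1234 alice   23u  IPv4 0xabc      0t0  TCP 192.168.1.50:52345->203.0.113.25:587 (ESTABLISHED)
Mail     1234 alice   24u  IPv4 0xabd      0t0  TCP 192.168.1.50:52346->203.0.113.25:587 (ESTABLISHED)
Safari   2200 alice   31u  IPv4 0xabe      0t0  TCP 192.168.1.50:52400->198.51.100.7:443 (ESTABLISHED)
Safari   2200 alice   32u  IPv6 0xabf      0t0  TCP [2001:db8::10]:52401->[2001:db8:1::7]:443 (ESTABLISHED)
mDNSResp  120 _mdns    5u  IPv4 0xac0      0t0  UDP *:5353
sshd      900 root     3u  IPv6 0xac1      0t0  TCP *:22 (LISTEN)
"""

def peer_address(name_field):
    """Extract the remote IP from an lsof NAME like 'a:b->c:d'; None if there is no peer."""
    if "->" not in name_field:
        return None  # listeners and unconnected UDP sockets carry no peer
    remote = name_field.split("->", 1)[1]
    host, _, _port = remote.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))  # IPv6 peers are bracketed

def connections_to(lsof_text, netblock):
    """Count connections per (command, pid) whose peer falls inside netblock."""
    net = ipaddress.ip_network(netblock)
    counts = Counter()
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 9:
            continue
        peer = peer_address(parts[8])  # column 9 is NAME
        if peer is not None and peer in net:  # mixed IP versions compare False
            counts[(parts[0], int(parts[1]))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (cmd, pid), n in connections_to(SAMPLE_LSOF, "203.0.113.0/24").items():
        print(f"{cmd} (pid {pid}): {n} connection(s) to 203.0.113.0/24")
```

On the real machine, feed it `lsof -i -nP` (no name resolution, numeric ports) and the netblock the pfSense capture pointed at; the process and PID it names is where to look next.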
stephenw10 (Netgate Administrator):

@johnpoz:

    lsof should be able to tell you that on his machine.

Nice, fact learnt for today! :)

Steve
nutt318:

So after running a packet capture and looking at it in Wireshark, is there a way I can tell what destination or IP is consuming the most bandwidth?
johnpoz (LAYER 8 Global Moderator):

Sure, you can look at the Wireshark stats under Conversations.

Example - quick 2 second capture on my workbox:

(attached screenshot: conversations.jpg)
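Added example, not from the original post: the same per-peer byte totals that Wireshark's Conversations window shows, computed from a packet list saved via File > Export Packet Dissections > As CSV (the column names are assumed to match Wireshark's default export); the CSV below is constructed sample data, and the second function flags the lopsided send/receive pattern this thread is chasing.

```python
import csv
import io
from collections import defaultdict

# Constructed CSV in the shape of Wireshark's "Export Packet Dissections > As CSV"
# default columns; not a real capture, and the addresses are documentation ranges.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.50","203.0.113.25","TCP","1514","52345 > 587 [ACK]"
"2","0.000410","192.168.1.50","203.0.113.25","TCP","1514","52345 > 587 [ACK]"
"3","0.000900","203.0.113.25","192.168.1.50","TCP","66","587 > 52345 [ACK]"
"4","0.010200","192.168.1.50","198.51.100.7","TLSv1.2","200","Application Data"
"5","0.011700","198.51.100.7","192.168.1.50","TLSv1.2","1400","Application Data"
"6","0.020100","192.168.1.50","203.0.113.25","TCP","1514","52345 > 587 [ACK]"
"""

def conversations(csv_text, host):
    """Per-peer totals for one host, like the IPv4 tab of Statistics > Conversations.
    Returns [(peer, bytes_sent_by_host, bytes_received_by_host)], largest upload first."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        length = int(row["Length"])  # frame length in bytes
        if row["Source"] == host:
            sent[row["Destination"]] += length
        elif row["Destination"] == host:
            received[row["Source"]] += length
    peers = set(sent) | set(received)
    return sorted(((p, sent[p], received[p]) for p in peers), key=lambda t: -t[1])

def upload_heavy_peers(csv_text, host, min_ratio=5.0):
    """Peers where the host sends at least min_ratio times what it gets back:
    the shape of an outbound-only flow such as a stuck outbox or a spam run."""
    return [p for p, out, inp in conversations(csv_text, host)
            if out >= min_ratio * max(inp, 1)]

if __name__ == "__main__":
    for peer, out, inp in conversations(SAMPLE_CSV, "192.168.1.50"):
        print(f"{peer:16} sent {out:>7} B  received {inp:>7} B")
```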
nutt318:

Perfect, thank you!

Well it looks like I've found out the source of where the traffic was going. It is our email hosting provider, which is strange to me. Now I need to check with the user and see if something is stuck trying to send in their outbox.
johnpoz (LAYER 8 Global Moderator):

Really? Must be one huge email, or maybe they are infected, sending spam? Or maybe it keeps trying to send the same email and failing?

Once you figure it out please post, got me curious ;)
stephenw10 (Netgate Administrator):

My money's on spam. ;)
Though you might expect the provider to have notified you.

Steve