Packet Flood?
-
I'm having a strange problem….When one computer on my network is on, the our bandwidth gets maxed out immediately. As soon as its unplugged from the network, its fine again. I've tried another computer on the same cable, and its fine. The strange thing is that the LAN traffic graph does not reflect the bandwidth of the WAN at all....it doesn't even register the traffic.
I've done a packet capture, and its getting a whole bunch packets: see attached image.
Not sure if its a bad NIC, I'll get a PCI one and toss that in to see if it makes a difference, but in the meantime, just wondering if anyone can shed light on it.
Thanks!
-
so that sniff is from where - the lan interface, the wan interface of pfsense. The client?
Well if your lan connection is gig, and your wan connection is 10mbps – then its quite possible the graph on the lan side doesn't show much.. Also a request for info is a lot smaller than the info sent back quite often.. All you would see is the acks, and that is going to be a small fraction of the total bandwidth..
If you say it happens when you plug this box in - its possible its infected? Have you looked into the traffic to see what it is - and where its going? You blocked out the dest IP so can not look up what site or who owns the ip, etc.
-
Sounds like you have a process on the PC in question that is pushing a lot of data to somewhere. You didn't mention what OS that PC runs. Its likely that the netstat command on the PC can help you out, use the option that shows the process id - then from your packet capture you can find the same IP:port pair from the netstat output and then find the pid of the process that is sending the data. Finally, you can determine from the PID which app is causing the problem.
For Linux you likely want 'sudo netstat -anop'. For Windows you likely want 'netstat -ano'
-
PC in question is running Windows 7, a fresh install, so its not infected. The sniff is on the WAN of the pfsense box. In regards to the traffic graph, the LAN side is showing around 10-20 kbps, in and out, which is normal, while the WAN is showing 15 Mbps in and 800 kbps out when its happening.
I'll check out the netstat command and post back soon. Also, I haven't got around to putting a different NIC in, will probably get to that tomorrow.
-
What packages do you have installed in pfSense?
-
Doesn't sound like a NIC issue to me. I'd try sniffing on the lan side, and as others have mentioned 'netstat' on the Win7 computer. If the issue subsides with the Win7 computer being disconnected, there is most definitely an issue there - and doesn't feel hardware related to me. If you decide to post another wireshark log, just block out your external ip - it'll help to see what is coming and going and from whom.
-
So your seeing this inbound to your pfsense on the wan - and its being blocked.. Why does it not go to the client that requested it. If your saying it stops when you remove client X from the network, that really points to it being client X. Sure its not just downloading the gazillion updates a new install of windows 7 would call for?
What makes no sense is how your not showing any traffic on the lan - sniff the traffic.
-
If your saying it stops when you remove client X from the network, that really points to it being client X. Sure its not just downloading the gazillion updates a new install of windows 7 would call for?
^^This.
Windows 7 downloads in the background, so next time you shut down it can say "…Please don't shut off the power. Applying Update 12 of 135329" :)