Netgate Discussion Forum

    What is going on here?

      johnpoz LAYER 8 Global Moderator

      If he is not using ipv6, a simple disable is not a waste of time… It is what anyone should be doing, you don't run protocols on your network you're not using - this is security 101!!

      Windows in its infinite wisdom runs 3 different transition methods for getting to ipv6 over ipv4: teredo, isatap and 6to4. If you're not going to use ipv6 as of yet, then disabling them should be what you're doing. It's a simple reg entry - sorry, MS doesn't give you a GUI. If you want, I can give you a fixit exe they provide to make the setting.

      You can do it all from netsh if you want as well and disable the interfaces you're not using, like teredo. But the simple reg key is much quicker and easier.

      Understanding what device is putting out the noise is not a waste of time - it's understanding the devices on your network. Suggesting someone just completely ignore it because it's "noise" is just beyond stupid!!! Once they understand what is sending out the noise, if he cannot turn off the noise at the source, then they can either block it at switch level for stuff like multicast, or can just not log it in the firewall if they don't want to see the noise.

      But saying tracking down the noise producing device is a waste of time is just beyond nonsense!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        deanot

        Certainly do appreciate your time and help.  I figured out what was flooding my logs with all that crap, Darkstats is the culprit, with no way to turn the logging off, so bye bye Darkstats.

        Again, guys thank you….

        PFSense System Specs.
        –---------------
        Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
        4 CPUs: 1 package(s) x 4 core(s) 4 port HP Branded Intel Ethernet Card

          Cmellons

          _"Certainly do appreciate your time and help.  I figured out what was flooding my logs with all that crap, Darkstats is the culprit, with no way to turn the logging off, so bye bye Darkstats.

          Again, guys thank you…."_

          You're welcome:)

          I never would've thought about darkstat. I do love that package. But, like you, I also ended up disabling it unless I really needed to analyze traffic. Most of the time I would just use Wireshark. Gotta love that program. Speaking of Wireshark, by the way, I did a little test at home because I was suspicious of my cable boxes being mic'd due to the way I was getting commercials. So I went around and got the boxes' IP addresses. I then started monitoring traffic from a clean slate on Wireshark and wouldn't you know it, as soon as I started speaking I saw traffic from the box that was in the same room. I guess they do it for advertising but I still don't like it. Glad we could help. Good day to you.

            johnpoz LAYER 8 Global Moderator

            "Darkstats is the culprit"

            Why would darkstat be sending out multicast traffic from an APIPA??

            That makes no sense at all. And you're running the package on pfsense - or some other box? Why would pfsense be seeing traffic to its lan1 and lan2 interface from the darkstat package running on pfsense? Darkstat doesn't even monitor multicast - why would it be sending it out?? Not sure what you think was sending it out, but I find it REALLY REALLY unlikely that darkstat was sending out traffic to 1900 from an APIPA when it sniffs traffic on your interfaces and reports on stats...

            BTW the smite is because your post was pure nonsense!! Sorry it was - so smite. And then you take credit for helping the guy, you told him tracking down or turning off the noise maker was just a waste of time. Yeah, bad post, so smite.

            The post is bad, it gets 1 smite, not the person that hit me with like 30 in less than 2 days, because he didn't like a comment.

              Cmellons

              I hit you with one after you got me. The 30 you are talking about is not from me.

              Before you start talking about how I write nonsense. Realize that sometimes when we answer something it may not be exactly what the poster is talking about even though it may be the right answer according to you. I know. You think that makes no sense. In other words it may be better to brainstorm a little bit rather than worrying about a direct answer that is a hit or miss. It's hit or miss because we're not actually in the room with the people asking questions and not every scenario is the same. Sometimes people don't know exactly how to express the problem that they are having and sometimes you might get half the problem. It really doesn't do any good to start with your own question of "what did you do that for?" It sounds snotty and it contributes absolutely nothing to what they asked and most likely they will look elsewhere for help and I can't blame them. You must have 29 other people that smited you. You say it was two days? You can only do 1 per hour and I hate to break it to you but I have much better things to do than to worry about smiting someone over and over. 🍻

                johnpoz LAYER 8 Global Moderator

                Yes dude, it was like over 2 days. There are 48 hours in the day. So yes, it's possible. Maybe it was 3 - either way you get the point.

                Telling someone to not track down stuff because it's noise, after they ask about that specific noise, is the WRONG freaking answer... And going to call you on it every time...

                  Cmellons

                  Do whatever makes you feel better:)

                    deanot

                    Not sure, can't understand it either. I stopped the service and my logs are back to normal.

                      johnpoz LAYER 8 Global Moderator

                      Well, running the service would normally put your interfaces into promiscuous mode… This might be pulling stuff into the firewall that it would normally not see since the traffic was not sent to it??

                      If I turn on log default I see that sort of traffic without darkstat even installed.

                      It's possible that package turns on default rule logging that maybe you had disabled before?

                      So you're saying that you're not seeing any more blocks to 1900, be it ipv6 or ipv4 169.254, to your interfaces and you have the log default block rule enabled?

                      What I would suggest is to track down the stuff that is in the log, and if you do not want to see it, either stop it at the source or block it at switch level for multicast if you don't want that traffic in your network. Or just turn off default logging, or create specific rules on your interfaces to not log the specific traffic you don't want to see in your log to reduce your noise level.

                      As you can see, that 169.254 is coming from my DVR from my previous post and the APIPA address.

                      darkstat is not causing this traffic, but maybe it changed a setting in your system so you're now seeing it?? I would not uninstall darkstat for that reason but adjust your settings so your logs log what you want, or better yet use these logs to clean up noise on your network you don't want, like ipv6 or multicast traffic, no matter what IP it's coming from... If you don't understand where it's coming from - a simple sniff would help you find the device.

                      before-after-dark.png
                      udpto1900from169.png

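One way to do the "track down the stuff that is in the log" step from the post above, as an added example that is not part of the original thread: it groups blocked packets to port 1900 by source address and marks link-local (169.254.x.x / fe80::) senders. The field positions assume pfSense's raw filterlog CSV layout, and the log lines, addresses and interface names (`em1`, `em2`) are constructed for illustration.

```python
import csv
import ipaddress

# Constructed sample lines: syslog prefix + raw filterlog CSV (field order assumed).
SAMPLE_LOG = """\
Jan 10 09:00:01 fw filterlog[411]: 5,,,1000000103,em1,match,block,in,4,0x0,,1,4321,0,none,17,udp,301,169.254.10.20,239.255.255.250,50123,1900,281
Jan 10 09:00:01 fw filterlog[411]: 5,,,1000000103,em2,match,block,in,4,0x0,,1,4322,0,none,17,udp,301,169.254.10.20,239.255.255.250,50123,1900,281
Jan 10 09:00:02 fw filterlog[411]: 6,,,1000000105,em1,match,block,in,6,0x00,0x00000,1,UDP,17,154,fe80::1c2d:3eff:fe4f:5a6b,ff02::c,61000,1900,154
Jan 10 09:00:03 fw filterlog[411]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,999,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51000,22,0,S,1,,64240,,mss
Jan 10 09:00:04 fw filterlog[411]: 9,,,1770001234,em1,match,pass,in,4,0x0,,64,1000,0,none,17,udp,70,192.168.1.50,192.0.2.53,40000,53,50
"""

def parse_line(line):
    """Return iface/action/src/dport for a TCP or UDP entry, else None."""
    fields = next(csv.reader([line.rpartition("]: ")[2]]), [])
    if len(fields) > 21 and fields[8] == "4":    # IPv4: proto 16, src 18, dport 21
        proto, src, dport = fields[16], fields[18], fields[21]
    elif len(fields) > 18 and fields[8] == "6":  # IPv6: proto 12, src 15, dport 18
        proto, src, dport = fields[12], fields[15], fields[18]
    else:
        return None
    if proto.lower() not in ("udp", "tcp"):      # other protocols carry no ports
        return None
    return {"iface": fields[4], "action": fields[6], "src": src, "dport": dport}

def noisy_sources(log_text, dport="1900"):
    """Group blocked packets to `dport` by source address."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "block" or rec["dport"] != dport:
            continue
        try:
            link_local = ipaddress.ip_address(rec["src"]).is_link_local
        except ValueError:                       # malformed address field
            continue
        entry = sources.setdefault(
            rec["src"], {"count": 0, "ifaces": set(), "link_local": link_local})
        entry["count"] += 1
        entry["ifaces"].add(rec["iface"])
    return sources

if __name__ == "__main__":
    ranked = sorted(noisy_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, info in ranked:
        kind = "link-local (APIPA/fe80::)" if info["link_local"] else "routable"
        print(f"{info['count']:4d}  {src:28s} {kind:26s} {sorted(info['ifaces'])}")
```

A link-local source will not appear in the DHCP lease table, so match it to a MAC address in the ARP/NDP table or in a packet capture to identify the device.
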

                        deanot

                        Since disabling darkstat, my logs are back to normal. I am unsure what it could have turned on. Just happy my logs are not being flooded anymore…

                          lavd

                          I believe I had the same thing and fixed it by setting IPv6 to None on the LAN interface instead of Tracking. If set to Tracking, it would not only flood the logs but would start blocking over 1 hop IPv4 traffic from LAN. Meaning if you have a wifi hot spot attached, it will start blocking some of that traffic - throwing it to the default IPv4 rule.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.