Traffic that occurred in the past.

A Former User

is it possible to look at the logs in pfsense that show me which connections were made at an earlier time? for example, i am looking at the rrd graphs and see that my connection was heavily used between 4-5am, but i don't know how i can see who was using the connection at that time. i am not looking for it to tell me someone was streaming youtube (although, that would be nice), i would want to see the LAN IP and what IP it was connected to, or something along those lines.

do i need to implement a syslog server and log everything to that?

thanks.

heper

check ntop package

A Former User

@heper:

check ntop package

i'd have to enable it.

and it seems that browsing that won't be very user friendly.

"Enable historical data storage.
WARNING: This feature consumes HUGE amount of disk space. Also, browsing the historical data is VERY slow.
The historical interface is considered abandoned by upstream, pending more usable replacement."

EDIT- i am experimenting with my pfsense box at home. unfortunately, when i am reviewing the data, i don't know what time it is. for example, even though i did select a specific time, when reviewing the data, i don't see date/time. it does show throughput, but it seems like there should be an easier way. if there was a date/time column, that might be a good start.

EDIT2- ok, this is better than nothing, i guess i just need to be as specific as possible with the search and then look at the amount of data consumed, that is way better than nothing at all.

is there a place to set how much storage can be used by ntop? will it recycle storage when it needs more space? i want to make sure i don't crash my box by letting the hard drive pfsense runs on fill up.

thanks.

A Former User

@tdhuck:

@heper:

check ntop package

i'd have to enable it.

and it seems that browsing that won't be very user friendly.

"Enable historical data storage.
WARNING: This feature consumes HUGE amount of disk space. Also, browsing the historical data is VERY slow.
The historical interface is considered abandoned by upstream, pending more usable replacement."

EDIT- i am experimenting with my pfsense box at home. unfortunately, when i am reviewing the data, i don't know what time it is. for example, even though i did select a specific time, when reviewing the data, i don't see date/time. it does show throughput, but it seems like there should be an easier way. if there was a date/time column, that might be a good start.

EDIT2- ok, this is better than nothing, i guess i just need to be as specific as possible with the search and then look at the amount of data consumed, that is way better than nothing at all.

is there a place to set how much storage can be used by ntop? will it recycle storage when it needs more space? i want to make sure i don't crash my box by letting the hard drive pfsense runs on fill up.

thanks.

after testing it some more, something isn't right with ntop…

i loaded data from a few hours ago (took a screen shot of a lookup i did to compare the data if i were to look at it hours later) and once the data loaded from my most recent lookup, the history wasn't there/didn't match. i also noticed that if you try to load the same date/time that was previously loaded, ntop crashes and it needs to be restarted.

i could be doing something wrong, not sure, but so far, ntop isn't working that great.

Guest

is it possible to look at the logs in pfsense that show me which connections were made at an earlier time?

From the WLAN & LAN to the WAN I would imagine you could install Squid with user authentication
and SARG for reporting then. It all depends on the traffic it selfs and the amount of log files that will
be produced. But if all is going through the Squid proxy w/ user authentication you will exactly knowing
who was doing what and at which time.

for example, i am looking at the rrd graphs and see that my connection was heavily used between 4-5am, but i don't know how i can see who was using the connection at that time.

That is more then a real time monitoring but you was asking for a longer time ago usage first.
What you want exactly now? Or both?

i am not looking for it to tell me someone was streaming youtube (although, that would be nice), i would want to see the LAN IP and what IP it was connected to, or something along those lines.

It would be able to realize but then the WLAN should be secured by a radius server and for guests
over a Captive Portal otherwise or if this be an open WLAN as a HotSpot you will never be ale to see
who was it, if the whole street is surfing over your AP or pfSense.

do i need to implement a syslog server and log everything to that?

A small RaspBerry PI 2.0 with the new WD 314 GB HDD one will be sufficient to realize many more things  together with;

• syslog-ng, MRTG & CACTI
• ELK (ElasticSearch, Logstash, Kibana)
• on pfSense directly w/ Squid & SquidGuard & SARG

is there a place to set how much storage can be used by ntop? will it recycle storage when it needs more space? i want to make sure i don't crash my box by letting the hard drive pfsense runs on fill up.

Then add a bigger HDD/SSD or set up a small Intel NUC connected to a monitor where you can install or
run the following things.

• PRTG Network Monitor
• Scrutinizer
• WireShark
• F.l.a.v.i.o.
• Splunk

I would more have a look for the following two thinks

• Squid & SquidGuard + SARG plus
• PRTG on an Intel NUC or ELK
• syslog-ng & MRTG & CACTI on a RAPI