Need help to understand the source of my traffic
-
Hi - I am trying to find out what is causing all the traffic here. Daily mails pfsense sends me (from vnstat) typically look like this:
 daily                   rx      |     tx      |    total    |   avg. rate
------------------------+-------------+-------------+---------------
 yesterday      1.84 GiB |    4.00 GiB |    5.84 GiB |  566.64 kbit/s
     today         0 KiB |       0 KiB |       0 KiB |         n/a
------------------------+-------------+-------------+---------------
 estimated            -- |          -- |          -- |

 WAN (pppoe0)                                                          00:00
  [hourly rx/tx bar graph: bar characters not recoverable from the mail; hour axis below]
 -+--------------------------------------------------------------------------->
  |  01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 00

  h  rx (MiB)   tx (MiB)    h  rx (MiB)   tx (MiB)    h  rx (MiB)   tx (MiB)
 01      6.83       1.40   09     32.00       7.86   17    152.36      12.53
 02     11.86       2.20   10    104.47       9.93   18     31.25       9.40
 03      7.66       1.55   11     27.72      16.07   19     19.71       7.57
 04    600.87    3883.34   12    109.87      13.36   20     20.89       6.48
 05      9.43       1.54   13     16.25       9.81   21     14.21       3.95
 06     15.85       1.97   14     55.42       7.71   22     39.00       5.30
 07     14.86       2.54   15    112.65      18.86   23    141.25      22.49
 08     56.26      25.11   16    176.02      17.53   00      0.00       0.00
I.e. you see a spike around 4 a.m. and then nothing. I have no clue what this traffic is about.
I have looked at Status -> Traffic totals, but that doesn't really help much further. Is there a way I can find out - without sitting down in front of the machine at 4 a.m. - the internal IP and ports associated with that traffic at that time?
Thanks!
-
Patch Tuesday maybe?
https://en.wikipedia.org/wiki/Patch_Tuesday
-
Set up a cron job to do packet capture, start at 0358, end at 0402, then do offline analysis? That would give you the traffic, no?
-
Patch Tuesday maybe?
It occurs almost daily, and it's mostly traffic that's sent out…
@mer:
Set up a cron job to do packet capture, start at 0358, end at 0402, then do offline analysis? That would give you the traffic, no?
Ok, to make sure I understood this correctly: I have now installed the cron package and entered a command for 04:00:
/usr/sbin/tcpdump -G 3600 -W 1 -i pppoe0 -s 65535 -w /var/storage/pfsensedump.pcap
(I quickly created /var/storage and mounted a server share with sufficient space there to make sure it can hold the dump.)
And then I will use some tool to analyze the dump, right?
If so, any suggestion for a tool that can easily produce a traffic summary (per IP and port) from such a dump? Or do I need to install Wireshark for this?
Thanks!
-
Wireshark: go to Statistics -> Conversations
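As an added example (not from this thread, and not pfSense's or Wireshark's own code), here is a standard-library Python script that does offline what the Wireshark Conversations view shows: it parses a tcpdump .pcap and prints bytes per LAN host (rx/tx) plus the top (LAN host, remote host, protocol, remote port) conversations, which answers the "internal IP and ports" question asked above. Assumptions: the dump is the classic pcap format (not pcapng) with an Ethernet or raw-IPv4 link type; a capture taken on pppoe0 may carry a different link type, which the script rejects rather than misparsing, so check it with Wireshark first. The LAN prefix 192.168.1.0/24, the script name, and the addresses in the built-in sample capture are all made up.

```python
# Added example (not from the thread): per-host / per-port byte summary of a
# tcpdump .pcap using only the Python standard library. Assumptions: the capture
# uses an Ethernet or raw-IPv4 link type, and the LAN prefix is passed in.
import ipaddress
import struct
import sys
from collections import Counter, namedtuple

LINKTYPE_ETHERNET = 1
LINKTYPES_RAW_IP = (12, 101)          # DLT_RAW / LINKTYPE_RAW: frame starts at the IP header
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
Packet = namedtuple("Packet", "ts src dst proto sport dport length")


def parse_pcap(data):
    """Return one Packet per IPv4 frame in a classic pcap file held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype == LINKTYPE_ETHERNET:
        ip_offset = lambda f: 14 if f[12:14] == b"\x08\x00" else None  # skip non-IPv4 ethertypes
    elif linktype in LINKTYPES_RAW_IP:
        ip_offset = lambda f: 0
    else:
        raise ValueError(f"unsupported link type {linktype}; inspect the file in Wireshark")
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        off = ip_offset(frame)
        if off is None or len(frame) < off + 20:
            continue
        ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
        if ver_ihl >> 4 != 4:
            continue
        ihl = (ver_ihl & 0x0F) * 4
        ports = frame[off + ihl:off + ihl + 4]          # first 4 bytes of TCP/UDP: sport, dport
        sport, dport = struct.unpack("!HH", ports) if proto in (6, 17) and len(ports) == 4 else (None, None)
        records.append(Packet(ts_sec, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                              proto, sport, dport, orig_len))
    return records


def summarize(records, local_net):
    """Per-LAN-host [rx, tx] byte totals and a Counter of (host, remote, proto, remote port) -> bytes."""
    net = ipaddress.ip_network(local_net)
    hosts, conv = {}, Counter()
    for p in records:
        s_local = ipaddress.IPv4Address(p.src) in net
        d_local = ipaddress.IPv4Address(p.dst) in net
        if s_local and not d_local:          # upload: LAN host -> Internet
            local, remote, rport, direction = p.src, p.dst, p.dport, 1
        elif d_local and not s_local:        # download: Internet -> LAN host
            local, remote, rport, direction = p.dst, p.src, p.sport, 0
        else:
            continue                         # LAN-internal or transit traffic is not WAN usage
        hosts.setdefault(local, [0, 0])[direction] += p.length
        conv[(local, remote, PROTO_NAMES.get(p.proto, str(p.proto)), rport)] += p.length
    return hosts, conv


def top_conversations(conv, n=10):
    return conv.most_common(n)


# --- constructed sample capture (made-up addresses, not real traffic) so the script runs offline ---
def _ipv4_frame(src, dst, proto, sport, dport, payload_len):
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)  # minimal TCP/UDP header
    payload = b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4 + payload  # Ethernet header + IPv4


def build_sample_pcap():
    frames = [_ipv4_frame("192.168.1.50", "203.0.113.10", 6, 50000, 443, 1400)] * 3   # bulk upload
    frames += [_ipv4_frame("198.51.100.5", "192.168.1.20", 6, 80, 50001, 500)] * 2     # download
    frames += [_ipv4_frame("192.168.1.20", "9.9.9.9", 17, 40000, 53, 40)]              # DNS query
    frames += [_ipv4_frame("192.168.1.20", "192.168.1.50", 6, 40001, 445, 100)]        # LAN-only, ignored
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # usage: python pcap_summary.py /var/storage/pfsensedump.pcap 192.168.1.0/24
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    hosts, conv = summarize(parse_pcap(data), sys.argv[2] if len(sys.argv) > 2 else "192.168.1.0/24")
    for host, (rx, tx) in sorted(hosts.items(), key=lambda kv: -sum(kv[1])):
        print(f"{host:16} rx {rx:>10} B  tx {tx:>10} B")
    for (host, remote, proto, port), nbytes in top_conversations(conv):
        print(f"  {host} -> {remote} {proto}/{port}: {nbytes} B")
```

Run with no arguments to see the built-in sample; run with the path of the cron-captured dump and your LAN prefix to get the real figures. Because the cron job already limits the capture to the 04:00 window, the first host in the output is the one responsible for the spike, and the conversation list shows which remote address and port it was talking to.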
-
Install ntopng. It can tell you which client used up your bandwidth. It will even tell you what kind of app/service/protocol
-
Thanks for the hint. I have ntopng installed, but it doesn't appear to store traffic data, but only shows live data. I.e. I would have to get up at 4 a.m….?