Need help to understand the source of my traffic

highc

Hi - I am trying to find out what is causing all the traffic here. Daily mails pfsense sends me (from vnstat) typically look like this:

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday      1.84 GiB |    4.00 GiB |    5.84 GiB |  566.64 kbit/s
         today         0 KiB |       0 KiB |       0 KiB |            n/a
     ------------------------+-------------+-------------+---------------
     estimated        --     |      --     |      --     |
 WAN (pppoe0)                                                             00:00
  ^            t
  |            t
  |            t
  |            t
  |            t
  |            t
  |            t
  |            t
  |            t
  |           rt
 -+--------------------------------------------------------------------------->
  |  01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 00

 h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB)
01       6.83       1.40    09      32.00       7.86    17     152.36      12.53
02      11.86       2.20    10     104.47       9.93    18      31.25       9.40
03       7.66       1.55    11      27.72      16.07    19      19.71       7.57
04     600.87    3883.34    12     109.87      13.36    20      20.89       6.48
05       9.43       1.54    13      16.25       9.81    21      14.21       3.95
06      15.85       1.97    14      55.42       7.71    22      39.00       5.30
07      14.86       2.54    15     112.65      18.86    23     141.25      22.49
08      56.26      25.11    16     176.02      17.53    00       0.00       0.00

I.e. you see a spike around 4 a.m. and then nothing. I have no clue what this traffic is about.

I have looked at Status -> Traffic totals, but that doesn't really help much further. Is there a way I can find out - without sitting down in front of the machine at 4 a.m. - the internal IP and ports associated with that traffic at that time?

Thanks!

NogBadTheBad

Patch Tuesday maybe ?

https://en.wikipedia.org/wiki/Patch_Tuesday

mer

Setup a cron job to do packet capture, start at 0358, end at 0402 then do offline analysis?  That would give you the traffic, no?

highc

@NogBadTheBad:

Patch Tuesday maybe ?

It occurs almost daily, and it's mostly traffic that's sent out…

@mer:

Setup a cron job to do packet capture, start at 0358, end at 0402 then do offline analysis?  That would give you the traffic, no?

Ok, to make sure I understood this correctly: I have now installed the cron package and entered a command for 04:00:

/usr/sbin/tcpdump -G 3600 -W 1 -i pppoe0 -s 65535 -w /var/storage/pfsensedump.pcap

(I quickly created /var/storage and mounted a server share with sufficient space there to make sure it can hold the dump.)

And then I will use some tool to analyze the dump, right?

If so, any suggestion for a tool that can easily produce traffic summary (per IP and port) from such dump? Or do I need to install wireshark for this?

Thanks!

NogBadTheBad

Wireshark goto Statistics -> Conversations

heper

Install ntopng. It can tell you which client used up your bandwidth. It will even tell you what kind of app/service/protocol

highc

Thanks for the hint. I have ntopng installed, but it doesn't appear to store traffic data, but only shows live data. I.e. I would have to get up at 4 a.m….?