Need help to understand the source of my traffic



  • Hi - I am trying to find out what is causing all the traffic here. Daily mails pfsense sends me (from vnstat) typically look like this:

       daily
                         rx      |     tx      |    total    |   avg. rate
         ------------------------+-------------+-------------+---------------
         yesterday      1.84 GiB |    4.00 GiB |    5.84 GiB |  566.64 kbit/s
             today         0 KiB |       0 KiB |       0 KiB |            n/a
         ------------------------+-------------+-------------+---------------
         estimated        --     |      --     |      --     |
     WAN (pppoe0)                                                             00:00
      ^            t
      |            t
      |            t
      |            t
      |            t
      |            t
      |            t
      |            t
      |            t
      |           rt
     -+--------------------------------------------------------------------------->
      |  01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 00
    
     h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB)
    01       6.83       1.40    09      32.00       7.86    17     152.36      12.53
    02      11.86       2.20    10     104.47       9.93    18      31.25       9.40
    03       7.66       1.55    11      27.72      16.07    19      19.71       7.57
    04     600.87    3883.34    12     109.87      13.36    20      20.89       6.48
    05       9.43       1.54    13      16.25       9.81    21      14.21       3.95
    06      15.85       1.97    14      55.42       7.71    22      39.00       5.30
    07      14.86       2.54    15     112.65      18.86    23     141.25      22.49
    08      56.26      25.11    16     176.02      17.53    00       0.00       0.00
    

    I.e. you see a spike around 4 a.m. and then nothing. I have no clue what this traffic is about.

    I have looked at Status -> Traffic totals, but that doesn't really help much further. Is there a way I can find out - without sitting down in front of the machine at 4 a.m. - the internal IP and ports associated with that traffic at that time?

    Thanks!


  • Patch Tuesday maybe ?



  • Set up a cron job to do packet capture, start at 0358, end at 0402 then do offline analysis?  That would give you the traffic, no?



  • @NogBadTheBad:

    Patch Tuesday maybe ?

    It occurs almost daily, and it's mostly traffic that's sent out…

    @mer:

    Set up a cron job to do packet capture, start at 0358, end at 0402 then do offline analysis?  That would give you the traffic, no?

    Ok, to make sure I understood this correctly: I have now installed the cron package and entered a command for 04:00:

    /usr/sbin/tcpdump -G 3600 -W 1 -i pppoe0 -s 65535 -w /var/storage/pfsensedump.pcap
    

    (I quickly created /var/storage and mounted a server share with sufficient space there to make sure it can hold the dump.)

    And then I will use some tool to analyze the dump, right?

    If so, any suggestion for a tool that can easily produce a traffic summary (per IP and port) from such a dump? Or do I need to install Wireshark for this?

    Thanks!
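
As an added example (not from this thread, and not pfSense, vnstat or tcpdump code), here is a dependency-free Python script that produces the per-IP/port byte summary asked about above straight from the tcpdump .pcap, so no Wireshark install is needed. It assumes a classic pcap file (not pcapng) with a raw-IP or Ethernet link type, and embeds a constructed sample capture so it runs offline; replace that with `open("/var/storage/pfsensedump.pcap", "rb").read()` for a real dump.

```python
import struct
from collections import defaultdict

# Link types tcpdump writes into the pcap header. Assumption: a pppoe0 capture on
# FreeBSD is raw IP (101/12); Ethernet (1) covers LAN-side captures.
LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW_OLD, LINKTYPE_RAW = 0, 1, 12, 101

def _ip_packet(linktype, frame):
    """Strip the link-layer header and return the IPv4 packet, or None."""
    if linktype == LINKTYPE_ETHERNET:
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    if linktype == LINKTYPE_NULL:          # 4-byte address-family word
        return frame[4:]
    return frame if linktype in (LINKTYPE_RAW_OLD, LINKTYPE_RAW) else None

def summarize_pcap(data):
    """Return [((src, sport, dst, dport, proto), bytes), ...] sorted by bytes, descending."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    totals, off = defaultdict(int), 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = _ip_packet(linktype, frame)
        if ip is None or len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport = dport = 0
        if proto in (6, 17) and len(ip) >= ihl + 4:    # TCP or UDP: read the port pair
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        totals[(src, sport, dst, dport, proto)] += orig_len   # wire length, not snaplen
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def _packet(src, dst, proto, sport, dport, payload_len):
    """Constructed minimal IPv4 + TCP/UDP-style packet for the sample capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHI", sport, dport, 0) + b"\0" * payload_len

def sample_pcap():
    """Constructed LINKTYPE_RAW file: three large HTTPS uploads plus one small DNS query."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    pkts = [_packet("192.168.1.20", "203.0.113.10", 6, 51000, 443, 1400)] * 3
    pkts.append(_packet("192.168.1.5", "9.9.9.9", 17, 5353, 53, 40))
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
                          for i, p in enumerate(pkts))
```

The top rows of `summarize_pcap(...)` are the flows that filled the 04:00 bucket; ports read 0 for non-TCP/UDP traffic, and a capture that shows only one internal source on one port for most of the bytes is the usual sign of a scheduled backup or sync job.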


  • In Wireshark go to Statistics -> Conversations



  • Install ntopng. It can tell you which client used up your bandwidth. It will even tell you what kind of app/service/protocol.



  • Thanks for the hint. I have ntopng installed, but it doesn't appear to store traffic data; it only shows live data. I.e. I would have to get up at 4 a.m.…?