Host tracking on LAN



  • Hi! I don’t know where to put this question, so it ended up here since the thing I’m looking for is missing from the webgui.
    What I want is to see the bandwidth of specific servers on our LAN. From what I’ve found on this forum there is no way to do this now. But the information must be stored in a log file somewhere. I guess my question is: where is the log data stored, and what is the best way to retrieve it? I’m going to get one of the übernerds here at the office to make an app or a website that will parse it, if that isn’t already made. Any help would be appreciated.

    If this has been answered before, please point me in the right direction.
    Thanks in advance.



  • You can install packages that can display the traffic.

    But if it's a server you could as well install network monitoring software and get the info directly via SNMP from the server.



  • Thank you.

    Could you please tell me what packages, and where I can find them?



  • Does anyone else know what he’s talking about? Is there an addon to pfSense that shows the host data?



  • System -> Packages

    bandwidthd or darkstat; ntop might also interest you.



  • Thank you. That helped.



  • Is there a way to make pfSense track the amount of bandwidth each IP address uses? I have 253 external IP addresses behind my pfSense firewall running in transparent bridge mode. I am not using NAT for any of the machines. All of them have external IPs. I want to track how much bandwidth each IP is using so I can target which ones need to be managed better.

    Any ideas on how to do this?

    Thanks

    Bob



  • Something is using the max amount of bandwidth allowed on my system.
    When watching the bandwidth on my primary WAN I can see
    something is using 30 mbps, yes 30 mbps. How can I find
    this device and stop it?



  • You can use pftop on console to monitor downloads in the "bytes" column, or ntop, darkstat, bandwidthd for GUI reporting. I would suggest setting up the traffic shaper; there is an option to penalise users who go over a set down/up limit, although I haven't played with this feature myself.

    Slam



  • I tried ntop and it's a great tool. It shows everything I can think of ever needing  :D  But it's using a lot of CPU, then crashes. I've seen some posts covering similar problems, but I don't understand. I am a n00b.  ??? Does anyone know of an easy fix for this problem?

    I get this when I try to run it.

    
    $ ntop
    Thu Jan 29 09:45:32 2009  NOTE: Interface merge enabled by default
    Thu Jan 29 09:45:32 2009  Initializing gdbm databases
    Thu Jan 29 09:45:32 2009  ntop will be started as user nobody
    Thu Jan 29 09:45:32 2009  ntop v.3.3.8
    Thu Jan 29 09:45:32 2009  Configured on Dec  4 2008 15:19:28, built on Dec  4 2008 15:19:59.
    Thu Jan 29 09:45:32 2009  Copyright 1998-2007 by Luca Deri <deri@ntop.org>
    Thu Jan 29 09:45:32 2009  Get the freshest ntop from http://www.ntop.org/
    Thu Jan 29 09:45:32 2009  NOTE: ntop is running from 'ntop'
    Thu Jan 29 09:45:32 2009  NOTE: (but see warning on man page for the --instance parameter)
    Thu Jan 29 09:45:32 2009  NOTE: ntop libraries are in '/usr/local/lib'
    Thu Jan 29 09:45:32 2009  Initializing ntop
    Thu Jan 29 09:45:32 2009  No patterns to load: protocol guessing disabled.
    Thu Jan 29 09:45:32 2009  Checking bfe0 for additional devices
    Thu Jan 29 09:45:32 2009  Resetting traffic statistics for device bfe0
    Thu Jan 29 09:45:32 2009  Initializing device bfe0 (0)
    Thu Jan 29 09:45:32 2009  DLT: Device 0 [bfe0] is 1, mtu 1514, header 14
    Thu Jan 29 09:45:32 2009  Initializing gdbm databases
    Thu Jan 29 09:45:32 2009  VENDOR: Loading MAC address table.
    Thu Jan 29 09:45:32 2009  VENDOR: Checking for MAC address table file
    Thu Jan 29 09:45:32 2009  VENDOR: Loading newer file '/usr/local/etc/ntop/specialMAC.txt.gz'
    Thu Jan 29 09:45:32 2009  VENDOR: ...found 61 lines
    Thu Jan 29 09:45:32 2009  VENDOR: ...loaded 59 records
    Thu Jan 29 09:45:32 2009  VENDOR: Checking for MAC address table file
    Thu Jan 29 09:45:32 2009  VENDOR: Loading newer file '/usr/local/etc/ntop/oui.txt.gz'
    Thu Jan 29 09:45:32 2009  VENDOR: ...found 48541 lines
    Thu Jan 29 09:45:32 2009  VENDOR: ...loaded 7853 records
    Thu Jan 29 09:45:32 2009  Fingerprint: Loading signature file
    Thu Jan 29 09:45:32 2009  Fingerprint: Checking for Fingerprint file... file
    Thu Jan 29 09:45:32 2009  Fingerprint: Loading file '/usr/local/etc/ntop/etter.finger.os.gz'
    Thu Jan 29 09:45:32 2009  Fingerprint: ...loaded 0 records
    Thu Jan 29 09:45:32 2009  ASN: Checking for Autonomous System Number table file
    Thu Jan 29 09:45:32 2009  ASN: Loading file '/usr/local/etc/ntop/AS-list.txt.gz'
    Thu Jan 29 09:45:33 2009  ASN: ...found 111435 lines
    Thu Jan 29 09:45:33 2009  ASN: ....Used 3780 KB of memory (12 per entry)
    Thu Jan 29 09:45:33 2009  IP2CC: Checking for IP address <-> Country Code mapping file
    Thu Jan 29 09:45:33 2009  IP2CC: Loading file '/usr/local/etc/ntop/p2c.opt.table.gz'
    Thu Jan 29 09:45:34 2009  IP2CC: ...found 52395 lines
    Thu Jan 29 09:45:34 2009  Database support not compiled into ntop
    Thu Jan 29 09:45:34 2009  Initializing external applications
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676160]: SFP: Started thread for fingerprinting
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676416]: SIH: Started thread for idle hosts detection
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676672]: DNSAR(1): Started thread for DNS address resolution
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676928]: DNSAR(2): Started thread for DNS address resolution
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683677184]: DNSAR(3): Started thread for DNS address resolution
    Thu Jan 29 09:45:34 2009  Calling plugin start functions (if any)
    Thu Jan 29 09:45:34 2009  SSL is present but https is disabled: use -W <https port> for enabling it
    Thu Jan 29 09:45:34 2009  INITWEB: Initializing web server
    Thu Jan 29 09:45:34 2009  INITWEB: Initializing TCP/IP socket connections for web server
    Thu Jan 29 09:45:34 2009  INITWEB: Initialized socket, port 3000, address (any)
    Thu Jan 29 09:45:34 2009  INITWEB: Waiting for HTTP connections on port 3000
    Thu Jan 29 09:45:34 2009  INITWEB: Starting web server
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683677440]: INITWEB: Started thread for web server
    Thu Jan 29 09:45:34 2009  Listening on [bfe0]
    Thu Jan 29 09:45:34 2009  Loading Plugins
    Thu Jan 29 09:45:34 2009  Searching for plugins in /usr/local/lib/ntop/plugins
    Thu Jan 29 09:45:34 2009  CPACKET: Welcome to cPacket.(C) 2008 by Luca Deri
    Thu Jan 29 09:45:34 2009  ICMP: Welcome to ICMP Watch. (C) 1999-2005 by Luca Deri
    Thu Jan 29 09:45:34 2009  LASTSEEN: Welcome to Host Last Seen. (C) 1999 by Andrea Marangoni
    Thu Jan 29 09:45:34 2009  NETFLOW: Welcome to NetFlow.(C) 2002-08 by Luca Deri
    Thu Jan 29 09:45:34 2009  PDA: Welcome to PDA. (C) 2001-2005 by L.Deri and W.Brock
    Thu Jan 29 09:45:34 2009  Remote: Welcome to Remote. (C) 2006-07 by L.Deri
    Thu Jan 29 09:45:34 2009  RRD: Welcome to Round-Robin Databases. (C) 2002-07 by Luca Deri.
    Thu Jan 29 09:45:34 2009  SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
    Thu Jan 29 09:45:34 2009  Calling plugin start functions (if any)
    Thu Jan 29 09:45:34 2009  RRD: Welcome to the RRD plugin
    Thu Jan 29 09:45:34 2009  RRD: Mask for new directories is 0700
    Thu Jan 29 09:45:34 2009  RRD: Mask for new files is 0066
    Thu Jan 29 09:45:34 2009  RRD_DEBUG: Parameters:
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpInterval 300 seconds
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpShortInterval 10 seconds
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpHours 72 hours by 300 seconds
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpDays 90 days by hour
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpMonths 36 months by day
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpDomains no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpFlows no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpSubnets no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpHosts no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpInterfaces yes
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpASs no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpMatrix no
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     dumpDetail medium
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     hostsFilter 
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     rrdPath /var/db/ntop/rrd [normal]
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     rrdPath /var/db/ntop/rrd [dynamic/volatile]
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     umask 0066
    Thu Jan 29 09:45:34 2009  RRD_DEBUG:     DirPerms 0700
    Thu Jan 29 09:45:34 2009  THREADMGMT: RRD: Started thread (t683679744) for data collection
    Thu Jan 29 09:45:34 2009  INIT: Created pid file (/var/run/ntop.pid)
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683675904]: ntop RUNSTATE: INITNONROOT(3)
    Thu Jan 29 09:45:34 2009  Now running as requested user 'nobody' (65534:65534)
    Thu Jan 29 09:45:34 2009  Note: Reporting device initally set to 0 [bfe0] (merged)
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683675904]: ntop RUNSTATE: RUN(4)
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683680000]: NPS(1): Started thread for network packet sniffing [bfe0]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676160]: SFP: Fingerprint scan thread starting [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676160]: SFP: Fingerprint scan thread running [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676416]: SIH: Idle host scan thread starting [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676416]: SIH: Idle host scan thread running [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683677440]: WEB: Server connection thread starting [p24309]
    Thu Jan 29 09:45:34 2009  Note: SIGPIPE handler set (ignore)
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683677440]: WEB: Server connection thread running [p24309]
    Thu Jan 29 09:45:34 2009  WEB: ntop's web server is now processing requests
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683677184]: DNSAR(3): Address resolution thread running
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683679744]: RRD: Data collection thread starting [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676672]: DNSAR(1): Address resolution thread running
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683676928]: DNSAR(2): Address resolution thread running
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683680000]: NPS(bfe0): pcapDispatch thread starting [p24309]
    Thu Jan 29 09:45:34 2009  THREADMGMT[t683680000]: NPS(bfe0): pcapDispatch thread running [p24309]
    Thu Jan 29 09:45:44 2009  THREADMGMT[t683680256]: RRD: Started thread for throughput data collection
    Thu Jan 29 09:45:44 2009  THREADMGMT[t683679744]: RRD: Data collection thread running [p24309]
    Thu Jan 29 09:45:44 2009  THREADMGMT[t683680256]: RRD: Throughput data collection: Thread starting [p24309]
    Thu Jan 29 09:45:44 2009  THREADMGMT[t683680256]: RRD: Throughput data collection: Thread running [p24309]
    Segmentation fault
    


  • It seems that the RRD graph is crashing.
    Don't be scared, my traffic looks like this:


    and everything goes well



  • Where are the Übernerds when you need one, eh?

