Traffic pattern analysis
In one small network I manage, I noticed a very high number of states last night; around 7000-8000 were the numbers I saw. Normal numbers are in the hundreds for this network. At the time only one DHCP was active, and although there is a group of servers on the network, they appeared not to be busy. On the states page I filtered on the DHCP IP and 99% belonged to that IP. And the number from the first page was indeed also reported on the states page. I then looked at the RRD graphs (today), see attached pics.
What type of traffic to/from one single host can produce such high number of states? Are there in practice any alternatives to torrent traffic?
Due to possible legality issues concerning torrent traffic, I am quite interested in keeping usage on the network legal, since I cannot accept my servers being raided by the Swedish anti-piracy Stasi due to a teenager's downloading habits on the same network. Here (some) ISPs are actually refusing to hand out IP info to authorities (the law has to be rewritten to be able to force ISPs to do this, so in practice, as of now, the Pirate Bay case hasn't led to any other effect than an actual strengthening of integrity for many Swedish users), but I am nonetheless interested in keeping my own resources out of risk of theoretical collateral damage.
What means are there in pfs to examine traffic type, etc.? I know I can take a dump, save it and open it directly in Wireshark, and that works very well, but perhaps there are some other tricks I could use.
Also, is there a limit to how large such a dump can be? Could I have it running for, like, 24 hrs and fetch GBs of data, or would that break something? (I guess Wireshark could choke on the file size anyway, perhaps...)
I have been running a few of the packages as well, like ntop, but some of them have not worked 100% on my 1.2.2; perhaps 1.2.3 will be better with packages?
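Added example (not from the original post): a script that does what the states-page filter above does by hand, grouping `pfctl -ss` output by LAN host and counting states and distinct remote peers, so one host holding most of the table across many different peers (the P2P-style pattern asked about) stands out. The sample state lines and the assumed `pfctl -ss` column layout are constructed here.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample shaped like `pfctl -ss` output (IPv4 only; layout is an assumption,
# compare with a real pfSense first). The address in parentheses is the pre-NAT LAN address.
SAMPLE_STATES = """\
em0 tcp 192.168.1.20:52311 -> 203.0.113.9:443 ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.20:53120 -> 192.168.1.1:53 MULTIPLE:SINGLE
em0 tcp 192.168.1.55:40001 -> 198.51.100.7:6881 ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.55:40001 -> 198.51.100.8:6881 MULTIPLE:MULTIPLE
em0 udp 192.168.1.55:40001 -> 198.51.100.9:51413 MULTIPLE:MULTIPLE
em0 tcp 192.168.1.55:40002 -> 198.51.100.10:6889 ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.1:40003 (192.168.1.55:40003) -> 198.51.100.11:6881 ESTABLISHED:ESTABLISHED
"""

IPPORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
# groups: 1-2 source, 3-4 optional pre-NAT address, 5-6 destination
STATE_RE = re.compile(rf"^\S+\s+\S+\s+{IPPORT}(?:\s+\({IPPORT}\))?\s+(?:->|<-)\s+{IPPORT}")

def summarize_states(text, lan_cidr):
    """Per LAN host: number of states and the set of distinct remote peers."""
    lan = ip_network(lan_cidr)
    hosts = defaultdict(lambda: {"states": 0, "peers": set()})
    total = 0
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # blank lines or a layout we do not understand
        src, orig, dst = m.group(1), m.group(3), m.group(5)
        total += 1
        for cand in (orig, src, dst):  # pre-NAT address first, else whichever end is on the LAN
            if cand and ip_address(cand) in lan:
                host, peer = cand, (src if cand == dst else dst)
                break
        else:
            continue  # neither end is on the LAN (the firewall's own traffic etc.)
        hosts[host]["states"] += 1
        hosts[host]["peers"].add(peer)
    return total, dict(hosts)

def suspicious_hosts(text, lan_cidr, min_states=500, min_peers=100):
    """Hosts over either threshold as (host, states, distinct peers, share of table)."""
    total, hosts = summarize_states(text, lan_cidr)
    rows = [(h, i["states"], len(i["peers"]), round(i["states"] / total, 2))
            for h, i in hosts.items()
            if i["states"] >= min_states or len(i["peers"]) >= min_peers]
    return sorted(rows, key=lambda r: -r[1])

print(suspicious_hosts(SAMPLE_STATES, "192.168.1.0/24", min_states=4, min_peers=4))
```

On a real box, pipe `pfctl -ss` output into `suspicious_hosts` with the LAN subnet and thresholds that fit the normal "hundreds of states" baseline; a single host over many distinct peers and ports is worth a targeted packet capture rather than a 24-hour dump of everything.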
