Netgate Discussion Forum

    Monitor traffic to specific IP on TNSR

    • Qwireca

      I'm looking to see if there is any way to extract traffic logs on TNSR.
      In this specific case I need to monitor traffic to a specific IP, to harden which IPs are allowed to communicate with this old and potentially vulnerable device.

      The best I've found so far is to use IPFIX, which will give me the flows, and I might be able to track source-destination IP. The problem is that my monitoring tool PRTG gives me top talkers 15 minutes at a time, so generating a report over some weeks is manual labor.
      I could also use a SPAN port and attach some tapping device with tcpdump or Wireshark for data collection. This feels like something that should not be needed in 2023, so I ask here before I execute that idea :)

      Normally I would log the ACL to get this information, but I haven't found that this is possible in TNSR.

      • planedrop

        I think capturing traffic and then analyzing with Wireshark might be your best bet here sadly.

        But I am guessing a bit, not much experience with TNSR (still working on trying to get it running in my lab but it doesn't seem to run well on XCP-ng/xenserver).

        Is there a reason TNSR is in use and not pfSense? I know that's far from a solution to your ask lol but if you don't need insane bandwidth throughput I'd consider just going with pfSense as it's far more capable for things like this.

        • Qwireca

          You are right that it's not the normal approach using a router to do firewalling :)
          In this specific case we had a migration where multiple networks were present within the same VLAN.
          Earlier attempts to split each network into its own VLAN had failed without us finding the reason. Moving to TNSR was the closest thing to the original setup we could find.

          Moving it behind a proper firewall will be a later step in the process, but I also have to support the TNSR in the meantime.

          • planedrop @Qwireca

            @Qwireca Totally makes sense to me!

            Like I said I haven't used TNSR that much at this point, so the main thing coming to mind is the packet capture and then Wireshark idea, certainly not ideal though. I'll dig through the docs some to see if I come up with anything else and maybe try to get it running in my lab again to see if I can find an easier way to do this.

            • Qwireca @planedrop

              @planedrop
              I have tried some in my lab, and it might be the best way.
              IPFIX almost works, except it does not send source and destination port in the template, making the monitoring somewhat lacking.

              Problem with the Wireshark idea is that I need to monitor for at least a week.
              Probably not a big problem with the correct filter, but still somewhat of a workaround.

              • planedrop @Qwireca

                @Qwireca A week's worth of traffic might be a pretty insane file size, I'd be worried Wireshark might crash with that much info lol, I've had 100,000 line pcaps and it'll open them but takes a bit longer than normal. You could easily be looking at millions of packets though.

                • paulwollner66 @planedrop

                  @planedrop If you are looking to do this over a long period, I would rather use pmacctd (http://www.pmacct.net/) to collect stats.

                  It has worked very well for me in the past.

                  • fractal_boy @Qwireca

                    @Qwireca FYI, TNSR 23.11 release will have a bunch of IPFIX bug fixes.
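
Added example, not part of the thread or of any Netgate tooling: one way to turn a long capture into the list of peers and device-side ports needed for an allow-list ACL, reading the pcap one record at a time so the week-long file size raised above never has to be opened in Wireshark. It assumes a classic little-endian pcap of untagged Ethernet/IPv4 frames; the function names and the sample addresses (192.0.2.10 as the legacy device) are constructed for illustration.

```python
import io, socket, struct
from collections import Counter

PROTO = {6: "tcp", 17: "udp"}

def peers_of(stream, device_ip):
    """Count packets per (peer IP, protocol, device-side port), streaming."""
    target = socket.inet_aton(device_ip)
    magic, linktype = struct.unpack("<I16xI", stream.read(24))
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    seen = Counter()
    while len(rec := stream.read(16)) == 16:
        caplen = struct.unpack("<IIII", rec)[2]
        pkt = stream.read(caplen)              # only one packet in memory
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                           # truncated or not IPv4
        proto, src, dst = pkt[23], pkt[26:30], pkt[30:34]
        if target not in (src, dst):
            continue                           # traffic not involving the device
        l4 = 14 + (pkt[14] & 0x0F) * 4         # honour the IP header length
        first_frag = (struct.unpack("!H", pkt[20:22])[0] & 0x1FFF) == 0
        port = None                            # unknown for ICMP, later fragments
        if proto in PROTO and first_frag and len(pkt) >= l4 + 4:
            sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
            port = dport if dst == target else sport
        peer = socket.inet_ntoa(src if dst == target else dst)
        seen[(peer, PROTO.get(proto, str(proto)), port)] += 1
    return seen

def _record(src, dst, proto, sport, dport):
    """Build one constructed pcap record: Ethernet + IPv4 + 8 bytes of L4."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_capture():
    """Constructed capture; 192.0.2.10 stands in for the legacy device."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return io.BytesIO(hdr
        + _record("198.51.100.5", "192.0.2.10", 6, 50000, 502)
        + _record("192.0.2.10", "198.51.100.5", 6, 502, 50000)
        + _record("203.0.113.7", "192.0.2.10", 17, 40000, 161)
        + _record("198.51.100.5", "192.0.2.99", 6, 50001, 443))

if __name__ == "__main__":
    for key, count in peers_of(sample_capture(), "192.0.2.10").most_common():
        print(*key, count)
```

Requests and replies collapse onto the same key because the port recorded is always the one on the device's side; connections the device itself initiates will therefore show up under its ephemeral source ports.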