Netgate Discussion Forum

    Normal traffic graph in "idle"?

    General pfSense Questions
    13 Posts 3 Posters 593 Views
    • Gertjan @rasputinthegreatest

      @rasputinthegreatest

      Ask pfSense what it is?

      Select LAN, ask for "Full" (details):

      (screenshot of the Packet Capture page)

      and hit the start button at the bottom of the page.

      What was it?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • rasputinthegreatest @Gertjan

        @Gertjan I see a lot of stuff but I can't really identify what it is.
        I see netgate forum but also an IP from Google that according to Alienvault belongs to Certificate Subject detectportal.firefox.com and some STP and LLDP coming from my Qnap Switch. And a TCP retransmission. OTX alienvault shows a high AV detection ratio? It's whitelisted but also malicious apparently. Is that cause for concern?
        I also see some 34.x.x.x addresses.
        How can I make sense of that capture?

        Unrelated I had some weird IPs from my Windows computer connecting to some random network from svchost.exe but the service was LanmanServer which is sus. I am on high alert since then.

        • stephenw10 Netgate Administrator

          What is the source of that traffic on the LAN? The pcap should show you that. Or you could check the states in Diag > States.

          It's a very small amount of traffic though.

          • rasputinthegreatest @stephenw10

            @stephenw10 It says mostly Application Data and the source is either my laptop or the IPs from Google etc. There is no directionality. It's a back and forth.

            • stephenw10 Netgate Administrator @rasputinthegreatest

              @rasputinthegreatest said in Normal traffic graph in "idle"?:

              There is no directionality. It's a back and forth.

              Yes, that's how traffic works. But unless you have port forwards set up or an entirely routed network then Google cannot open a connection to your LAN. It can only reply to connections your LAN side clients have opened to it. So your laptop is talking to Google.

              • rasputinthegreatest @stephenw10

                @stephenw10 It looks like my laptop initiates it. I use Firefox. It seems to do a lot of talking if I look up the IPs. Like detectportal or push.services.mozilla.com and 93.243.107.34.bc.googleusercontent.com.

                • stephenw10 Netgate Administrator

                  Yup. All normal and expected.

                  • rasputinthegreatest @stephenw10

                    @stephenw10 What I wonder though: I am having a double NAT situation. So if it says Source and Destination in Wireshark, is that actually flipped in that case? So I should see the source as the destination because behind it the actual ISP router sits?

                    • rasputinthegreatest @rasputinthegreatest

                      Also, what does [TCP Dup ACK 46#1] mean?

                      • Gertjan @rasputinthegreatest

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        It says mostly Application Data and the source is either my laptop or the IPs from Google etc. There is no directionality. It's a back and forth.

                        A Windows OS? You ever heard about telemetry data? The keylogger you installed on your PC? 😊

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        I see a lot of stuff but I can't really identify what it is.

                        As a router pfSense admin, it's your job to know what this 'thing' actually does.
                        You actually started doing so:
                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        I see netgate forum

                        Normal. While you are capturing you'll see traffic from your PC going to the Netgate's IP, port 443. That's your browser, or some JavaScript in your browser, chatting with that web server.

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        to Alienvault

                        What is that?

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        detectportal.firefox.com

                        That's your browser doing auto-captive-portal detection. This is destination port 80 TCP traffic, right?

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        some STP and LLDP

                        and you can also see DHCP, ARP, NTP, DNS requests and many more.

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        I also see some 34.x.x.x addresses

                        Nearly anything from 1.1.1.1 to 254.254.254.254 is possible.
                        Wait until you see IPv6 traffic, the one that is replacing IPv4 right now.

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        How can I make sense of that capture?

                        As said above, 'IP' traffic is a very recent invention. Not that hard to understand. But it does take time to look for examples and find out what is used when, etc.
                        You were actually using all this stuff all the time. It's always a good thing to find out how things work.

                        Btw: your "less than 10 Kbit" LAN traffic, that's more the usual background noise.
                        Your LAN-initiated traffic can go to the outside (== the Internet) but nothing can come in if that traffic was non-invited = not requested by some device on your LAN.
                        With the packet capture you can discover what devices communicate to where and what. You'll find out that the actual data = payload is often TLS encrypted, but at least you know who is going where.

                        @rasputinthegreatest said in Normal traffic graph in "idle"?:

                        Also, what does [TCP Dup ACK 46#1] mean?

                        Euh ... you've missed the original goal of Google?!

                        Here is my version: Also what does TCP Dup ACK 46#1 mean?

                        Most stuff can be found by copy, paste, Google, click, read, done.
                        More often than not, as the question was already asked a couple of xxxxx times, you'll find answers right away.


                        • stephenw10 Netgate Administrator @rasputinthegreatest
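An added example, not code from this thread or from Netgate, that applies the point stephenw10 and Gertjan both make above to a LAN-side capture: the side that sends the first bare SYN is the side that opened the connection, so outbound flows from your clients are the expected background noise, and a SYN arriving from outside toward a LAN address is the only kind of flow that should not appear without a port forward. It assumes a 192.168.1.0/24 LAN and works on constructed tcpdump-style lines rather than a real pcap.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the LAN behind pfSense is 192.168.1.0/24; change to your own subnet.
LAN_NET = ip_network("192.168.1.0/24")

# Constructed sample in the style of "tcpdump -n" output from a capture taken on the
# pfSense LAN interface (not a real capture). A laptop opens two connections to public
# hosts; the last line is a SYN arriving from outside, which a LAN capture should never
# show unless a port forward or a routed network exists.
SAMPLE_LAN_CAPTURE = """\
12:00:01.000100 IP 192.168.1.50.51234 > 34.149.144.89.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020200 IP 34.149.144.89.443 > 192.168.1.50.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.020300 IP 192.168.1.50.51234 > 34.149.144.89.443: Flags [.], ack 10, win 502, length 0
12:00:01.030000 IP 192.168.1.50.51234 > 34.149.144.89.443: Flags [P.], seq 1:518, ack 10, win 502, length 517
12:00:02.000000 IP 192.168.1.50.40022 > 198.51.100.8.80: Flags [S], seq 5, win 64240, length 0
12:00:02.040000 IP 198.51.100.8.80 > 192.168.1.50.40022: Flags [S.], seq 7, ack 6, win 65535, length 0
12:00:03.000000 IP 198.51.100.23.55555 > 192.168.1.50.22: Flags [S], seq 3, win 1024, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def flow_initiators(capture_text):
    """Return {(client_ip, client_port, server_ip, server_port): initiator_ip}.

    The initiator is whoever sent the first bare SYN. tcpdump prints the ACK bit
    as '.', so '[S]' opens a connection while '[S.]' is the server's reply."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if "S" in m["flags"] and "." not in m["flags"]:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows.setdefault(key, m["src"])  # keep the first SYN, ignore retransmits
    return flows


def unexpected_inbound(flows):
    """Flows opened from outside LAN_NET toward a host inside it."""
    return [key for key, who in flows.items()
            if ip_address(who) not in LAN_NET and ip_address(key[2]) in LAN_NET]


if __name__ == "__main__":
    found = flow_initiators(SAMPLE_LAN_CAPTURE)
    for (cip, cport, sip, sport), who in found.items():
        print(f"{who} opened {cip}:{cport} -> {sip}:{sport}")
    print("unexpected inbound:", unexpected_inbound(found))
```

On a real capture, feed it the text of `tcpdump -n -r capture.pcap 'tcp'`; a non-empty "unexpected inbound" list on a LAN-side capture is what would justify looking at the pfSense NAT and firewall rules.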

                          @rasputinthegreatest said in Normal traffic graph in "idle"?:

                          I am having a double NAT situation. So if it says Source and Destination in Wireshark, is that actually flipped in that case?

                          No. The source and destination are still the same.

                          If you pcap on WAN you will see the traffic outside the NAT of pfSense so you only ever see the pfSense WAN IP as the local address.

                          If you pcap on LAN you will see the internal client IPs that are sending and receiving.

                          • rasputinthegreatest @Gertjan

                            @Gertjan said in Normal traffic graph in "idle"?:

                            A Windows OS? You ever heard about telemetry data? The keylogger you installed on your PC

                            It's Ubuntu though ;)

                            @Gertjan said in Normal traffic graph in "idle"?:

                            What is that?

                            A website to check what is behind an IP. For example:
                            https://otx.alienvault.com/indicator/ip/34.149.144.89

                            @Gertjan said in Normal traffic graph in "idle"?:

                            That's your browser doing auto-captive-portal detection. This is destination port 80 TCP traffic, right?

                            Yep, port 80 traffic.

                            @Gertjan said in Normal traffic graph in "idle"?:

                            You were actually using all this stuff all the time. It's always a good thing to find out how things work.

                            I am still trying to figure things out. I haven't gotten into the packet capture part yet. Only superficially by checking Snort captures. I also googled what TCP Dup ACK is but I don't know if it is something to worry about or a normal occurrence. The last couple of days I saw 3 out of 5 Windows computers make outgoing connections to malicious IPs that are flagged on otx.alienvault and it makes me worried. Even on a fresh Windows install I had this happen by a service that should only communicate on LAN (Windows LanmanServer). I just blocked the whole IP range to be safe. It was also blocked by Snort with "ET INFO Packed Executable Download", Misc activity 3. I hope it's just a false positive.

                            @stephenw10 said in Normal traffic graph in "idle"?:

                            No. The source and destination are still the same.

                            Ok great. Thank you :)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.