Netgate Discussion Forum
    RRD Graphs strange traffic only error or something else

    General pfSense Questions
    devnull:

      Hi guys,

      I've been trying to wrap my head around this for a while but I can't seem to figure it out.

      At my school I set up PFS 1.2.3 as a gateway running on an HP U1 server that's got 6 NICs; the WAN connection is DHCP on a 1GB fiber line via a Cisco switch.
      NIC usage:
      1. nic = WAN
      2. nic = LAN
      3. nic = VLANS (Admin, Tel, Office, Class, Wifi)
      4. nic = WAN2
      5. & 6. nic = unused for now.

      Anyway, about a few weeks ago I started noticing a strange and very large amount of traffic showing up on the WAN interface but not showing up on any other interface. It's as if someone was downloading a few GB of something but the traffic is not going anywhere. Also there's no loss of quality on the quality graphs. It shows up at random intervals, lasts for a varying amount of time (between 1/2H and 1H) and shows up as a very large amount of traffic downloaded without stopping.

      So I was thinking it could be some kind of denial of service attack from WAN or something being downloaded onto the PFS. OK, if it's some kind of attack I can't know, or can I? But on the other hand the only thing that would show on the WAN and not on any other interface could be from Squid updating the cache for MS updates and AV updates. Would this account for the strange traffic, and if so why would some traffic for MS updates and AV updates still show from the PCs if squid is already downloading it to the cache?

      Anyway I'm attaching a screenshot of the RRD traffic; virtually the only traffic is on the LAN where I downloaded the latest Ubuntu image, but it's far from the traffic shown on the WAN interface.

      Any ideas?

      Thanks for the input
      Attachment: status_rrd_graph_img.jpg

      wallabybob:

        Does squid log its AV updates and Windows updates? Do the times match the time of the mystery traffic?

        Anything on any of the pfSense system logs (especially firewall) at the time of the mystery traffic?

        Does your ISP provide traffic graphs? Do these show a similar pattern?

        Is there a consistent time interval in which the mystery activity happens (e.g. between midnight and dawn)? Maybe you could run a few packet captures (say 50 to 100 packets) to get some snapshots which might include the mystery traffic.

        Have you talked with your ISP? Maybe it's some form of update being broadcast to their equipment and erroneously (or unnecessarily) forwarded to you.

        Do you have a cable connection (as distinct from xDSL)? You might be seeing broadcast traffic on your cable segment that involves some other system on your cable segment.

        devnull:

          Hi,

          I checked the squid logs in /var/squid/log/ but didn't find anything out of the ordinary (or maybe I just don't know what I'm looking for). I also checked the firewall logs but the logs for yesterday are already gone. I'll keep a lookout next time this happens.

          This is what I use for the squid cache update:

          refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
          refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
          refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
          range_offset_limit -1

          Our ISP does not provide any other service than just a 1GB DHCP internet connection (that will never be fully utilized) from a Cisco 3560 (configured by the ISP) over fiber. No logs, no graphs, so all I've got is the PFS. The ISP didn't provide me with any other information. They told me the problem was either someone is uploading to our IP or downloading at our location if there is traffic.

          I haven't been able to find consistency; there might be some but I can't see it. The only constant thing is that the traffic lasts from about 1/2H to about 1H and the traffic is consistent without any drops.

          How would I go about capturing packets? With PFS?

          I'll do another experiment next time this happens: I'll remove the squid settings and see if the traffic happens again.

          Thanks for the help.

          wallabybob:

            Depending on your shell scripting ability, you could

            • take a tcpdump on your WAN interface of (say) 20 packets with output redirected to a file, sleep 5 minutes, then repeat using an incremented file name (with leading zeroes so the names sort usefully). The RRD graph will show you which files are of interest. The tcpdump output will give you the source IP for the traffic. The port numbers may give you an idea what the traffic is attempting to do.

            • to help reduce the number of files, your script might watch the WAN interface statistics from netstat and only log after an interval of high traffic (# netstat -I em0 -b will give you bytes sent and received on em0).

            The FreeBSD man pages at http://www.freebsd.org/cgi/man.cgi will give more detailed information on tcpdump and netstat.

            Good hunting.

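The sampling script wallabybob sketches above, written out as an added example (it is not code from the thread or from the pfSense project): poll the WAN byte counter from netstat every five minutes, and only take a short tcpdump snapshot into a zero-padded file name after an interval of high traffic. The interface name em0 is the one used in the thread; the output directory, the byte threshold, the file naming and the 32-bit counter wrap handling are assumptions to adjust for your box. The netstat sample at the bottom is constructed so the parser can be exercised without a live system.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot WAN traffic only while it is high.
# Assumptions: pfSense/FreeBSD sh, netstat and tcpdump available, em0 is the WAN NIC.

WAN_IF="${WAN_IF:-em0}"                     # WAN interface name (em0, as in the thread)
OUT_DIR="${OUT_DIR:-/var/tmp/wanwatch}"     # assumed output directory
INTERVAL="${INTERVAL:-300}"                 # poll every 5 minutes, as suggested
THRESHOLD="${THRESHOLD:-50000000}"          # bytes received per interval that count as "high" (assumed)
PKT_COUNT="${PKT_COUNT:-20}"                # packets per snapshot

# Pull the Ibytes counter of the link-level line out of `netstat -I <if> -b`
# output read from stdin. The column index is looked up in the header line, so
# the function works whether or not the release prints an Idrop column.
ibytes_from_netstat() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "Ibytes") col = i; next }
         col > 0 && $3 ~ /^<Link/ { print $col; exit }'
}

# Zero-padded file name so that ls lists the snapshots in capture order.
capture_file_name() {
    printf '%s/wan-%04d.txt\n' "$1" "$2"
}

# Succeeds when the bytes received between two samples reach the threshold.
# Older FreeBSD releases keep 32-bit counters, so a negative delta is treated
# as a single wrap-around (assumption).
is_high_traffic() {
    hi_delta=$(($2 - $1))
    if [ "$hi_delta" -lt 0 ]; then
        hi_delta=$((hi_delta + 4294967296))
    fi
    [ "$hi_delta" -ge "$3" ]
}

# Constructed sample of `netstat -I em0 -b` output (older layout without Idrop),
# used by self_check so the parser can be tried without a live box.
SAMPLE_NETSTAT='Name    Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
em0    1500 <Link#1>      00:0c:29:aa:bb:cc  1234567     0 1234567890   654321     0  987654321     0
em0       - 192.0.2.0/24  192.0.2.10         1234000     -  123000000   653000     -  980000000     -'

self_check() {
    printf '%s\n' "$SAMPLE_NETSTAT" | ibytes_from_netstat
}

# Main loop: sample the counter, snapshot only after a high-traffic interval.
capture_loop() {
    mkdir -p "$OUT_DIR"
    seq_no=1
    prev=$(netstat -I "$WAN_IF" -b | ibytes_from_netstat)
    while :; do
        sleep "$INTERVAL"
        cur=$(netstat -I "$WAN_IF" -b | ibytes_from_netstat)
        if is_high_traffic "$prev" "$cur" "$THRESHOLD"; then
            out=$(capture_file_name "$OUT_DIR" "$seq_no")
            # -n skips DNS lookups; -c stops after PKT_COUNT packets. The date on
            # the first line lets each file be matched against the RRD graph.
            { date; tcpdump -n -i "$WAN_IF" -c "$PKT_COUNT"; } > "$out" 2>&1
            seq_no=$((seq_no + 1))
        fi
        prev=$cur
    done
}

# Only start the loop when asked for explicitly, so the helpers can also be
# sourced and reused:  WANWATCH_RUN=1 sh wanwatch.sh
case "${WANWATCH_RUN:-0}" in
    1) capture_loop ;;
esac
```

Run it in the background with WANWATCH_RUN=1 and compare the timestamps in the capture files against the RRD WAN graph; the source addresses and ports in the matching files are what to look at next. Tune THRESHOLD to the counter growth you see on a quiet interval so ordinary browsing does not trigger a snapshot.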
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.