View source & destination IP address for traffic

keith_opswat · Jun 8, 2011, 11:04 PM

Hi,

I'm not 100% sure whether this should be here or General questions. Also, I tried to search for this but wasn't sure how to word it. So if this is a common question I apologize and please feel free to verbally berate me.

Anyways, I switched from a Cisco ASA 5505 and on it's GUI I could get a graph that would show me both the source & destination IP address.

When I see a large amount of bandwidth by a user on our LAN right now I can only see what the LAN IP is and figure out what user it is. However, I can't see the destination to figure out where it's going. Hopefully I'm explaining this right…

Is there a package that I missed that can give me this in realtime or some option I need to turn on? It would be really nice to see that there is say 9.3 Mbps of data coming to my LAN IP address of 192.168.1.15 but it's coming from IP address 73.212.52.12 or something like that. Because before on my Cisco I could look it up and figure out oh it's Microsoft Update... Or they're streaming something from Netflix.

Thanks in advance and please let me know if you need anymore info.

Metu69salemi · Jun 9, 2011, 5:47 AM

If this helps, your missing hostwatch(as watchguard, names that feature)
I haven't seen that in pfsense, but i didn't use time to look it.

Gloom · Jun 9, 2011, 11:25 AM

I think NTOP is what you are looking for. Not sure of it's current state on RC2

You could also look at the states table under Diagnostics and just filter on the IP to see the flows. It won't give you the amount of data but it will tell you where it's coming from.

Nachtfalke · Jun 9, 2011, 8:51 PM

I have a similar "problem".
I could filter the source IP in the states but it'n not realtime so you can not be sure if the destination IP is the IP which causes high traffic or if the user has many connections open.

The Traffic Graph shows really good the source IP but it would be really nice if you could watch the destination IP.

But a workaround could be:
Use packet capture and capture all traffic from the source IP and then you will see to which destination IPs the source IP will connect.

Perhaps sometimes a DNS lookup of the destination IPs will help, too.

phospher · Jun 10, 2011, 3:44 AM

check out iftop. works great.

stephenw10 · Jun 10, 2011, 11:52 AM

@phospher:

check out iftop. works great.

Wow, that's a great tool! How have I missed that in the past.
Thanks. ;D

Steve

keith_opswat · Jun 10, 2011, 4:42 PM

Oh yeh.. I had that installed on my test PFSense box… Never re-installed it after I moved it into productions.

Thanks. Will check that out again soon.

Nachtfalke · Jun 10, 2011, 7:24 PM

Is iftop a pfsense package ?
I didn't find it in amd64 RC-2

phospher · Jun 10, 2011, 7:27 PM

No it's not a package that you can add through the pfsense gui. But from the shell```
pkg_add -r iftop

Nachtfalke · Jun 10, 2011, 7:42 PM

thx