Figure out users uploads

  • We have about 30 users at our office and I'm just trying to keep an eye on people using too much bandwidth and slowing it down for everyone else. I've noticed a user using alot of upload like all the time. I went into BandwidthD to see their usage and just in the last 3 days 10Gb's up, this month 25Gb up. I asked them if they had any type of Dropbox or Google drive, even torrent software installed. Dropbox was installed but the user said they havent used it much and actually me going to their computer and looking at dropbox it wasnt syncing.

    The machine is Mac Pro about a few years old, I verfied the IP address and it matches up so I know I have the right machine. So I'm having trouble figuring out what they are doing to use so much bandwidth. I've put a limiter on their IP which helps a little but I need to figure out what the machine is doing and stop it.

    Is there something in the background that could be running? I'm not the greatest at OSX but from what I can tell nothing is running.

    Anyway addons to tell whats going on?

  • I am sure there are a couple of ways. Some come to mind, but I think this is the wrong forum for such a question.
    Using pfSense, you can see what IPs it is going to. A netstat on the machine with appropriate flags could clue you into the program doing it. (No idea what they are .. I don't use MAC.)

  • @nutt318:

    I need to figure out what the machine is doing and stop it.

    1. You could do a pfSense packet trace (through the web GUI or tcpdump shell command) on the interface the MAC connects to and filter on the MAC's IP address.

    2. You could add a pfSense firewall rule to pass and log connections from the MAC then look through the pfSense filter log.

    3. You could add a pfSense package to generate flow records, collect the flow records on another system, export to a CSV file, import into a spreadsheet program and then sort on suitable key (e.g. IP address then bytes sent).

    I would start with 1 to see what is going on. That might provide enough information for your purpose.

  • Thanks for the help so I've found these IP's to always having a connections and after making a rule on the WAN to block these they still reconnect. Any ideas?

    tcp <- <- 10.X.X.X:63769 FIN_WAIT_2:FIN_WAIT_2
    tcp <- <- 10.X.X.X:63776 ESTABLISHED:ESTABLISHED
    tcp <- <- 10.X.X.X:63793 ESTABLISHED:ESTABLISHED

  • LAYER 8 Global Moderator

    you need to make sure you reset the states if you put in a block rule, if there is a state there already.

  • I've reset the states but I still continue to see those IP's having connections. Here are my rules, should this work?

  • LAYER 8 Global Moderator

    NO!  If you want to block outbound connections they need to be on the LAN side.  What those rules says is something from those networks can not create a session to your IP.  But they are not creating the session, your side is creating the session.  Those bottom 2 rules with dst networks are completely meaningless since your pfsense box does not have those networks on its wan interface - does it.

    Move those to the top of your lan rules as dst networks and the source would be the IP(s) on your lan or or your whole lan if you don not want access to them.  Wan rules have default deny on them for inbound.  So normally you would only need allow on there say if you wanted only IP address to be able to ssh to you.  Or you want to allow icmp, etc.  You would use deny on there as ways of preventing specific creation of access.  But unless you have rules on the lan side your lan side can create the connection.

    Rules are evaluated as inbound to the interface not outgoing.  If you want to prevent access to a network from your clients the rules would go on your lan side or other interface they are accessing pfsense from.  So for example you did not want dmz client to go to specific network then you would put that rule on your dmz tab.  If you don't want lan clients going somewhere you put that on your lan tab.

    So if on a lan rule you put source as your lan segment if you want to block everyone, or if you wanted to say just block from accessing then any port would be source, and dst would be or whole netblock if you want and dst port would be either just 80 or any, etc..  Now as packet comes in from to pfsense lan interface that says hey my dest is, pfsense would block the traffic.  Now client on can never create a session to

  • Thank you for explaining that, I think I figure out it out now. But somehow I'm still seeing open states even though I cleared them to this IP range. I've search for this IP and noticed a lot of machines are going to this IP and I cannot figure out what it is.

  • LAYER 8 Global Moderator

    If you cleared states after you have put in that block.  Are you sure that your lan net is correct… You might want to replace the lan net source with any.

    If your trying to figure out what it is, look on a machine that is creating the connection and what binary is creating it. If windows simple enough to do with netstat -anb to see what process is creating the connection.  On linux box netstat -p should should you the pid of the what is making the connections.

    Do a sniff to see what is contained in the traffic.

    You sure the connections are not going down say that sprinttunnel interface or from dmz?  You sure the outbound connections are hitting the lan interface?

  • I've changed it to Any and it looks from watching the traffic graph that it is still not being affected. The machine in question is a Mac Pro desktop and when ever the user is on the machine during working hours theres a lot of uploading from their IP. I've gone to the machine once physically to double check that it is the correct IP and it is, so I know I've got the right person. Anyways here is the BandwidthD graph from just today, there is a lot of upload and it needs to stop. The user says there not doing anything and I cant see anything running on the machine that would cause this.

    I know that the user is on the LAN connection, the Sprint is a Tunnel VPN to another network and the DMZ is a seperate network for some DEV servers in the server room.

    When you say sniff, should I just run a packet capture on their IP from within pfSense or are you suggesting another way?

    Thanks for all the help!

  • LAYER 8 Global Moderator

    lot of upload - there is one tiny little spike between 9 and 10 am this morning..  Today is the 14th.

    You can sniff right on pfsense for the traffic from their IP.. No reason to go to their machine unless the traffic would not be going to pfsense, ie lan to lan traffic.  But if what your worried about is internet then pfsense has to see it - right ;)

    And that graph is showing you the traffic from their ip to a specific destination?  Or all your traffic to a specific dst.  I don't see any current traffic on that graph.

    If you blocked it on pfsense (correctly) and cleared the states, then its not possible for the traffic to be getting past pfsense.

    You stated their were A lot of machines
    "noticed a lot of machines are going to this IP"

    So do you have only this one mac client generating traffic to these networks your trying to block?  Or more than 1 lan clients?  Mac  you can do the same thing, not sure if you can see processes involved with netstat version on OS X, but you should be able to use the lsof command for this.

    You really should be interested in finding what is making the connection on the box(es) – maybe its legit, maybe its not?  on the couple of ips you listed that were to port 80, you would think http - but they respond with not http sort of data when you do a wget to them on that port.  And I show the being owned by

    organisation:    ORG-EdPe1-RIPE
    org-name:        Entreprise des Postes et Telecommunications
    org-type:        LIR
    address:        Entreprise des P&T
                    2, rue Emile Bian
                    2999 Luxembourg

  • Well its basically just 1 user that is consistantly showing around 4-5gb of upload a day. From the time stamps its only when the user is at work, not like something is running while he is at home.

    My main goal is to find out if this traffic is legit or not, so if I do a packet capture, how long do I let it run for; besides wireshark are there any other tools to actually tell what is going on?

  • LAYER 8 Global Moderator

    you can do the capture on pfsense, and sure use wireshark to look at the capture.  Let it run for say 100 packets with the destination netblock in the host field..  if your saying his moving that about of traffic should only take a couple of seconds to get the packets.

    But would really look to see what process on his box is creating the connections.  lsof should be able to tell you that on his machine.  Once you no what process is doing it, you can stop it at the source of the problem.

    4-5gb a day on the upload side??  Yeah I would be really curious about that as well.

  • Netgate Administrator


    lsof should be able to tell you that on his machine.

    Nice, fact learnt for today!  :)


  • So after running a packet capture and looking at it in Wireshark is there a way I can tell what destination or IP is cosuming the most bandwidth?

  • LAYER 8 Global Moderator

    sure you can look at the wireshark stats under converstations

    example - quick 2 second capture on my workbox

  • perfect, thank you!

    Well it looks like i've found out the souce on where the traffic was going. It is our email hosting provider, which is strange to me. Now I need to check with the user and see if something is stuck trying to send in their outbox.

  • LAYER 8 Global Moderator

    really?  Must be one huge email, or maybe they are infected sending spam?  Or maybe it keeps trying to send same email and failing?

    Once you figure out please post, got me curious ;)

  • Netgate Administrator

    My money's on spam.  ;)
    Though you might expect the provider to have notified you.


Log in to reply