Get the time a connection is established to a destination IP? Detect VPN?



  • Hi,

    Is there a way to get the time for how long a connection to a destination IP has been established?
    I think this could make it possible for me to find connections which are VPN connections.

    So let's say a connection that has been established to the same destination IP for longer than 5 min is not a common HTTP or HTTPS connection. There could of course be some exceptions.

    So is there a way to do this from the pfSense webGUI or with some FreeBSD command-line code?

    Thanks



  • Perhaps you can use the firewall log to see when a connection is established, then check the state table (Diagnostics->States) to see if the connection is still open and do the math.

    But I wouldn't make the assumption that an http/https connection open longer than 5 minutes is inappropriate. Downloading a large file, for example.



  • @babtras:

    Perhaps you can use the firewall log to see when a connection is established, then check the state table (Diagnostics->States) to see if the connection is still open and do the math.

    Would be hardly possible I think because I have to check many many https connections and that would be really hard. But in theory this would work.  :)

    @babtras:

    But I wouldn't make the assumption that an http/https connection open longer than 5 minutes is inappropriate. Downloading a large file, for example.

    Generally you are right. But then I would regularly have a look at this connection, and if it is there every day then I can take a deeper look at it.

    I thought about a "top ten" of the longest established connections somewhere on pfsense GUI or on command line.



    I did some more searching on the internet for tips for the command line or other tools, but I did not find anything useful.

    So if there is someone who could give me some tips it would be really great.
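
Added example (not part of any post in this thread): a shell function that ranks pf states by age, which gives the "top ten" of longest-lived connections discussed above. It assumes the `age HH:MM:SS, ...` detail line that `pfctl -vs states` prints under each state; the function names and the sample states are constructed for illustration.

```shell
#!/bin/sh
# Rank pf states by age. Reads verbose state-table output on stdin.
# On the firewall:  pfctl -vs states | longest_states 300 10

longest_states() {
    min_age="${1:-300}"   # seconds; 300 = the 5-minute threshold from the thread
    top_n="${2:-10}"
    awk -v min="$min_age" '
        # State line starts in column 1: "all tcp SRC -> DST   STATE:STATE"
        /^[^ \t]/ { state = $0; next }
        # Indented detail line: "   age HH:MM:SS, expires in ..."
        $1 == "age" && state != "" {
            t = $2; sub(/,$/, "", t)
            split(t, p, ":")
            secs = p[1] * 3600 + p[2] * 60 + p[3]
            if (secs >= min) {
                # Drop interface and protocol, keep endpoints (incl. NAT) and state
                m = split(state, f, /[ \t]+/)
                rest = f[3]
                for (i = 4; i <= m; i++) rest = rest " " f[i]
                print secs, t, f[2], rest
            }
            state = ""
        }
    ' | sort -rn | head -n "$top_n"
}

# Constructed sample in the assumed output format (documentation addresses).
sample_states() {
    cat <<'EOF'
all tcp 192.168.1.10:51234 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 6  [1 + 65535] wscale 7
   age 02:30:15, expires in 23:59:58, 900:1200 pkts, 90000:180000 bytes, rule 75
all tcp 192.168.1.11:40000 -> 203.0.113.20:443       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 6  [1 + 65535] wscale 7
   age 00:01:05, expires in 23:59:50, 12:15 pkts, 1400:9000 bytes, rule 75
all udp 192.168.1.12:53000 -> 192.0.2.50:1194       MULTIPLE:MULTIPLE
   age 00:12:00, expires in 00:00:58, 400:410 pkts, 52000:61000 bytes, rule 75
EOF
}

# Columns: age in seconds, age, protocol, endpoints, state
sample_states | longest_states 300 10
```

Age alone only shortlists candidates: the packet and byte counters on the same detail line help separate a long download from a tunnel that is up every day.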

