How to monitor / sniff traffic out of a certain machine in detail.



  • It seems like my server is sending out a lot of data; I'm not sure if it's out onto the network or out to the internet. BandwidthD appears to be showing it's out on the inet, but I don't understand why, or what data.

    Are there any tools within PFSense that can aid me in trying to determine what is being sent out?

    I have scanned for viruses but nothing comes up.

    Thanks


  • LAYER 8 Netgate

    Switchport going to the machine in question mirrored to a switch mirror port going into a laptop with wireshark is what I would do.  Get at the traffic in question while it's isolated to the host in which you are interested.

    That or wireshark on the subject server, but who likes installing extra software on their servers?


  • Netgate Administrator

    Use the packet capture facility in pfSense filtered for just that machine. Feed the resulting file into wireshark for analysis.
    https://doc.pfsense.org/index.php/Sniffers,_Packet_Capture

    Steve



  • Easy solution is to install ntop from packages. It will tell you in detail out and in. (haz neet grafs)


  • LAYER 8 Netgate

    The reason I would use a mirror port over pfSense's packet capture is to be sure you're seeing everything on the NIC, including spoofed IPs, etc.


  • LAYER 8 Global Moderator

    And for what reason would pfsense packet capture not show you everything??


  • Netgate Administrator

    I agree that using a port mirrored to the suspect machine port will show you everything. Including traffic that never makes it to pfSense for whatever reason. It would also show if the traffic you think is coming from the server is actually coming from some other box(es) spoofing the IP, though you should be able to see that from the MAC.

    I would always start off using the packet capture in pfSense just because it's very easy to do. If you still have questions after that then set up a port mirror.

    Steve


  • LAYER 8 Global Moderator

    "Including traffic that never makes it to pfSense for whatever reason."

    But the issue is
    "bandwidthD it showing appears to be showing its out on the inet, but I don't understand why, or what data."

    So if bandwidthD is showing it on pfsense - then the traffic is making it to pfsense ;)


  • Netgate Administrator

    Indeed, and hence I would expect to be able to see what's going on here from the pfSense box. However it wouldn't show traffic the suspect machine might be sending to other local machines if there was some malware that had invaded multiple boxes. It potentially could be a number of machines all sending packets with the same IP/MAC. Unlikely I admit, but you wouldn't know from the pfSense box.

    Steve
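    The two things this thread keeps coming back to, tallying what the suspect machine is actually sending and to whom (Steve's "feed the resulting file into wireshark") and checking whether every frame carrying the server's IP really came from the server's MAC (the spoofing point raised above), can both be done on the capture file itself. The following is an added example and not code from the thread or from pfSense: a small classic-pcap reader that builds a constructed sample capture in memory (host `192.168.1.50` with MAC `aa:bb:cc:dd:ee:01`, plus one frame from a different MAC claiming the same IP, all hypothetical values), then reports outbound bytes per destination/port and lists every source MAC that used the suspect IP. Point `summarize()` at the bytes of a real `.pcap` from pfSense's packet capture page (or from a mirror-port capture) to get the same summary.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, src_port, dst_port, payload_len):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (20 B) or UDP (8 B) header."""
    payload = b"\x00" * payload_len
    transport = struct.pack("!HH", src_port, dst_port) + b"\x00" * (16 if proto == 6 else 4)
    total_len = 20 + len(transport) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
            + ip_hdr + transport + payload)


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (global header + one record each)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (orig_len, frame_bytes) for each record; handles both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, proto, dst_port) for an IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    src_mac = frame[6:12].hex(":")
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    dst_port = None
    tp = 14 + ihl
    if proto in PROTO_NAMES and len(frame) >= tp + 4:
        _src_port, dst_port = struct.unpack_from("!HH", frame, tp)
    return src_mac, src_ip, dst_ip, proto, dst_port


def summarize(pcap_bytes, host):
    """Outbound bytes per (dst_ip, proto, dst_port) for `host`, and every MAC that used its IP."""
    flows = defaultdict(int)
    macs_for_host = set()
    for orig_len, frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, proto, dst_port = parsed
        if src_ip != host:
            continue
        macs_for_host.add(src_mac)
        flows[(dst_ip, PROTO_NAMES.get(proto, str(proto)), dst_port)] += orig_len
    return dict(flows), macs_for_host


# Constructed sample capture: three TLS-sized frames to an internet host, one SMB frame to a
# LAN neighbour (pfSense would never see it), one DNS frame from a second MAC spoofing the
# server's IP, and one inbound frame that the summary ignores. All addresses are hypothetical.
SUSPECT = "192.168.1.50"
SERVER_MAC, ROUTER_MAC, NEIGHBOUR_MAC, ROGUE_MAC = (
    "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:20", "aa:bb:cc:dd:ee:99")
SAMPLE_PCAP = build_pcap(
    [build_frame(SERVER_MAC, ROUTER_MAC, SUSPECT, "203.0.113.10", 6, 50000, 443, 1400)] * 3
    + [build_frame(SERVER_MAC, NEIGHBOUR_MAC, SUSPECT, "192.168.1.20", 6, 50001, 445, 500),
       build_frame(ROGUE_MAC, ROUTER_MAC, SUSPECT, "198.51.100.7", 17, 40000, 53, 60),
       build_frame(NEIGHBOUR_MAC, SERVER_MAC, "192.168.1.20", SUSPECT, 6, 445, 50001, 100)])


def report(pcap_bytes=SAMPLE_PCAP, host=SUSPECT):
    flows, macs = summarize(pcap_bytes, host)
    for (dst_ip, proto, port), nbytes in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(f"{host} -> {dst_ip}:{port}/{proto}  {nbytes} bytes")
    print(f"source MACs seen for {host}: {sorted(macs)}")
    if len(macs) > 1:
        print("WARNING: more than one MAC is sending with this IP; something else is spoofing it")
    return flows, macs


if __name__ == "__main__":
    report()
```

The per-flow totals are what you would otherwise read off Wireshark's Conversations window; the MAC set is the check Steve describes for telling a genuine sender from another box borrowing its IP. A capture taken on pfSense will only ever show the first and third sample flows (the traffic that crosses the firewall), which is exactly the gap a mirror port or a local sniffer closes.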


  • LAYER 8 Global Moderator

    Valid point!!!

    If he doesn't have the ability to do span/mirror ports on his switch, he can just install, say, wireshark on the machine in question to see other traffic it might be sending that is not destined for the internet.

