Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to monitor / sniff traffic out of a certain machine in detail.

    Scheduled Pinned Locked Moved General pfSense Questions
    10 Posts 5 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      nambi
      last edited by

      It seems like my server is sending out a lot of data not sure if it's out onto the network or out to the internet, bandwidthD it showing appears to be showing its out on the inet, but I don't understand why, or what data.

      Are there any tools within PFSense that can aid me in trying to determine what is being sent out?

      I have scanned for viruses but nothing comes up.

      Thanks

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        Switchport going to the machine in question mirrored to a switch mirror port going into a laptop with wireshark is what I would do.  Get at the traffic in question while it's isolated to the host in which you are interested.

        That or wireshark on the subject server, but who likes installing extra software on their servers?.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          Use the packets capture facility in pfSense filtered for just that machine. Feed the resulting file into wireshark for analysis.
          https://doc.pfsense.org/index.php/Sniffers,_Packet_Capture

          Steve

          1 Reply Last reply Reply Quote 0
          • F Offline
            filament
            last edited by

            easy solution is install ntop from packages.  will tell you in detail out and in. (haz neet grafs)

            1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by

              The reason I would use a mirror port over pfSense's packet capture is to be sure you're seeing everything on the NIC, including spoofed IPs, etc.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

                And for what reason would pfsense packet capture not show you everything??

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  I agree that using a port mirrored to the suspect machine port will show you everything. Including traffic that never makes it to pfSense for whatever reason. It would also show if the traffic you think is coming from the server is actually coming from some other box(es) spoofing the IP, though you should be able to see that from the MAC.

                  I would always start off using the packet capture in pfSense just because it's very easy to do. If you still have questions after that then setup a port mirror.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    "Including traffic that never makes it to pfSense for whatever reason."

                    But the issue is
                    "bandwidthD it showing appears to be showing its out on the inet, but I don't understand why, or what data."

                    So if bandwidthD is showing it on pfsense - then the traffic is making it to pfsense ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      Indeed and hence I would expect to able to see what's going on here from the pfSense box. However it wouldn't show traffic the suspect machine might be sending to other local machines if there was some malware that had invaded multiple boxes. It potentially could be a number of machines all sending packets with the same IP/MAC. Unlikely I admit but you wouldn't know from the pfSense box.

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Valid point!!!

                        If doesn't have the ability to do span/mirror ports on his switch - can just install say wireshark on the machine in question to see other traffic it might be sending that is not dest internet.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.