[SOLVED] Undetected Traffic?

  • Hello all.

    I am having some trouble with my network. My connection is constantly pegged to capacity and I cannot find out what is causing the traffic. Looking at my WAN traffic graph I can see that the full 12Mbps is being used while no IP is accounting for it. The same is happening on the LAN traffic graph. Can anybody point me in a direction to look further?

  • LAYER 8 Global Moderator

    I would sniff and see what is there. Diag, packet capture.

  • If you have all firewall rules logging, that can sometimes show up what's using bandwidth.

    If you have your wan connection in a bridge modem configuration you can add a device between the modem/router in bridge mode and pfsense and packet capture, in case something has got into pfsense/freebsd, a new Mac virus was in the news today.

    You can also use HAproxy to do a MITM with encrypted data, check out HAproxy SSL bridging on how to set that up.

    If you have an Rpi lying around, something like this can be useful for unlimited packet capturing and running HAproxy http://williamknowles.co.uk/?p=16
    Hook up to an external HD or redirect the TCPDump output to another machine behind another firewall using Netcat, run HAproxy in full Debug mode which means compiling it yourself and add extra code to fill any gaps the debug output doesn't give you. If attempting this on a Rpi as many have them lying around, check out raspbian-ua-netinst, it's just core, network & ssh, got it clocking reliably at 1.1GHz with USB3-1Gbps usb nics handling plenty of bandwidth, 48MB ram used, no swap files all in Read Only mode thanks in part to modding things like cpu governors, schedulers and other tricks.

    If you have some other PC with Debian installed on it, much of the rpi links will still apply.

  • Found out it was just a server that was behaving abnormally. Rebooted the server and all is good  :-X

    Noticed it by looking through pfTop after logging into the console. Thanks for the help!
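
An added example, not part of the thread: one way to turn the text output of a packet capture into per-host byte totals, so the LAN address filling the link stands out even when the traffic graph attributes it to no IP. It assumes lines in the format printed by `tcpdump -nn -q`; the sample lines, the addresses and the `192.168.1.0/24` LAN range are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in `tcpdump -nn -q` text format (not real traffic).
SAMPLE = """\
12:00:01.000101 IP 192.168.1.50.445 > 203.0.113.7.51234: tcp 1448
12:00:01.000220 IP 192.168.1.50.445 > 203.0.113.7.51234: tcp 1448
12:00:01.000391 IP 203.0.113.7.51234 > 192.168.1.50.445: tcp 0
12:00:01.010000 IP 192.168.1.23.53211 > 198.51.100.9.53: UDP, length 41
12:00:01.020000 IP 198.51.100.9.53 > 192.168.1.23.53211: UDP, length 120
12:00:01.030000 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28
12:00:01.040000 IP 192.168.1.50.445 > 203.0.113.7.51234: tcp 1448
"""

# IPv4 address, optional ".port", then the TCP or UDP payload length.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r"(?:tcp|UDP, length) (?P<len>\d+)"
)

def top_talkers(text, lan="192.168.1.0/24", limit=5):
    """Return [(lan_host, bytes_sent, bytes_received)], busiest first."""
    net = ip_network(lan)  # assumed LAN range; adjust to the real one
    sent, recv = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and other lines are not counted
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the capture text
        size = int(m["len"])  # payload bytes, headers excluded
        if src in net:
            sent[str(src)] += size
        if dst in net:
            recv[str(dst)] += size
    rows = [(h, sent[h], recv[h]) for h in set(sent) | set(recv)]
    rows.sort(key=lambda r: (-(r[1] + r[2]), r[0]))
    return rows[:limit]

if __name__ == "__main__":
    for host, up, down in top_talkers(SAMPLE):
        print(f"{host:15} sent={up:>8} received={down:>8}")
```
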
