
Author Topic: Traffic pattern analysis  (Read 1652 times)


Offline 0tt0

Traffic pattern analysis
« on: July 07, 2009, 05:03:33 am »
Haudi,

In one small network I manage I noticed a very high number of states last night, around 7000-8000 were numbers I saw. Normal numbers are in the hundreds for the network. At the time only one DHCP was active and although there are a group of servers on the network they appeared not to be busy. On the states page I filtered on the DHCP IP and 99% were belonging to that IP. And the number from the first page was indeed also reported back on the states page. I then looked at RRD graphs (today), see attached pics.

What type of traffic to/from one single host can produce such high number of states? Are there in practice any alternatives to torrent traffic?

Due to possible legality issues concerning torrent traffic I am quite interested in keeping usage on the network legal, since I cannot accept my servers being raided by Swedish anti-piracy stasi due to a teenager's downloading habits on the same network. Here (some) ISPs are actually refusing to hand out IP info to authorities (the law has to be rewritten to be able to force ISPs to do this, so in practice as of now the Pirate Bay case hasn't led to any other effect than actual strengthening of integrity for many Swedish users, http://integrity.st/) but I am nonetheless interested in keeping my own resources out of risk of theoretical collateral damage.

What means are there in pfs to examine traffic type etc? I know I can take a dump, save it and directly open it in Wireshark and that works very well, but perhaps there are some other tricks I could do.

Also, is there a limit to how large such a dump can be made, could I have it running for like 24 hrs and fetch GBs of data or would that break something? (I guess Wireshark could choke on the file size anyway perhaps..)

I have been running a few of the packages as well, like ntop, but some of them have not worked 100% on my 1.2.2, perhaps 1.2.3 will be better with packages?


TIA,

« Last Edit: July 07, 2009, 05:09:52 am by 0tt0 »
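The state-table triage described above (filter the states page on one IP, see who holds the states) can be scripted. The following is an added example, not code from this thread or from pfSense: it parses text in the shape of `pfctl -ss` output (the sample lines are constructed, with RFC 5737 addresses) and reports, per internal host, how many states it holds, how many distinct remote peers it talks to, and how many local ports it uses. A single host with thousands of states spread over many peers but only a couple of local ports is the pattern worth looking at more closely in a packet capture.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `pfctl -ss` output (not a real capture):
# "<if> <proto> <local>:<port> [-> | <-] <peer>:<port>  <state>", NAT part omitted.
SAMPLE_STATES = """\
all tcp 192.168.1.20:50123 -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:6881 -> 198.51.100.5:51413 MULTIPLE:MULTIPLE
all udp 192.168.1.50:6881 -> 198.51.100.6:20212 MULTIPLE:MULTIPLE
all udp 192.168.1.50:6881 -> 198.51.100.7:33000 MULTIPLE:MULTIPLE
all tcp 192.168.1.50:40001 -> 198.51.100.8:6881 ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:6881 -> 198.51.100.9:47001 MULTIPLE:MULTIPLE
all tcp 192.168.1.20:50124 -> 203.0.113.11:80 FIN_WAIT_2:FIN_WAIT_2
"""

# Left address is the local/gateway side for both directions; an optional
# "(nat-addr:port)" group may follow it. ICMP lines have no ports and are skipped.
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<local>[\d.]+):(?P<lport>\d+)"
    r"(?:\s+\([^)]*\))?\s+(?:->|<-)\s+(?P<peer>[\d.]+):(?P<pport>\d+)"
)

def parse_states(text):
    """Yield one dict per recognisable state line; unknown lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_by_host(text):
    """Per local IP: number of states, distinct peers, distinct local ports."""
    acc = defaultdict(lambda: {"states": 0, "peers": set(), "local_ports": set()})
    for s in parse_states(text):
        h = acc[s["local"]]
        h["states"] += 1
        h["peers"].add(s["peer"])
        h["local_ports"].add(s["lport"])
    return {ip: {"states": v["states"], "peers": len(v["peers"]),
                 "local_ports": len(v["local_ports"])} for ip, v in acc.items()}

def top_talker(text):
    """Return (ip, summary) for the host holding the most states."""
    summary = summarize_by_host(text)
    ip = max(summary, key=lambda h: summary[h]["states"])
    return ip, summary[ip]

if __name__ == "__main__":
    for ip, s in sorted(summarize_by_host(SAMPLE_STATES).items()):
        print(f"{ip:15} states={s['states']:4} peers={s['peers']:4} local_ports={s['local_ports']}")
```

On a real box, feed it the saved output of `pfctl -ss` instead of the constructed sample.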

submicron

Re: Traffic pattern analysis
« Reply #1 on: July 07, 2009, 10:48:23 am »
Please actually read the forums before asking your question.  This question has been asked and answered approximately 398729837973 times. 

Offline 0tt0

Re: Traffic pattern analysis
« Reply #2 on: July 07, 2009, 04:03:51 pm »
Always.

Search result is picky about input naturally and it's not always easy to know what key words have been mostly used in threads dealing with your specific problem (which you may or may not know since you may only see symptoms and your guesses as to what causes it may be incorrect and hence you use and search for the incorrect keywords) and what exact combination of words will yield that output with the truth...

Search for torrent and states only yields 2 pages of hits and not many seem closely relevant at first glance.

I previously only found one post that seemed 100% relevant (and have forgotten the search keyword to find it).

Thanx for your constructive reply.