Good day!
This might seem a stupid question, as it is, but some time back I seem to recall an app in ClearOS that would allow you to watch traffic to/from a specific internal IP. Is that something that is still available? Would I need to install some dependency to see it in 'The Marketplace' or is just a command line app I am thinking of.
In any case, what is the best method to watch traffic to/from a specific IP within the LAN. I am not using the proxy server and there might be an app for use with that.
Thanks!!
John
Responses (10)
Accepted Answer
Peter B wrote:
> Hi Nick,
> I'll get more information on the "Digest not found" messages in the logs.
> Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad.
> According to Wikipedia, the BBC iPlayer had peer-to-peer support about a decade ago, but that's no longer the case. BitTorrent is definitely a tricky little encrypted protocol, so it could be a false positive. Go to the Flows > Stream page in the Netify portal. Open up the Filters widget and make sure:
> - BitTorrent is selected as the protocol
> - The iPad is selected as the device
> Do you see a large number of flows?
That is how I found it. I was just surprised to find BitTorrent.
Accepted Answer
Hi Nick,
I'll get more information on the "Digest not found" messages in the logs.
Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad.
According to Wikipedia, the BBC iPlayer had peer-to-peer support about a decade ago, but that's no longer the case. BitTorrent is definitely a tricky little encrypted protocol, so it could be a false positive. Go to the Flows > Stream page in the Netify portal. Open up the Filters widget and make sure:
- BitTorrent is selected as the protocol
- The iPad is selected as the device
Do you see a large number of flows?
Accepted Answer
Hi Peter,
I have a couple of questions. I've been logged into Netify for about 30 min, and I am seeing the following in the logs:
Nov 22 17:13:51 server netifyd[720]: nd-conntrack: [U:2437240128] Digest not found in flow map.
Nov 22 17:14:52 server netifyd[720]: nd-conntrack: [U:3942254144] Digest not found in flow map.
Nov 22 17:15:52 server netifyd[720]: nd-conntrack: [U:2535011648] Digest not found in flow map.
Nov 22 17:16:52 server netifyd[720]: nd-conntrack: [U:1600467648] Digest not found in flow map.
Nov 22 17:17:52 server netifyd[720]: nd-conntrack: [U:269099328] Digest not found in flow map.
Nov 22 17:18:53 server netifyd[720]: nd-conntrack: [U:3063242752] Digest not found in flow map.
Nov 22 17:19:53 server netifyd[720]: nd-conntrack: [U:2241623360] Digest not found in flow map.
Nov 22 17:20:53 server netifyd[720]: nd-conntrack: [U:3567994752] Digest not found in flow map.
Nov 22 17:21:54 server netifyd[720]: nd-conntrack: [U:2700552384] Digest not found in flow map.
I think it only started once I logged in.
Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad. He does not have a BitTorrent client installed, but he is constantly streaming from YouTube or watching BBC iPlayer. I just saw him and he is currently watching iPlayer. Do you know if the iPlayer uses BitTorrent? I didn't think it did.
Accepted Answer
Hi guys,
The installation guide can be found in the latest blog post about tools for network visibility. You'll find the documentation on the Netify Console tool here.
Unfortunately, the console tool does not have the option to filter on a particular IP address. However, feel free to install the Netify app in the ClearOS Marketplace and use the 7-day free trial. No strings attached. You can then use the filter criteria to drill down into the data. For example, the attached screenshot shows traffic from my Samsung TV from 3:00 am to 5:00 am. That gld.push.sumsungosp.com looks mighty suspicious... what are you uploading Mr. TV?
Please keep in mind that each of the rows in the screenshot (and the Netify Console tool) represents a "conversation" (aka flow). For example, you would only see one entry for a Netflix stream, not tens of thousands of entries that you would see from tcpdump and other packet tools. You can then zoom in on any of the conversations to see byte counters, packet counters, network information, security details and more. Here are some Netify flow details that I saw from the same Samsung TV on my home network. In this particular case, the flow is using an old and insecure security protocol -- RC4. Really Samsung?
Well... that turned into a bit of Samsung bashing even though I own and enjoy their TVs, mobiles and tablets. Of course, most device manufacturers are guilty of the same shenanigans, I just happen to use Samsung as an example. And don't get me started on mobile apps and marketers ... shudder.
Accepted Answer
You could do something quick and dirty with the firewall. A rule something like:

    iptables -I FORWARD -s your_camera_LAN_IP -m conntrack --ctstate NEW -j LOG

If you like it change "iptables" to "$IPTABLES" and use it as a custom firewall rule. You can do even better, perhaps with:

    iptables -I FORWARD -s your_camera_LAN_IP -m conntrack --ctstate NEW -j LOG --log-prefix "Stairs camera"

Which will add the string "Stairs camera" to the log.
Logging goes to /var/log/messages by default. If I ever do logging, I split the logs out with an rsyslog configlet, /etc/rsyslog.d/anything_you_like.conf and in it I put:

    # Split out Firewall messages
    if $programname == 'kernel' and $msg contains 'IN=' and $msg contains 'OUT=' then -/var/log/firewall
    & stop

It is a bit Mickey Mouse but it works. Restart rsyslog after making changes.
You then need a logrotate configlet to stop the file growing forever. I have the following in /etc/logrotate.conf:

    # rotate the firewall, openvpn, docker dnsmasq and dnsmasq-dhcp log
    /var/log/firewall /var/log/openvpn /var/log/dnsmasq-dhcp /var/log/dnsmasq /var/log/docker /var/log/clearglass {
        notifempty
        missingok
        copytruncate
        create 0664 root root
        rotate 4
    }

This is because I do a lot of message splitting! Alternatively you can put the configlet in /etc/logrotate.d
Other things to look at in the firewall rule:
- add "-o your_WAN_interface" so you only log traffic exiting your LAN
- don't log ntp, but this means separate rules for udp ("-p udp" or "! -p tcp") and tcp ("-p tcp ! --dport 123") or add NTP to ClearOS and use ClearOS as your camera's time server.
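Once the LOG rule above is writing kernel lines into /var/log/firewall, the next question is what to do with them. The script below is an added example, not code from this post or from ClearOS: it reads kernel LOG lines, keeps the ones whose SRC is the camera, and summarises the destination host and port of every new connection, then lists the destinations that are neither NTP (123) nor HTTPS (443), which is where a camera "talking where it shouldn't" would show up. The camera address 192.168.1.50, the interface names and all of the log lines are constructed for the example; "benign" ports are an assumption you should adjust for your own cameras. One caveat the original rule does not mention: the LOG target prepends --log-prefix verbatim, so without a trailing space the prefix runs straight into "IN=" (the sample lines use "Stairs camera: " for that reason).

```bash
#!/bin/bash
# Summarise where a LAN camera opens connections to, from kernel LOG lines as
# produced by an iptables rule such as:
#   iptables -I FORWARD -s 192.168.1.50 -m conntrack --ctstate NEW -j LOG --log-prefix "Stairs camera: "
# In real use feed it the file rsyslog splits out, e.g. /var/log/firewall.
# NOTE: the iptables LOG target prepends --log-prefix verbatim, so give the
# prefix a trailing space or it runs straight into the "IN=" field.

CAMERA_IP="${CAMERA_IP:-192.168.1.50}"   # assumed LAN address of the camera

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG='Nov 22 17:13:51 server kernel: Stairs camera: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=50123 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 22 17:14:02 server kernel: Stairs camera: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=50124 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 22 17:14:30 server kernel: Stairs camera: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=40000 DPT=123 LEN=58
Nov 22 17:15:11 server kernel: Stairs camera: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.44 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=TCP SPT=50130 DPT=32100 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 22 17:15:40 server kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=5000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# camera_flows [ip]: read log text on stdin and print "count proto dst dport",
# most frequent destination first. Only lines whose SRC= is the camera count,
# so other LAN hosts logged by a broader rule are ignored.
camera_flows() {
    local ip="${1:-$CAMERA_IP}"
    awk -v ip="$ip" '
        {
            src = proto = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # tokens without "=" (DF, SYN) are skipped
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src == ip && dst != "") n[proto " " dst " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# camera_unexpected [ip]: destinations on ports other than 123 (NTP) and
# 443 (HTTPS), the two a camera can legitimately need. Prints "proto dst dport".
# Which ports are "expected" is an assumption; tune it per device.
camera_unexpected() {
    camera_flows "$1" | awk '$4 != "123" && $4 != "443" { print $2, $3, $4 }'
}

# Run with --demo to see the summary for the constructed sample above;
# otherwise pipe a real log in:  camera_unexpected < /var/log/firewall
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | camera_flows
    echo "--- not NTP/HTTPS ---"
    printf '%s\n' "$SAMPLE_LOG" | camera_unexpected
fi
```

Because the rule only logs conntrack NEW packets, each line is one new connection rather than one packet, so the counts are comparable to the per-flow view the Netify tools give. On the sample, the only destination outside 123/443 is 198.51.100.44 on TCP 32100; that is the kind of entry worth resolving and looking up before deciding whether the camera should be allowed out at all.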
Accepted Answer
> If you are just trying to watch traffic in real time, or track down some shenanigans from a particular device, then the Netify Console tool might help - see attached screenshot. That tool can be used to show every single conversation happening between the device on your network and the Internet. The console tool is open source and free. If you're interested, please let me know -- I can write up an install howto.
Hi Peter!
I am not a business anymore at all, just retired. I am trying to keep track of some Foscam and some other Chinese cameras and whether or not they are "talking" where/when they shouldn't be. The screen shot looks good, much more informative than iptraf. If you have the time I'd love to know how to install the open source version, which is all I need.
Thanks so much!
John
Accepted Answer
Hi John,
Yes, the old "network detail report" from ClearOS 6 was the app in question. It was a front end for the pmacct project. Yours truly was responsible for that app, but it turned out to be too resource intensive
If you're a business, then (shameless plug!) Netify Network Intelligence might be a worth look - that's one of the products that we are currently working on and we just released it for ClearOS. Here's the ClearCenter announcement.
If you are just trying to watch traffic in real time, or track down some shenanigans from a particular device, then the Netify Console tool might help - see attached screenshot. That tool can be used to show every single conversation happening between the device on your network and the Internet. The console tool is open source and free. If you're interested, please let me know -- I can write up an install howto. -
Accepted Answer
I think there was another report, the network detail report, but in 6.x it was withdrawn as it generated too much traffic for the system database to cope with and it could bring your system down. It is available from the command line in 7.x but it is dangerous.