
Resolved
0 votes
Good day!

This might seem a stupid question, as it is, but some time back I seem to recall an app in ClearOS that would allow you to watch traffic to/from a specific internal IP. Is that something that is still available? Would I need to install some dependency to see it in 'The Marketplace', or is it just a command line app I am thinking of?

In any case, what is the best method to watch traffic to/from a specific IP within the LAN. I am not using the proxy server and there might be an app for use with that.

Thanks!!

John
Thursday, November 14 2019, 08:15 PM

Accepted Answer

Thursday, November 14 2019, 08:51 PM - #Permalink
Resolved
0 votes
The Network Visualiser is all we really have and it is not brilliant as it is per port and can't be filtered. You can try ntop/ntop-ng. I think it clashes with one of the other reports for some reason. Or there are other programs like iptraf.
Responses (10)
  • Accepted Answer

    Friday, November 22 2019, 08:52 PM - #Permalink
    Resolved
    0 votes
    Peter B wrote:

    Hi Nick,

    I'll get more information on the "Digest not found" messages in the logs.

    Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad.


    According to Wikipedia, the BBC iPlayer had peer-to-peer support about a decade ago, but that's no longer the case. BitTorrent is definitely a tricky little encrypted protocol, so it could be a false positive. Go to the Flows > Stream page in the Netify portal. Open up the Filters widget and make sure:

    - BitTorrent is selected as the protocol
    - The iPad is selected as the device

    Do you see a large number of flows?
    That is how I found it. I was just surprised to find BitTorrent.
  • Accepted Answer

    Peter B
    Friday, November 22 2019, 08:21 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I'll get more information on the "Digest not found" messages in the logs.

    Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad.


    According to Wikipedia, the BBC iPlayer had peer-to-peer support about a decade ago, but that's no longer the case. BitTorrent is definitely a tricky little encrypted protocol, so it could be a false positive. Go to the Flows > Stream page in the Netify portal. Open up the Filters widget and make sure:

    - BitTorrent is selected as the protocol
    - The iPad is selected as the device

    Do you see a large number of flows?
  • Accepted Answer

    Friday, November 22 2019, 05:54 PM - #Permalink
    Resolved
    0 votes
    Hi Peter,
    I have a couple of questions. I've been logged into Netify for about 30 min, and I am seeing the following in the logs:
    Nov 22 17:13:51 server netifyd[720]: nd-conntrack: [U:2437240128] Digest not found in flow map.
    Nov 22 17:14:52 server netifyd[720]: nd-conntrack: [U:3942254144] Digest not found in flow map.
    Nov 22 17:15:52 server netifyd[720]: nd-conntrack: [U:2535011648] Digest not found in flow map.
    Nov 22 17:16:52 server netifyd[720]: nd-conntrack: [U:1600467648] Digest not found in flow map.
    Nov 22 17:17:52 server netifyd[720]: nd-conntrack: [U:269099328] Digest not found in flow map.
    Nov 22 17:18:53 server netifyd[720]: nd-conntrack: [U:3063242752] Digest not found in flow map.
    Nov 22 17:19:53 server netifyd[720]: nd-conntrack: [U:2241623360] Digest not found in flow map.
    Nov 22 17:20:53 server netifyd[720]: nd-conntrack: [U:3567994752] Digest not found in flow map.
    Nov 22 17:21:54 server netifyd[720]: nd-conntrack: [U:2700552384] Digest not found in flow map.
    I think it only started once I logged in.

    Also, more relevant to the thread, I am seeing a load of BitTorrent on my 9 year-old's iPad. He does not have a BitTorrent client installed, but he is constantly streaming from YouTube or watching BBC iPlayer. I just saw him and he is currently watching iPlayer. Do you know if the iPlayer uses BitTorrent? I didn't think it did.
  • Accepted Answer

    Peter B
    Friday, November 22 2019, 04:27 PM - #Permalink
    Resolved
    1 votes
    Hi guys,

    The installation guide can be found in the latest blog post about tools for network visibility. You'll find the documentation on the Netify Console tool here.

    Unfortunately, the console tool does not have the option to filter on a particular IP address. However, feel free to install the Netify app in the ClearOS Marketplace and use the 7-day free trial. No strings attached. You can then use the filter criteria to drill down into the data. For example, the attached screenshot shows traffic from my Samsung TV from 3:00 am to 5:00 am. That gld.push.sumsungosp.com looks mighty suspicious... what are you uploading Mr. TV?

    Please keep in mind that each of the rows in the screenshot (and the Netify Console tool) represents a "conversation" (aka flow). For example, you would only see one entry for a Netflix stream, not tens of thousands of entries that you would see from tcpdump and other packet tools. You can then zoom in on any of the conversations to see byte counters, packet counters, network information, security details and more. Here are some Netify flow details that I saw from the same Samsung TV on my home network. In this particular case, the flow is using an old and insecure security protocol -- RC4. Really Samsung?

    Well... that turned into a bit of Samsung bashing even though I own and enjoy their TVs, mobiles and tablets. Of course, most device manufacturers are guilty of the same shenanigans, I just happen to use Samsung as an example. And don't get me started on mobile apps and marketers ... shudder.
  • Accepted Answer

    Peter B
    Monday, November 18 2019, 08:09 PM - #Permalink
    Resolved
    0 votes
    I'll write up an install howto this week. Stay tuned!
  • Accepted Answer

    Peter B
    Monday, November 18 2019, 08:08 PM - #Permalink
    Resolved
    1 votes
    I'll write up an install howto this week... stay tuned!
  • Accepted Answer

    Saturday, November 16 2019, 10:19 AM - #Permalink
    Resolved
    0 votes
    You could do something quick and dirty with the firewall. A rule something like:
    iptables -I FORWARD -s your_camera_LAN_IP -m conntrack --ctstate NEW -j LOG
    If you like it, change "iptables" to "$IPTABLES" and use it as a custom firewall rule. You can do even better, perhaps with:
    iptables -I FORWARD -s your_camera_LAN_IP -m conntrack --ctstate NEW -j LOG --log-prefix "Stairs camera"
    Which will add the string "Stairs camera" to the log.

    Logging goes to /var/log/messages by default. If I ever do logging, I split the logs out with an rsyslog configlet, /etc/rsyslog.d/anything_you_like.conf and in it I put:
    # Split out Firewall messages
    if $programname == 'kernel' and $msg contains 'IN=' and $msg contains 'OUT=' then -/var/log/firewall
    & stop
    It is a bit Mickey Mouse but it works. Restart rsyslog after making changes.

    You then need a logrotate configlet to stop the file growing forever. I have the following in /etc/logrotate.conf:
    # rotate the firewall, openvpn, docker dnsmasq and dnsmasq-dhcp log
    /var/log/firewall /var/log/openvpn /var/log/dnsmasq-dhcp /var/log/dnsmasq /var/log/docker /var/log/clearglass {
    notifempty
    missingok
    copytruncate
    create 0664 root root
    rotate 4
    }
    This is because I do a lot of message splitting! Alternatively you can put the configlet in /etc/logrotate.d

    Other things to look at in the firewall rule:
    - add "-o your_WAN_interface" so you only log traffic exiting your LAN
    - don't log ntp, but this means separate rules for udp ("-p udp" or "! -p tcp") and tcp ("-p tcp ! --dport 123") or add NTP to ClearOS and use ClearOS as your camera's time server.
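As an added example (not from the post above), here is a small Python script that reads lines in the format the LOG rule writes to /var/log/messages (or the split-out /var/log/firewall) and tallies NEW connections per destination, so you can see at a glance where a camera is talking. The log lines, addresses and interface names are constructed; the "Stairs camera" prefix follows the rule above.

```python
import re
from collections import Counter

# Constructed sample of what the LOG rule above writes to /var/log/messages
# (made-up addresses). Note that iptables prints --log-prefix verbatim, so
# without a trailing space "Stairs camera" runs straight into "IN=".
SAMPLE_LOG = """\
Nov 16 10:21:03 server kernel: Stairs cameraIN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 16 10:21:05 server kernel: Stairs cameraIN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=41235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 16 10:21:09 server kernel: Stairs cameraIN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=1003 PROTO=UDP SPT=123 DPT=123 LEN=56
Nov 16 10:21:14 server kernel: Stairs cameraIN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.0.2.33 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1004 DF PROTO=TCP SPT=41236 DPT=8000 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 16 10:21:25 server sshd[900]: Accepted publickey for admin from 192.168.1.2 port 50000 ssh2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # flags like DF and SYN carry no '=' and are skipped

def parse_log_line(line, prefix):
    """Return the key=value fields of one LOG line, or None if the line is
    not a kernel message carrying our prefix (e.g. the sshd line above)."""
    if " kernel: " not in line:
        return None
    payload = line.split(" kernel: ", 1)[1]
    if not payload.startswith(prefix):
        return None
    # strip the prefix first, otherwise "cameraIN=eth1" would be read as one key
    fields = dict(KV_RE.findall(payload[len(prefix):]))
    return fields if "SRC" in fields and "DST" in fields else None

def summarize(log_text, prefix="Stairs camera", ignore_ntp=True):
    """Count NEW connections per (source, destination, protocol, port).
    ignore_ntp drops port 123, as the post suggests for a camera syncing its clock."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        proto, dpt = f.get("PROTO", "?"), f.get("DPT", "-")
        if ignore_ntp and dpt == "123":
            continue
        counts[(f["SRC"], f["DST"], proto, dpt)] += 1
    return counts

def destinations_for(counts, src):
    """Distinct (destination, protocol, port) triples one LAN host talked to."""
    return sorted({(d, p, port) for (s, d, p, port) in counts if s == src})

if __name__ == "__main__":
    for (src, dst, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst} {proto}/{dpt}: {n} new connection(s)")
```

Feed it the real file (for example `python3 camlog.py < /var/log/firewall` after replacing SAMPLE_LOG with sys.stdin.read()) and any destination you do not recognise for a camera is worth a second look.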
  • Accepted Answer

    Saturday, November 16 2019, 01:58 AM - #Permalink
    Resolved
    0 votes
    If you are just trying to watch traffic in real time, or track down some shenanigans from a particular device, then the Netify Console tool might help - see attached screenshot. That tool can be used to show every single conversation happening between the device on your network and the Internet. The console tool is open source and free. If you're interested, please let me know -- I can write up an install howto.


    Hi Peter!

    I am not a business anymore at all, just retired. I am trying to keep track of some Foscam and some other Chinese cameras and whether or not they are "talking" where/when they shouldn't be. The screen shot looks good, much more informative than iptraf. If you have the time I'd love to know how to install the open source version which is all I need.

    Thanks so much!

    John
  • Accepted Answer

    Peter B
    Friday, November 15 2019, 05:07 PM - #Permalink
    Resolved
    0 votes
    Hi John,

    Yes, the old "network detail report" from ClearOS 6 was the app in question. It was a front end for the pmacct project. Yours truly was responsible for that app, but it turned out to be too resource intensive :(

    If you're a business, then (shameless plug!) Netify Network Intelligence might be worth a look - that's one of the products that we are currently working on and we just released it for ClearOS. Here's the ClearCenter announcement.

    If you are just trying to watch traffic in real time, or track down some shenanigans from a particular device, then the Netify Console tool might help - see attached screenshot. That tool can be used to show every single conversation happening between the device on your network and the Internet. The console tool is open source and free. If you're interested, please let me know -- I can write up an install howto.
  • Accepted Answer

    Thursday, November 14 2019, 08:57 PM - #Permalink
    Resolved
    0 votes
    I think there was another report, the network detail report, but in 6.x it was withdrawn as it generated too much traffic for the system-database to cope with and it could bring your system down. It is available from the command line in 7.x but it is dangerous.