Carbonite
Identifying odd network traffic

Presler

Network gurus, help a bush-dweller please!

ISP called to let me know something on my network is chowing up 95% of the bandwidth, causing packet loss etc.

They gave me an external IP the traffic is directed to/from. A quick WHOIS showed IP 205.185.216.10 belongs to Highwinds Network Group, a CDN, so the traffic could be anything really. The router screenshot shows its own IP as destination, but the traffic flow equals that external traffic sent through the LAN port to my USG.

The router shows the traffic is pushed to my firewall; however, 176 pages of logs pulled from the USG mention that IP only twice, both times showing the source as the ISP router. I can't find anything in the logs identifying any device TX/RX traffic to that IP.

Any clever ways I can source the device that is responsible for said traffic?

My network is built with Ubiquiti APs, a USG 4 Pro, a UniFi controller and D-Link switches.

Thanx
 
I'm no network guru but perhaps one of your neighbors is having a ball at your expense?
 
> I'm no network guru but perhaps one of your neighbors is having a ball at your expense?
Could be, but wondering who/what.

Trying to find a way to sniff out the device/IP responsible for that traffic
 
> Could be, but wondering who/what.
>
> Trying to find a way to sniff out the device/IP responsible for that traffic
Maybe a bit obvious, but have you tried any IP scanning software?

MyLanViewer, Angry IP Scanner etc
 
What about using Glasswire which Linus plugs in almost every video?
 
Wireshark?

Or get a Mikrotik
ISP router is a Mikrotik, shows nothing more than the external IP.
> What about using Glasswire which Linus plugs in almost every video?
Don't watch many Linus vids; the dude's voice annoys me :LOL:

Going to check out GlassWire, thanx
 
> ISP router is a Mikrotik, shows nothing more than the external IP.
>
> Don't watch many Linus vids; the dude's voice annoys me :LOL:
>
> Going to check out GlassWire, thanx
I feel the same way about that dude from Gamers Nexus xD
 
Switch it on and off
 
> ISP router is a Mikrotik, shows nothing more than the external IP.
Ask the ISP to make sure that their RouterOS is up to date. A few weeks ago I got notified by SecOps that there are at least 6 CVEs (Common Vulnerabilities and Exposures) on RouterOS before 6.44.6.
 
Sorry, it's been a while since I used Wireshark. I'm sure you can configure it to push logs somewhere and get a nice graph, but maybe GlassWire is the way to go in your case. Definitely less leg work.

Wireshark is a monitoring tool that is more of a raw packet sniffer listening on the interface itself, whereas GlassWire is more of a dashboard-type monitoring software with some basic firewall rules and detection. GlassWire focuses more on ease of use and alerts for suspicious activity.
 
> ISP router is a Mikrotik, shows nothing more than the external IP.
What kind of access do you have? Because you should literally be able to Torch to track network traffic per device.
*Ah, hang on, you're using the USG WAN? So everything would be NATted.
I thought the USG had the capability to view device/port traffic breakdowns?
 
> ISP router is a Mikrotik, shows nothing more than the external IP.
I vote for brute force.
Block that IP from all incoming/outgoing traffic; if something breaks, you know what it was.
If nothing breaks, you fixed the issue :p
 
Mikrotik routers (generally) have an ass load of vulnerabilities, and could be pwned with commands executing via the router from outside your network environment.
 
Best way to check this is to have something that monitors NetFlow traffic on the WAN/outside interface of your router. If your device can do sFlow, get something like the PRTG free version.

Otherwise, one easy thing to do is block everything on your network, then allow one device through. Check it; if the traffic looks fine, remove it from the network and keep doing this until you come across the device that has abnormal traffic. Do this with MAC blocking, physical cable removal etc.

Trial and error the kak out of it
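One way to do the per-host attribution the OP is after and the post above describes, as an added example that is not part of this thread and not a Ubiquiti tool: capture on the USG's LAN-side interface with `tcpdump -nn -q -l`, where sources are still the private addresses (a WAN-side capture only shows the USG's public IP after NAT, as noted earlier in the thread), then tally payload bytes per LAN host exchanged with the reported IP. The capture lines below are constructed for the example, and the 192.168.1.0/24 range and the `eth1` interface name are assumptions; the parser accepts both the `tcp N` and `UDP, length N` quiet-mode line forms and skips ICMP/ARP lines.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -nn -q -l -i eth1` output as it might look on
# the USG's LAN-side interface (interface name is an assumption). These lines
# are made up for the example; they are not from a real capture.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 205.185.216.10.443 > 192.168.1.50.49812: tcp 1448
10:15:01.000002 IP 205.185.216.10.443 > 192.168.1.50.49812: tcp 1448
10:15:01.000003 IP 192.168.1.50.49812 > 205.185.216.10.443: tcp 0
10:15:01.000004 IP 192.168.1.22.51000 > 142.250.1.1.443: tcp 517
10:15:01.000005 IP 205.185.216.10.443 > 192.168.1.50.49812: tcp 1448
10:15:01.000006 IP 192.168.1.7.60001 > 205.185.216.10.80: tcp 120
10:15:01.000007 IP 205.185.216.10.80 > 192.168.1.7.60001: tcp 800
10:15:01.000008 IP 192.168.1.50.49812 > 205.185.216.10.443: tcp 0
10:15:01.000009 IP 192.168.1.22.40123 > 8.8.8.8.53: UDP, length 60
10:15:01.000010 IP 192.168.1.50 > 205.185.216.10: ICMP echo request, id 1, seq 1, length 64
"""

# Quiet-mode summary line: "src.sport > dst.dport: tcp N" or "...: UDP, length N".
# Lines without a port pair and a tcp/udp length (ICMP, ARP) do not match.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>tcp|udp),? (?:length )?(?P<len>\d+)",
    re.IGNORECASE,
)


def parse_capture(text):
    """Return (src, dst, proto, sport, dport, payload_bytes) tuples, skipping non-TCP/UDP lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append((m["src"], m["dst"], m["proto"].lower(),
                      int(m["sport"]), int(m["dport"]), int(m["len"])))
    return flows


def bytes_per_lan_host(flows, lan_net, suspect_ip):
    """Tally payload bytes each LAN host exchanged with suspect_ip.

    Returns {lan_host: {"in": bytes, "out": bytes, "remote_ports": {"tcp/443", ...}}}.
    Only packets with one end inside lan_net and the other end == suspect_ip count.
    """
    lan = ip_network(lan_net)
    suspect = ip_address(suspect_ip)
    totals = defaultdict(lambda: {"in": 0, "out": 0, "remote_ports": set()})
    for src, dst, proto, sport, dport, length in flows:
        s, d = ip_address(src), ip_address(dst)
        if d == suspect and s in lan:          # LAN host -> suspect (upload)
            totals[src]["out"] += length
            totals[src]["remote_ports"].add(f"{proto}/{dport}")
        elif s == suspect and d in lan:        # suspect -> LAN host (download)
            totals[dst]["in"] += length
            totals[dst]["remote_ports"].add(f"{proto}/{sport}")
    return dict(totals)


def unattributed_bytes(flows, lan_net, suspect_ip):
    """Bytes to/from suspect_ip whose other end is outside lan_net.

    Non-zero here together with an empty bytes_per_lan_host() result is the
    classic sign the capture was taken post-NAT (WAN side): the private source
    has already been rewritten to the USG's public address, so move the capture
    to the LAN interface or a switch mirror/SPAN port and try again.
    """
    lan = ip_network(lan_net)
    suspect = ip_address(suspect_ip)
    total = 0
    for src, dst, _proto, _sport, _dport, length in flows:
        s, d = ip_address(src), ip_address(dst)
        if (s == suspect and d not in lan) or (d == suspect and s not in lan):
            total += length
    return total


def top_talker(totals):
    """LAN host with the most combined bytes to/from the suspect, or None."""
    if not totals:
        return None
    return max(totals, key=lambda h: totals[h]["in"] + totals[h]["out"])


if __name__ == "__main__":
    LAN, SUSPECT = "192.168.1.0/24", "205.185.216.10"
    flows = parse_capture(SAMPLE_CAPTURE)
    totals = bytes_per_lan_host(flows, LAN, SUSPECT)
    for host, t in sorted(totals.items(), key=lambda kv: -(kv[1]["in"] + kv[1]["out"])):
        print(f"{host:16} in={t['in']:>8} out={t['out']:>8} ports={sorted(t['remote_ports'])}")
    print("top talker:", top_talker(totals))
    print("bytes not attributable to a LAN host:", unattributed_bytes(flows, LAN, SUSPECT))
```

Run it against a real file with `sudo tcpdump -nn -q -l -i eth1 host 205.185.216.10 > cap.txt` for a minute or two, then feed `cap.txt` to `parse_capture`; the `remote_ports` set is a quick hint at what the traffic is (443 from a CDN looks like ordinary downloads, a Usenet client would typically sit on 119 or 563) before you go and look at the top talker itself.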
 
Highwinds is also a huge Usenet provider group. The UniFi controller shows client activity, both for the last few minutes and total downloaded/uploaded. You can try enabling DPI (Deep Packet Inspection), but if the traffic is encrypted it's not going to help much.

The easiest is probably going to be to narrow it down to a specific or handful of clients and start digging around there.

Also check your UniFi controller for any firewall rules and port forwarding.
 
> Ask the ISP to make sure that their RouterOS is up to date. A few weeks ago I got notified by SecOps that there are at least 6 CVEs (Common Vulnerabilities and Exposures) on RouterOS before 6.44.6.
lol. This is how I got into my neighbour's Mikrotik without signing those pesky Vox forms. Thanks to ancient RouterOS and CVE-2018-14847.
News to me about the more recent CVEs, should look into that.
> Sorry, it's been a while since I used Wireshark. I'm sure you can configure it to push logs somewhere and get a nice graph, but maybe GlassWire is the way to go in your case. Definitely less leg work.
Yeah, it's geared towards digging into the nitty-gritty. For broader strokes, tools like GlassWire/ntop/NetBalancer are the way to go. That being said, if you grab a pcap of your network traffic, there are a variety of tools to analyse it, including Wireshark. There are some summary views which are helpful.
 
Ah, just seen you don't have a UniFi switch. Is the D-Link managed? That may rule out detecting which device(s) are using the bandwidth. Still worth checking for any open ports and firewall rules which sit on the USG Pro 4. WiFi clients should show up with activity.

Narrowing things down per client is still the best place to start.
 
Look at my posts regarding vulnerabilities and bypasses that occur after a firmware update.


We need more details to help.

Usually a SPAN port and software are needed to find all traffic. However, certain prosumer routers have forwarding abilities.
 
Some free tools (I posted this before)

My top pick based on your username

Good luck
 
BTW, wrt SolarWinds: do not use ANY old versions. Download directly from SolarWinds.
 