Re: [m0n0wall] How to monitor network activity?

From:	Lee Sharp <leesharp at hal dash pc dot org>
To:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] How to monitor network activity?
Date:	Wed, 12 Sep 2007 22:32:36 -0500

Joe Lagreca wrote:
> I have a client that is running a m0n0wall.  I have been watching
> their network activity via the traffic graph, and I see that their
> outbound traffic has been pegged all day.  I would like to find out
> which machine is causing this and why.  How can I go about figuring
> this out?  Is there some SNMP monitoring utility I can run that will
> give me per user bandwidth information, etc?  Thanks.

Welcome to the Storm Worm.  I got quite good at this. (Thanks in no 
small part to the list.

1) Go to Firewall states, and take a snapshot.
2) View Delta.  You don't need to wait more than 10 seconds or so, as 
Storm sends a lot of traffic.
3) Sort by IP. The offending IP will have a lot of traffic to many 
hosts.  Up to 300 a minute.
4) Go to the LAN section of the firewall rules and create a new rule 
High that blocks all from that IP.
5) Watch the net performance get so much better.  Wait for a ticked off 
user to call.  See if they recognize the system name from the DHCP 
Leases section for that IP.
6) Have beer.

This is my LAN ruleset for a hotel that gets a lot.  I just disable the 
default rule to clean it up enough to work.  DHCP is .100 - .200

X	* 	192.168.68.224/28 	* 	* 	* 	Virus Block  	

X	* 	192.168.68.208/28 	* 	* 	* 	Virus Block  	

^	*	*	* 	* 	* 	Default LAN -> any  	

^	LAN net 	* 	* 	80 (HTTP) 	HTTP LAN -> any

^ 	LAN net 	* 	* 	443 (HTTPS) 	HTTPS LAN -> any  	
^	LAN net 	* 	* 	110 (POP3) 	POP3 LAN -> any  	
^	LAN net 	* 	* 	25 (SMTP) 	SMTP LAN -> any  	
^	LAN net 	* 	* 	21 (FTP) 	FTP LAN -> any  	

^	LAN net 	* 	* 	143 (IMAP) 	IMAP LAN -> any