Monitor Network Traffic from Individual Hosts/Devices in pfSense (2.3.x) - ntopng

Discussion in 'Networking Guides' started by Nimrod, Mar 23, 2017.

    pfSense is a fantastic, fully fledged OS for turning any device into a home router. However, despite all its features, with the loss of BandwidthD in the latest release (2.3.x), tools for monitoring network traffic are quite lacking, which is surprising given it's a fully featured OS running on FreeBSD.

    The community has been at a loss, and numerous people have been hoping that BandwidthD would be updated to support it, but almost a year later there is still no sign of it. BandwidthD worked well by allowing you to see network usage per device/host over a period of time on your network.

    There is, however, a different plugin called ntopng available in the official Package Manager, which can not only achieve the same but also has a lot more features.

    You can download and install it to your pfSense build by browsing to System > Package Manager > Available Packages and putting "ntopng" into the Search box.


    It's quite a big plugin requiring a lot of dependencies, including MySQL; however, providing you're not running it on an old 600 MHz machine, you should find it fits within your build.

    The install itself takes around 250 MB, and it does capture all network traffic, so the database size will grow. You can adjust in the settings how long it stores data for if you have a pfSense build with limited disk space.

    Once installed, you can adjust the settings under Diagnostics > ntopng Settings.


    The big choice you have to make is what Interface it is to capture packets from. You would naturally think WAN is a good place to start; however be aware the traffic and logs will be big as it means traffic that hits your Firewall but doesn't go past it is also logged (meaning the reports will have a lot of host names!). I've found monitoring from the LAN side of things works nicely, as I have a Switch before pfSense so the only traffic to hit the LAN side on pfSense will be traffic inbound/outbound across pfSense and onto the internet so will only include Internet traffic which was actually successful.

    Before committing your settings, make sure to set a password and also click Update GeoIP Data, as it doesn't have it out of the box. I also recommend disabling alerting, as you will get a lot of false positives filling your pfSense logs otherwise. There are other plugins for monitoring/intrusion detection if that is what you are after.

    Once you are set you can access the report at any time by using the 'Access ntopng' button at the top.

    Please note: The username is admin and the password is what you set in the settings above.

    Once in, the first place to go is Settings and set your recording limits.
    Out of the box, it will record RAW packets for 1 day in your file system, the rolled-up reports in MySQL for 30 days, and totals for 1 year. You can adjust these here to work with the available disk space and RAM you have for pfSense.



    The Reports

    Everyone will be different and have their own needs for reporting, but I wanted to screenshot some of the cool reports you can generate and view in ntopng to share with you all.

    Of course, you can customize and work with anything which is captured going across the LAN.

    You can view total traffic on your local network and sort by usage.



    You can view Active Data Flows / Destination / Type in real time with ease on the Active Flows Report.


    You can even view specifics on a specific host on your Network like so, even with total usage, Activity Maps and more:



    Even break it down by Protocols.

    For those of you who are more interested in spying, yes you can see the top HTTP traffic destinations....



    All in all, it's a powerful piece of software and I'd recommend it to anyone running pfSense, providing they have the hardware to support it. Even in a home use situation it has a lot of uses. For example, within 24 hours of using it I saw my personal laptop used 60GB of network traffic and it caused me to investigate the cause and stop it (it was the Apple TV Screensaver running on my Mac without Cache turned on - turning it on then meant it didn't download the 4k Stream continuously while I slept!). So it does have its practical uses even at home :)