Wallwatcher and tracking usage

Discussion in 'other firewalls' started by stevwolf, Jun 29, 2011.

Thread Status:
Not open for further replies.
  1. stevwolf

    stevwolf Registered Member

    I have a small school.
    With school out the usage should be lower, but it really isn't. I think it is one of 3 students still left in the dorm.

    I'm trying to track down what's causing the high usage. Sometimes 7 or 8 gigs a day.

    I have a tomato router, I have set up opendns on it. I have now installed WallWatcher on a pc.

    I can see who the offending person is, but when I look at the sites that they go to nothing really looks bad.

    While I know that we could go to them and say what the heck are you doing, really what I'm trying to do is learn. They are only one student; in the future there may be others who will do the same thing. So I really want to learn what is taking up bandwidth and at least figure out how I can see what it is, for future education. Perhaps we will in the future make a rule NO X if we knew that X was the problem. At this point we don't know what causes heavy usage.

    All that having been said, is there anything that can tell me in WallWatcher (or perhaps other free software) what sites are hogs on the network? I have also installed SNMP on the Tomato so I can do bandwidth summaries.

    Thanks
     
  2. lordraiden

    lordraiden Registered Member

    You can do it using Wireshark; probably the traffic is due to somebody using P2P, or you can ask the students directly. :D

    http://wiki.wireshark.org/BitTorrent

    http://seguridadyredes.wordpress.co...tshark-detectando-trafico-p2p-en-nuestra-red/ (in Spanish, but it's all you need to know; it explains clearly how to detect P2P traffic in your network using Wireshark) try Google Translate

    http://www.brighthub.com/computing/smb-security/articles/48875.aspx

    A commercial solution
    http://www.imfirewall.com/en/

    http://www.google.es/search?q=wires...gc.r_pw.&fp=c45d40a242b37c57&biw=1280&bih=706
     
  3. stevwolf

    stevwolf Registered Member

    Thank you, this is very helpful.

    Just as a question (which perhaps you or someone could answer): shouldn't WallWatcher show if someone downloads from, say, a P2P site? OK, if it's just an IP address that doesn't resolve to a name I have to look it up (and often you can't see that it's associated with any company), but still, shouldn't some of them show up?

    Secondly, as an example, if I ping say Google, shouldn't that show up on WallWatcher? Because when I do this it doesn't show up. I'm sure I'm missing something rudimentary in my understanding, but still I would have thought all traffic should show up?

    Thanks
     
  4. lordraiden

    lordraiden Registered Member

    I have never used WallWatcher, but with WallWatcher you can see the remote IPs. If he is using P2P you will probably have thousands of IPs from other P2P users and then 3 or 4 from the P2P websites (in case he visits any website to get the links), so it's not a good method.

    Maybe you can filter the log for the most active port; you will have in one log all the IPs related to the high traffic, but again it will be a lot.

    What you can do is block the port with the highest traffic, although then the student can change to another port, but you can do the same again.
     
  5. stevwolf

    stevwolf Registered Member

    Thanks I will take a look at those things.
     
  6. Stem

    Stem Firewall Expert

    Hello,

    As others have put forward, it could be P2P traffic, although of course it could just as well be downloads from file_lockers (rapidshare etc) or usenet, or it could be video streaming (as examples). Unfortunately, looking at the logs from the "tomato" router, it only indicates TCP/UDP traffic, not specific P2P (or other) protocol types.
    You may find the URL/IP of a P2P site or a P2P tracker IP, but the actual downloading would be from other clients, so the IPs could be many and would not necessarily resolve to a site.
    Yes, ICMP should show in the log as "out" traffic.

    You could block all P2P traffic (that is covered in the filtering of the router) via the "Access restriction", but of course that can be bypassed via VPN/proxy. It would also not stop heavy downloading from file_lockers or usenet.
    Do you currently have "qos" enabled in the router?

    - Stem
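One way to do the log sifting lordraiden and Stem describe above (group the router's log by LAN host, count distinct remote IPs and the busiest destination port, and flag the host talking to a swarm of peers). This is an added example, not code from the thread or from Tomato/WallWatcher; it assumes the netfilter-style SRC/DST/PROTO/SPT/DPT fields Tomato writes to syslog, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the netfilter fields carried by the iptables LOG lines Tomato sends to syslog.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (src, dst, proto, dport) for a matching log line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])

def summarize(lines):
    """Per LAN host: flow count, distinct remote IPs, and the three most used destination ports."""
    peers, ports, flows = defaultdict(set), defaultdict(Counter), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unrelated syslog lines (dnsmasq, dhcp, ...) are skipped
            continue
        src, dst, _proto, dport = rec
        flows[src] += 1
        peers[src].add(dst)
        ports[src][dport] += 1
    return {s: {"flows": flows[s], "peers": len(peers[s]),
                "top_ports": ports[s].most_common(3)} for s in flows}

def p2p_suspects(summary, min_peers=50):
    """Hosts with many distinct remote IPs (the swarm signature Stem mentions), busiest first."""
    hits = [s for s, v in summary.items() if v["peers"] >= min_peers]
    return sorted(hits, key=lambda s: -summary[s]["peers"])

def _line(src, dst, proto, dport):
    # Constructed sample line; timestamp, hostnames and addresses are made up (RFC 5737 ranges).
    return (f"Jun 29 20:01:02 tomato kernel: ACCEPT IN=br0 OUT=vlan1 "
            f"SRC={src} DST={dst} PROTO={proto} SPT=51413 DPT={dport}")

# Constructed sample log: one host browsing normally, one host talking to 120 peers on 6881.
SAMPLE_LOG = (
    [_line("192.168.1.20", "203.0.113.7", "TCP", 80),
     _line("192.168.1.20", "203.0.113.9", "TCP", 443)]
    + [_line("192.168.1.31", f"198.51.100.{i}", "UDP", 6881) for i in range(1, 121)]
    + [_line("192.168.1.31", "203.0.113.7", "TCP", 80)]
    + ["Jun 29 20:01:03 tomato daemon.info dnsmasq[120]: started"]
)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host in p2p_suspects(report):
        print(host, report[host])
```

Feed it the real syslog export instead of SAMPLE_LOG; a host whose top port is unusual and whose peer count is in the hundreds is the one to look at, even when none of the remote IPs resolves to a name.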
     
  7. stevwolf

    stevwolf Registered Member

    Thanks for your comments, Stem.

    Yes, I have QoS enabled and have tried to set it up as best I can.
    Putting those things I don't want very low, to discourage them.

    Whether it works or not, or how well, I don't know. I try to do my best to read and follow instructions. However I think ?? that if there are few people in the houses and this person is, say, playing games then he will get the bandwidth he needs. From what I understand about QoS, it doesn't stop people; it just gives precedence to some types of data and lowers other types. If there are few people using it, say to surf the web, which is what is higher, then it will still dole out the needed bandwidth to the gamers.
    I admit that I set this up perhaps a year ago and I have forgotten how I did it, or all the details of how to set it up, but I did do it. (Not that it doesn't need fine tuning or that I haven't done it poorly.)

    It is possible that there is more info on the net, or better FAQs than I read at the time. I also wonder if there is a way to update the "dropdown" boxes in the sites, e.g. BitTorrent or whatever the latest is. As new software comes out I'm sure some of the presets are out of date.
     
  8. Stem

    Stem Firewall Expert

    Hello,

    I must admit that I do not usually use routers as my gateway, but I was curious as to your setup. So I downloaded the "tomato" firmware (1.28) and placed it on an old router I have to test it. I have also set up "Wallwatcher", so it is a bit of an experiment here at the moment.

    I have checked and it does stop P2P via the "Access restrictions"; also the "qos" does restrict with settings, although I am not actually convinced yet of the accuracy of its percentages. It does appear to give less than specified (although that is not necessarily a bad thing).
    The good point about the qos is that it will also restrict large download bandwidth, so that would cover file_lockers / usenet etc. (depending on settings).

    If you have the same firmware, we can go through the settings and I can test them to check results.

    - Stem
     
  9. stevwolf

    stevwolf Registered Member

    Well, that's extremely generous of you.
    You obviously like to tinker.

    Tomorrow I'm going away for a few days and I don't have Internet access. I'm in the wilds of the North. (Maybe you are too.)

    I will pick this up with much appreciation on Monday.

    Regards
     
  10. Stem

    Stem Firewall Expert

    Cannot help myself but tinker with firewalls- TCP/IP

    North west, and it does get wild at times.

    I have the setup, so when you are ready.

    - Stem
     
  11. stevwolf

    stevwolf Registered Member

    Well, I'm back from my break. Love to hear what you have discovered.
     
  12. Stem

    Stem Firewall Expert

    Hi,

    Although I did get sidetracked (unfortunately that is not unusual for me), I did make some basic tests, but got mixed results due to how various connections are maintained. As an example: torrent traffic (if allowed) can be controlled via outbound rate qos. But for large downloads, such as an .exe or .avi (as examples), there would be a need to lower the rate for inbound in qos, but that then leads to problems with inbound packet loss (dropped at router) with excessive re-transmissions needed.

    The restrictions work well, with the ability to block directly P2P and/or various layer7 protocols, along with the ability to block the download of various file types (such as .exe or .jpg as example) or visit any named site.

    With ref to your original concern/question:-
    Although your current setup can place various limits/restrictions, you are going to face a bit of a struggle determining what is being downloaded due to the minimal logging given.

    - Stem
     
  13. stevwolf

    stevwolf Registered Member

    Presumably people need to download executables and even some videos. I would like to stop the downloading of movies, but I'm not sure that's possible, in that it's too granular. It's that trade-off. You can certainly stop anything you like, but stopping one thing will stop another thing. Unless you start putting web sites in, and that can be a full-time job.

    I view P2P as any torrent, eDonkey etc. site. (I may be wrong.) Unfortunately I don't think there is a generic method for blocking them. The Tomato router has some QoS settings for many sites. Unfortunately there are always new ones. And setting up every single setting on the router seems a little onerous. I also don't know if there is going to be a point where the router will say enough is enough and slow down. I don't know.

    As far as online gaming goes, is there any way to block that generically, or is that another situation where you must create QoS or blocks for each game? I don't play games (I'm boring, I know). So I know little about these things.
     
  14. Stem

    Stem Firewall Expert

    For P2P you would block the protocols rather than specific servers. In the "Access Restrictions" you can place a rule to block "All IPP2P Filters".

    [image: 01.png]

    I did make a quick test by attempting to use BitTorrent after setting the filter to block, and it was blocked.

    I would enable the qos and leave it on default settings for now, and after stopping P2P and any games (and possible file_types) you decide on, you can re-check the bandwidth/download amounts. Enable the qos and enter your bandwidth; also enable "TCP Vegas".

    Have a look in the "Access Restrictions"; there are, in the "Layer 7" drop-down menu, a number of filters for games that can be added.

    [image: 02.png]

    I could not find a current listing, but there is some info here:- http://l7-filter.sourceforge.net/protocols that will show you which are games.

    For any file_type you want to block, just enter the extension into the "Http request" window (one extension per line).

    [image: 03.png]

    -Stem
     
  15. stevwolf

    stevwolf Registered Member

    Thanks for the help.
    I have blocked the P2P and we shall see if that reduces things a bit.
    The blocking of file types was unknown to me; I didn't realize that I could do that here. I tried it and wow, it works.

    I have blocked a few known file types that can cause problems, e.g. .bat and .scr. I'm sure I will add to the list.

    While I'm sure there may be other products out there, the Tomato router is pretty good and does a lot that other paid-for routers either charge for or don't do at all.

    Thanks again. I have moved forward a little more. Your ability to pick up the tomato router, having never seen it, is obviously a sign of your skill level.
     