Personal computing discussed

 
TwistedKestrel
Gerbil Elite
Topic Author
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 1:40 pm

Family friend is on mobile broadband and they have some kind of data vampire on their network. Since this is a tens-of-gigabytes problem and not a hundreds-of-gigabytes problem, it is not going to be super obvious. Apparently they don't really have any computers new enough to be capable of self-updating (e.g. no Windows 10) - supposedly it's only two computers, a tablet, and a couple of cell phones. They do have kids, of course.

So - I have a spare SFF PC I could use as a UTM/proxy/traffic analyzer and put in their home for a while. What package/distribution out there will take the least time to install & setup for this purpose? I don't actually want any threat management, or firewalling, or even filtering - I just want to know who is accessing what and how much. I am well aware I could do this with the right SOHO router, but they are using an ISP provided router that is def not capable of this, and I don't have any that are capable of it to spare. Buying a cheap one that *is* capable of it is not off the table if it cuts down on time spent.

Very much appreciate any and all suggestions! :D
 
Ethyriel
Gerbil First Class
Posts: 155
Joined: Mon Feb 02, 2004 6:41 pm
Location: Tucson, AZ

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 1:54 pm

Sophos has a free version of their UTM. The original version isn't great at live monitoring, but XG may be better. The general consensus is that XG isn't ready for prime time, but since you don't want much out of it, it may be fine.

The other option would be to use Wireshark on Linux transparently. It's probably the better option, honestly, if you just want to discover what's going on. If you want to block certain types of traffic you'll need more.
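If you do go the capture route (tcpdump or Wireshark on a box bridged between the ISP router and the LAN, written out as a pcap file), the question "who is accessing what and how much" is just a per-frame tally. The script below is an added example, not code from any poster in this thread: it is a stdlib-only pcap reader that attributes bytes on the wire to (source MAC, destination IPv4) pairs and ranks them. It assumes a classic pcap file with Ethernet link type (what tcpdump writes by default); the MAC addresses, IPs and frame sizes in the embedded sample capture are constructed for the demonstration.

```python
"""Tally bytes per (source MAC, destination IPv4) from a classic pcap file.

Stdlib only, so it runs on an old box.  Capture on the bridge with e.g.
`tcpdump -i br0 -w lan.pcap`, then `python3 tally_pcap.py lan.pcap`.
Assumes classic pcap (magic a1b2c3d4 either endian) with Ethernet frames.
"""
import struct
import sys
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
LINKTYPE_ETHERNET = 1


def _mac(b):
    return ":".join("%02x" % x for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def iter_packets(data):
    """Yield (timestamp, frame_bytes, original_length) per pcap record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # orig_len counts bytes on the wire even if snaplen truncated the record
        yield ts_sec + ts_usec / 1e6, frame, orig_len


def parse_frame(frame):
    """Return (src_mac, dst_ip); dst_ip is None for non-IPv4 frames."""
    if len(frame) < ETH_HDR_LEN:
        return None, None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    off = ETH_HDR_LEN
    if ethertype == ETHERTYPE_VLAN and len(frame) >= off + 4:
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]  # inner type after TCI
        off += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return _mac(src_mac), None
    return _mac(src_mac), _ipv4(frame[off + 16:off + 20])  # IPv4 dst at header offset 16


def tally(data):
    """Bytes on the wire per (src MAC, dst IP); non-IPv4 lands under dst 'other'."""
    totals = defaultdict(int)
    for _, frame, orig_len in iter_packets(data):
        src, dst = parse_frame(frame)
        if src is None:
            continue
        totals[(src, dst or "other")] += orig_len
    return dict(totals)


def top_talkers(totals, n=10):
    """Rank pairs by bytes so the device doing the downloading floats to the top."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def _frame(src_mac, dst_ip, payload_len):
    """Constructed Ethernet+IPv4 frame with a zero payload (sample data only)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), dst_ip)
    return eth + ip + b"\x00" * payload_len


def build_sample_pcap():
    """Constructed capture: a 'phone' MAC sends three 1400-byte frames, a 'laptop' one small frame."""
    phone, laptop = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("001122334455")
    frames = [_frame(phone, bytes([203, 0, 113, 5]), 1400)] * 3
    frames.append(_frame(laptop, bytes([198, 51, 100, 7]), 100))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1473700000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for (src, dst), nbytes in top_talkers(tally(data)):
        print("%-17s -> %-15s %12d bytes" % (src, dst, nbytes))
```

Run it against a real capture with the pcap path as the only argument; with no argument it runs on the embedded sample. Bytes are attributed to the sending MAC, so to see what a device is pulling down rather than sending, look for rows where the source is the router's MAC and cross-reference the destination IPs against the DHCP lease table.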
 
highlandr
Gerbil Elite
Posts: 575
Joined: Thu Dec 27, 2001 7:00 pm
Location: Somewhere in downstate IL

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 2:43 pm

Looks like pfsense with the package BandwidthD is what you want, assuming you can set up pfsense on your own. 2 NICs, a USB drive to boot, and some patience should get you going. Last time I looked at pfsense was like 8 years ago, but I don't remember it being that hard back then.
[ - THIS SPACE FOR RENT - ]
 
ThatStupidCat
Gerbil Team Leader
Posts: 272
Joined: Wed Jul 03, 2013 11:18 am
Location: your litterbox

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 4:01 pm

Can't they just log in to the router and see who is connected and using the most bandwidth? Maybe try changing the password and see if it still continues after that.
I'm clueless about computers.
Smoking catnip in the litterbox.
 
TwistedKestrel
Gerbil Elite
Topic Author
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 4:57 pm

Gave Sophos XG a spin... not surprised to see that it does the network appliance thing I hate where every vendor somehow finds a new way to structure everything. I'm sure it's powerful and that it could do what I want, but I don't have the time to learn it. pfSense with ntopng currently seems like the best candidate, evaluating it next.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 4:58 pm

If you can find a Linksys WRT54GL lying around and throw Tomato on it, it'll be all you need.
What we have today is way too much pluribus and not enough unum.
 
TwistedKestrel
Gerbil Elite
Topic Author
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 5:27 pm

Captain Ned wrote:
If you can find a Linksys WRT54GL lying around and throw Tomato on it, it'll be all you need.

I do have one, but I haven't touched it in like a decade. :P Tomato is a bit of a rabbit hole, which mod/fork of it would you use?
 
TwistedKestrel
Gerbil Elite
Topic Author
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 5:54 pm

At least... I thought I had one. First spelunking expedition couldn't find it. Maybe I gave it away?
 
Redocbew
Minister of Gerbil Affairs
Posts: 2495
Joined: Sat Mar 15, 2014 11:44 am

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 6:24 pm

I'll cast another vote for pfsense, if you can use it.  I was able to set it up here with a minimum of cursing despite not having much of a background in networking.  It's pretty nifty.
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
TwistedKestrel
Gerbil Elite
Topic Author
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 7:28 pm

Looks like everything I was going to use for this was either borrowed permanently or simply lost. Guess I'm swinging by the thrift store tomorrow! I've seen WRT54Gs there before. pfSense still looks interesting for this but I'm gonna have to table it due to lack of hardware... too many moves decimated my spare parts :P
 
Ummagumma
Gerbil
Posts: 42
Joined: Fri May 27, 2016 9:18 pm

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 7:59 pm

TwistedKestrel wrote:
Gave Sophos XG a spin... not surprised to see that it does the network appliance thing I hate where every vendor somehow finds a new way to structure everything. I'm sure it's powerful and that it could do what I want, but I don't have the time to learn it. pfSense with ntopng currently seems like the best candidate, evaluating it next.

I do not use pfSense (I build my own firewalls based on Linux. pfSense is a pretty darn good product), but I have used ntopng.

ntopng can be a bit of a pain to configure for initial use; look at the command line options for complicated setups. Once you jump that hurdle the GUI interface is easy to use and can be "served" via its own internal web server (default interface should be the installed platform's loopback address, making the web interface only accessible via the console). Don't use the web server via a LAN interface on a possibly compromised network.

ntopng might be the easiest way to evaluate network flows without the complexity of setting up Netflow-style clients & servers and configuring related flow analysis software.
Did you expect to read anything useful here?
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Lightweight UTM/traffic analyzer?

Mon Sep 12, 2016 8:04 pm

TwistedKestrel wrote:
Tomato is a bit of a rabbit hole, which mod/fork of it would you use?

Vanilla. It'll still show traffic by MAC address. Won't tell you what type of traffic it is, but you'll be able to ID the offending device.
What we have today is way too much pluribus and not enough unum.
