Results 1 to 8 of 8
  1. #1
    Untanglit
    Join Date
    Nov 2018
    Posts
    25

    Default Spike in activity at 4am - I'm trying to see the source

    New user here trying to figure all of this out.

    I was looking at my dashboard this morning and I see a big spike at 4 am this morning.

    It might be benign, but, I'm trying to poke around and identify the source as everyone in the house should have been alseep.

    4am usage.png

    Can someone tell me where to look to find out what device caused this spike?

    Thanks in advance.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,832

    Default

    Look in /admin/index.do#reports?cat=network&rep=all-sessions in that time frame. Frankly 1MB is not that much. It could be email reports from the box itself.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,029

    Default

    Hi, and welcome to the forums.

    There is a lot to figure out. I'm going to assume that the blue line is the external interface (it's not always blue). To see what inside your network was active at 4:00 am, I suggest looking at Reports > Network > All Sessions as a place to start, to get a feel for things. If you don't see 4:00 am in the Timestamp column, see if you've maxed out the number of events "Showing" and adjust as necessary.

    Since devices can do a number of things while everybody is asleep, don't be surprised if you see a little activity off and on all night long. But as quiet as your external interface appears to be, you should be able to identify more easily than some what hostname got busy at 4:00. If it's not immediately clear, by clicking on Settings you can temporarily add a column to the report, say "From-Client Bytes," to get a handle on what hostname was generating the most traffic at 4:00 am.

    There is a caveat here. By default Untangle itself will not show up in the All Sessions report, I don't think. By default, that traffic is not logged. So keep that in mind as you evaluate the spike.

    I hope I've got all this straight myself and haven't misled you at all.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    zoom in on the graph to the spike plus a little.
    Click "Apply this timeframe" button

    Then click on "Bandwidth Control Top Client (by total bytes)"
    or "Application Control Top Applications (by bytes)"
    etc

    Or just look at "Network All Sessions" click on the column drop down and add the byte count headers and sort by bytes.

    Also, you cropped out the key, but i'm assuming blue is the internal. meaning this was rx (received) on internal meaning it was likely something on your internal network uploading data to the internet.
    Last edited by dmorris; 11-17-2018 at 09:30 AM.
    MindVentures likes this.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untanglit
    Join Date
    Nov 2018
    Posts
    25

    Default

    Thanks for all these suggestions.

    I'll poke around some more.

    I did think it was a very tiny burst of data but was still curious.

    We have a teen that is "internet banned" right now. I wanted to make sure they were not "sneaking" it during the night.

    Thanks again.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,635

    Default

    Quote Originally Posted by glen4cindy@gmail.com View Post
    Thanks for all these suggestions.

    I'll poke around some more.

    I did think it was a very tiny burst of data but was still curious.

    We have a teen that is "internet banned" right now. I wanted to make sure they were not "sneaking" it during the night.

    Thanks again.
    I think it's fair to say that isn't happening, any actual amount of web traffic from a human user would have been much more than that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,165

    Default

    Quote Originally Posted by sky-knight View Post
    I think it's fair to say that isn't happening, any actual amount of web traffic from a human user would have been much more than that.
    Unless it was a toe-in the water 'test' of the real boundary.
    (done raised six of'em)

    My gut feeling is it was telemetry.
    If you think I got Grumpy

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,635

    Default

    Quote Originally Posted by Jim.Alles View Post
    Unless it was a toe-in the water 'test' of the real boundary.
    (done raised six of'em)

    My gut feeling is it was telemetry.
    I've got four... but they don't do subtle... my daughter got curious, starting digging for porn... thanks to untangle managed to step RIGHT OVER all the normal stuff and landed in the incest on some obscure place that wasn't categorized yet, and tumbler...

    Finding that in the logs was fun, my wife was mortified I just busted a gut laughing. 13 is 13, don't care who it is.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2