One of my friends recently sent me the following question regarding how to identify some unknown traffic he noticed in his pfSense firewall logs. He also sent me a screenshot of the firewall logs.
So I see these things on the firewall being blocked. How do I figure out what they are and if they are harmful? None of those addresses are ones that I know about. Maybe the 192.168.1.69 is the wireless DVR box? All of my computers and gadgets are on 192.168.0.*
Finding the MAC Address
One of the first things I like to do when I’m trying to identify unknown traffic on a network is to find the MAC address and do a vendor search. Sometimes just knowing which company the MAC address is registered to can be enough to identify a host, especially if you only have a few devices from the particular manufacturer in question.
Reader Ohm_Boy pointed out that if you’re running pfSense 2.0 or newer you can now view the ARP table through the web GUI (Diagnostics \ Arp Tables).
Otherwise, to view the cache you’ll need to access the pfSense shell, either over SSH or through the web-based command prompt in the Diagnostics menu.
Once you’re in the shell, issue the arp -a command. This command lists all of the active entries pfSense currently has in the ARP table.
You can pipe the output through grep to filter for the specific IP address in question. For example, ‘arp -a | grep 192.168.10.3’ will show only the ARP table entry matching the IP address 192.168.10.3.
You’ll notice that near the end of each line is the number of seconds until the entry expires. By default pfSense caches entries in the ARP table for 20 minutes; you can manually clear all of the entries by running the command ‘arp -d -a’.
If the IP address I’m trying to track down isn’t listed in the ARP table I’ll try to ping it from the pfSense shell. If it still doesn’t show up, a broadcast ping will sometimes flush it out (ping 255.255.255.255).
MAC Vendor Lookup
After obtaining the MAC address it’s pretty easy to determine which company the address is registered to. Below are three of the most popular websites which can quickly run a search for you. Wireshark will automatically do this for you while viewing a capture (more on this later).
If the MAC address search doesn’t identify the host you’re looking for then it should at least narrow it down to a smaller subset of devices on the network.
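The ARP lookup and vendor search described above, as an added worked example that is not from the original post: it parses arp -a output in the FreeBSD format pfSense prints, extracts the MAC and expiry for a given IP, and matches the OUI (first three octets) against a vendor table. The sample arp -a output, the IPs and MACs, and the vendor table are all constructed for the example; an entry that pfSense could not resolve shows as (incomplete) and has no MAC to look up.

```python
import re

# Constructed sample of `arp -a` output in the format pfSense (FreeBSD) prints;
# the IPs and MACs are made up for this example.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:0c:29:12:34:56 on em0 permanent [ethernet]
? (192.168.1.69) at 00:1e:8f:aa:bb:cc on em0 expires in 1184 seconds [ethernet]
? (192.168.1.70) at (incomplete) on em0 expired [ethernet]
"""
# Tiny stand-in for the vendor databases the post refers to (only the
# VMware prefix is a real registration; the other entry is made up).
OUI_TABLE = {"00:0c:29": "VMware, Inc.", "00:1e:8f": "Example Camera Co. (made up)"}

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) on (?P<iface>\S+) "
    r"(?:expires in (?P<ttl>\d+) seconds|(?P<state>permanent|expired))"
)

def parse_arp(output):
    """Map each IP in the `arp -a` output to its MAC, interface and expiry."""
    entries = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        entries[m["ip"]] = {
            # an unanswered ARP request shows as "(incomplete)": no MAC to look up
            "mac": None if m["mac"] == "(incomplete)" else m["mac"].lower(),
            "iface": m["iface"],
            # seconds before pfSense drops the entry; None when permanent/expired
            "ttl": int(m["ttl"]) if m["ttl"] else None,
            "state": m["state"] or "dynamic",
        }
    return entries

def identify(ip, output=SAMPLE_ARP_OUTPUT, table=OUI_TABLE):
    """Return the ARP entry for ip plus the vendor of its OUI (first three
    octets), or None if the IP is absent, which is the cue to ping it first."""
    entry = parse_arp(output).get(ip)
    if entry is None:
        return None
    mac = entry["mac"]
    vendor = table.get(mac[:8]) if mac else None
    return dict(entry, vendor=vendor)

if __name__ == "__main__":
    for ip in ("192.168.1.69", "192.168.1.70", "192.168.1.99"):
        print(ip, identify(ip))
```

On a real firewall you would feed the output of arp -a (or arp -a | grep <ip>) into identify() and replace OUI_TABLE with the IEEE OUI list.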
Port Scanning / OS Fingerprinting
The next most useful tool for identifying an unknown host is a port scanner. Nmap (a well-known port scanner) is available as a package for pfSense and can provide more clues toward identifying a rogue host on a local network. Nmap will produce a list of any open ports on a system, and it also has a very useful feature called OS fingerprinting which can sometimes determine the operating system of a host.
After installing the package you can run the port scan through an SSH shell or the web based command prompt. To enable the OS fingerprinting feature add the -O flag to the command.
The command should look something like this: nmap -sS 192.168.10.254 -O
If you’re having trouble getting the scan to run you might need to force Nmap to use the LAN interface by adding the -e flag followed by the name of the LAN interface. To list all of the interfaces on the system run the ifconfig command.
Researching TCP / UDP Ports
After running a port scan I like to take a close look at what ports are open on the host. Port numbers are often distinctive, and some are registered to a specific company or service. There are several websites that provide a list of ports and the companies / services they are registered to.
Infosyssec.org has a nice list of well-known ports on their site you can use to search for the port you are attempting to identify. Not all ports require registration to use, especially ports above 1024, so the search may not always turn up a result.
Using the Darkstat Package
Darkstat is another useful package for pfSense which can provide many different network statistics for a host. Once installed and enabled for the LAN interface, it will begin collecting information about traffic sent from each host on the network.
From within the web interface for darkstat I like to drill down to see statistics for each individual host. The package keeps track of packets sent, top TCP/UDP ports, MAC addresses, top IP sources / destinations, and several other useful bits of information.
If the previous methods haven’t yielded any results you may need to run a packet capture to determine what the host is connecting to. Most devices will eventually attempt to send traffic to an address on the internet. Being able to see which servers the host connects to can make it easier to identify it.
pfSense provides several different methods to capture packets, through both the web interface and the shell. My preferred method to capture packets on pfSense is to run Wireshark via SSH, which saves me from having to download the capture to my local machine before analyzing it.