lephisto / pfsense-analytics

Pfsense Analytics w/ Graylog, Elasticsearch, InfluxDB and Grafana fully dockerized for Firewall and DPI.
GNU General Public License v3.0

Data seems wrong #32

Closed oneofthegeeks closed 3 years ago

oneofthegeeks commented 4 years ago

When looking at the dashboards I am seeing numbers that don't seem to make sense.

Some totals are in the TB totals for the last 6 hours. Most data seems wrong on the NDPI interface dashboard. Any ideas on where to start looking? I followed your instructions and all went well, just seems like something is wrong as there is no way that the data is correct.

Thanks.

lukeren commented 4 years ago

I see the same. I tried downloading roughly 2.5GB from Norway, where I had 0 data from already. It registered as 5GB when I first looked at it, but while doing this post I flipped back and forth and it kept rising, 24GB and then 34GB. It must be adding the same data over and over again.

oneofthegeeks commented 4 years ago

Well, at least it is not just me. @lephisto any ideas?

jopeek commented 4 years ago

Ok, phew, good to know I'm not alone. For added context, I only used the dpi dashboard json from here to set up my dashboard after just configuring ntopng to direct data to my influxdb server, so I'm not using the full docker setup or anything. What could be wrong here? Numbers are way too high and I even saw some IP addresses outside of any of my hosts that also don't appear in ntopng (I use 192.168.x.x and those were 10.10.x.x addresses).

corsbj commented 4 years ago

Are you running pfblockerng? I believe the 10.10.x.x range is used to redirect blocked sites.

jopeek commented 4 years ago

> Are you running pfblockerng? I believe the 10.10.x.x range is used to redirect blocked sites.

That might have been it. I cleared the database and those IPs haven’t returned.

The traffic volume numbers are way out of whack still though.

jopeek commented 4 years ago

> Are you running pfblockerng? I believe the 10.10.x.x range is used to redirect blocked sites.

Actually, no. I don’t have pfblockerng running and it’s still tracking 10.x.x.x IPs which don’t exist. I have no idea what’s going on. The data in ntopng looks fine but whatever is either written to influxdb or displayed by grafana is very wrong.

lephisto commented 3 years ago

I will look into it and validate the data on the GL4 release. Up until now everything still seems reasonable. If the problem persists, re-open the issue.