<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I would consider this a learning opportunity to install/learn packetbeat, Elasticsearch, and kibana, rather than using tcpdump or wireshark… Probably set up logging from the network devices to go there too. Might be able to correlate behaviors that would be harder with the disparate tools.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Feb 10, 2020, at 11:48, Jeff Chapin <<a href="mailto:chapinjeff@gmail.com" class="">chapinjeff@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class="">
>> There is enough granularity in the graph so that it is possible to determine<br class="">
times and to get an idea as to the volume of packets (that part isn't<br class="">
as precise). <br class=""></div><div dir="ltr" class=""><br class=""></div><div dir="ltr" class=""><br class=""></div><div class="">That's what I am asking about -- if you are talking 1 packet, it would be nearly impossible to detect if it was masked by legitimate usage, unless the legitimate usage is '0' packets. If it was 1TB/night, that would be easily seen.<br class=""></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 10, 2020 at 11:45 AM o1bigtenor <<a href="mailto:o1bigtenor@gmail.com" class="">o1bigtenor@gmail.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Feb 10, 2020 at 11:34 AM Jeff Chapin <<a href="mailto:chapinjeff@gmail.com" target="_blank" class="">chapinjeff@gmail.com</a>> wrote:<br class="">
><br class="">
> How big was the 'spike' overnight? Is it small enough that it's just masked by normal usage?<br class="">
><br class="">
Operator of said device(s) is not on the network during the daytime.<br class="">
<br class="">
There is enough granularity in the graph so that it is possible to determine<br class="">
times and to get an idea as to the volume of packets (that part isn't<br class="">
as precise).<br class="">
<br class="">
The spikes on the 'wired' services are about 3 per every 2 hours and<br class="">
that's around the clock.<br class="">
If it's ms google (or for that matter any other of the nutty 5) being a<br class="">
'x'itch well - - - - she<br class="">
can just ride her broom on out of here (LOL).<br class="">
<br class="">
Thanks for the assistance!!!<br class="">
_______________________________________________<br class="">
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota<br class="">
<a href="mailto:tclug-list@mn-linux.org" target="_blank" class="">tclug-list@mn-linux.org</a><br class="">
<a href="http://mailman.mn-linux.org/mailman/listinfo/tclug-list" rel="noreferrer" target="_blank" class="">http://mailman.mn-linux.org/mailman/listinfo/tclug-list</a><br class="">
</blockquote></div><br clear="all" class=""><br class="">-- <br class=""><div dir="ltr" class="gmail_signature">Jeff Chapin<br class="">President, CedarLug, retired<br class="">President, UNIPC, "I'll get around to it"<br class="">President, UNI Scuba Club<br class="">Senator, NISG, retired</div></div>
_______________________________________________<br class="">TCLUG Mailing List - Minneapolis/St. Paul, Minnesota<br class=""><a href="mailto:tclug-list@mn-linux.org" class="">tclug-list@mn-linux.org</a><br class="">http://mailman.mn-linux.org/mailman/listinfo/tclug-list<br class=""></div></blockquote></div><br class=""></body></html>