Monitoring traffic on EAP245?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-02-27 09:19:37
Model: EAP245  
Hardware Version:
Firmware Version: 5.0.6 Build 20220429 Rel. 44315

I have observed some very curious traffic patterns on the office LAN: high levels of traffic during the night, for example. I can see this on the statistics graphs on the Omada web app. To track down what is going on, I need to run a packet trace on the EAP245, and I have already found the xtcpdump command that will print a continuous stream of IP packets.


However, in order to use it, I need to manually log on to the appliance, and then it turns out that xtcpdump cannot be interrupted except by closing the connection. Is there an alternative way to monitor traffic to the same level of detail - one that can be automated and extracted by an external monitoring script?

#1
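The post says xtcpdump only stops when the session is closed, which is enough to automate a bounded capture from the outside: start the SSH session from a script, let it stream for a fixed time, then kill the local ssh process, which closes the connection and stops xtcpdump on the AP. The example below is added for illustration and is not from the original post or from TP-Link; the host `admin@192.0.2.10`, the output file name and the bare `xtcpdump` invocation (no options, as in the post) are placeholders and assumptions.

```python
"""Bound an otherwise uninterruptible remote capture (xtcpdump on an EAP245)
by closing the SSH session from the caller's side after a fixed time.

Added example, not from the thread. Assumptions: the AP accepts key-based SSH
as admin@192.0.2.2 (placeholder) and xtcpdump is run with no arguments, as in
the original post. Nothing here depends on xtcpdump's output format."""
import subprocess
from pathlib import Path


def bounded_capture(cmd, seconds, out_path):
    """Run `cmd`, stream its stdout to `out_path`, and kill it after `seconds`.

    Killing the local ssh process closes the session, which is the only way
    the poster found to stop xtcpdump. A command that exits on its own before
    the deadline is simply waited for. Returns the number of lines captured.
    """
    out_path = Path(out_path)
    with out_path.open("wb") as fh:
        proc = subprocess.Popen(cmd, stdout=fh, stderr=subprocess.DEVNULL)
        try:
            proc.wait(timeout=seconds)
        except subprocess.TimeoutExpired:
            proc.kill()  # closes the connection -> xtcpdump stops on the AP
            proc.wait()
    with out_path.open("rb") as fh:
        return sum(1 for _ in fh)


def ap_capture_cmd(host="admin@192.0.2.10"):
    """ssh command line for the AP; host is a placeholder. BatchMode makes ssh
    fail instead of prompting, so an unattended run cannot hang on a prompt."""
    return ["ssh", "-o", "BatchMode=yes", host, "xtcpdump"]


if __name__ == "__main__":
    # Capture for one minute, e.g. from cron at 02:00, then hand the file to
    # whatever parser the monitoring system uses.
    n = bounded_capture(ap_capture_cmd(), 60, "eap245-capture.txt")
    print(f"captured {n} lines")
```

Run it from cron during the hours the graphs show as busy; each run produces one bounded file that an external script can parse and ship, without anyone having to log in and close a session by hand.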
Re:Monitoring traffic on EAP245?
2024-02-27 13:23:10

  @j4nd3r53n 


You could enable logging services to an external or internal logging server, AND also enable SNMP/Logging. That will give you all the data you need.

I can not teach anyone anything - I can only make them think - Socrates
#2
Re:Monitoring traffic on EAP245?
2024-02-27 13:56:27 - last edited 2024-02-27 13:57:27

  @j4nd3r53n 


If the 'Omada Web App' means you have an Omada controller, there is a much easier way to do this. The controller tracks individual client (IP) stats both in near-realtime and also as historical aggregates. If the high traffic pattern is nightly, or almost every night, you can log in and see which clients are consuming what bitrate (you can sort by highest bitrate) and determine if it's primarily inbound or outbound traffic. If it only happens for a few hours in the middle of the night, then take a snapshot of the client aggregate data at 6pm and 6am, and see which clients jump up the most overnight. You may have to customize the columns in the Clients table to get the fields you need, and you can further narrow things down by noting which clients are attached to the AP reporting the high traffic volumes. All of the above should tell you if it's a compromised internal machine or an unauthorized device. Keep in mind that some devices, iPhones in particular I think, randomize their WiFi MAC addresses (so a different IP per) to prevent 'tracking', which in itself tells you quite a bit.

<< Paying it forward, one juicy problem at a time... >>
#3
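The snapshot-and-diff approach above is easy to script once the Clients table can be exported. The following is an added example, not code from the thread or from the Omada controller: it takes two exports (evening and morning), ranks clients by how many bytes they moved overnight, optionally restricts the view to one AP, and flags clients that are new or whose MAC has the locally administered bit set, which is how randomized WiFi MACs are formed. The CSV layout (`name,mac,ip,ap,rx_bytes,tx_bytes`) and the sample rows are constructed for illustration; the real export columns will differ and the field names must be adapted.

```python
"""Rank clients by overnight traffic growth from two Clients-table snapshots.

Added example, not from the thread. The CSV layout and the rows below are
constructed; map them onto whatever your controller export actually contains.
"""
import csv
import io

# Constructed 18:00 snapshot (bytes are cumulative counters per client).
EVENING = """name,mac,ip,ap,rx_bytes,tx_bytes
laptop-01,3C:22:FB:11:22:33,10.0.0.21,Office-AP1,1200000000,300000000
nas,00:11:32:AA:BB:CC,10.0.0.5,Office-AP1,50000000,20000000
iPhone,E6:40:12:9A:0B:7C,10.0.0.44,Office-AP2,80000000,10000000
"""

# Constructed 06:00 snapshot: one client that was not there the evening before
# has pushed 4.5 GB out through Office-AP1 overnight.
MORNING = """name,mac,ip,ap,rx_bytes,tx_bytes
laptop-01,3C:22:FB:11:22:33,10.0.0.21,Office-AP1,1210000000,310000000
nas,00:11:32:AA:BB:CC,10.0.0.5,Office-AP1,50000000,20000000
iPhone,E6:40:12:9A:0B:7C,10.0.0.44,Office-AP2,90000000,15000000
unknown,5A:7B:00:12:34:56,10.0.0.88,Office-AP1,0,4500000000
"""


def load_snapshot(text):
    """Parse one export into {MAC: row}; MAC is the join key between snapshots."""
    return {r["mac"].upper(): r for r in csv.DictReader(io.StringIO(text))}


def is_locally_administered(mac):
    """Randomized MACs set the locally administered bit (0x02) of the first
    octet, so its second hex digit is 2, 6, A or E. Vendor-assigned
    (universally administered) addresses have that bit clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def overnight_deltas(before, after, ap=None):
    """Per-client byte growth between snapshots, largest first.

    Clients absent from `before` count from zero and are flagged as new.
    Counters that went down (client re-associated and the controller reset
    its totals) are clamped to zero rather than reported as negative.
    `ap` restricts the result to clients attached to that AP.
    """
    result = []
    for mac, row in after.items():
        if ap and row["ap"] != ap:
            continue
        prev = before.get(mac, {"rx_bytes": "0", "tx_bytes": "0"})
        rx = max(0, int(row["rx_bytes"]) - int(prev["rx_bytes"]))
        tx = max(0, int(row["tx_bytes"]) - int(prev["tx_bytes"]))
        result.append({
            "name": row["name"], "mac": mac, "ip": row["ip"], "ap": row["ap"],
            "rx_delta": rx, "tx_delta": tx, "total": rx + tx,
            "new": mac not in before,
            "randomized_mac": is_locally_administered(mac),
        })
    result.sort(key=lambda d: d["total"], reverse=True)
    return result


if __name__ == "__main__":
    for d in overnight_deltas(load_snapshot(EVENING), load_snapshot(MORNING)):
        flags = ",".join(f for f in ("new", "randomized_mac") if d[f])
        print(f"{d['name']:<10} {d['mac']} {d['ap']:<11} "
              f"rx+{d['rx_delta']:>12} tx+{d['tx_delta']:>12} {flags}")
```

The "new" and "randomized_mac" flags are the two signals the post points at: a client that only appears at night, or one whose MAC changes between snapshots, stands out even before the byte counts are compared. Feeding the top entry of each morning's run into the monitoring system gives an alert with a name, MAC, IP and AP attached, which is what a follow-up capture needs anyway.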
Re:Monitoring traffic on EAP245?
2024-02-28 11:27:55 - last edited 2024-02-28 11:29:22

  @KimcheeGUN Two good suggestions - thanks!

#4
Re:Monitoring traffic on EAP245?
2024-02-28 11:32:54

  @d0ugmac1 @KimcheeGUN Thank you both for your suggestions! I will work on this now - I hope I can end up with something I can feed into our monitoring system.

#5