Tom here from Lawrence Systems, and we're going to dive into ntopng with pfSense. ntopng is a tool that allows you to dive deeper into the packets and the flow rate of data going across your pfSense. It's a great tool. It offers layer 7 visibility, but please note this exception: it is not doing full SSL inspection. Therefore some of the deep visibility you may get from this will not necessarily be 100% accurate, or will just be labeled as unknown traffic. So take that with a grain of salt, but it will at least allow you to see where the data is flowing from and to, between different internal and external IP addresses. It also creates time series slices, so you understand data over time. This does not keep all the historical connections. This is not a way to trace backwards through old connections; something like that should be done by taking all the syslog data and piping it over to a tool such as Graylog, which I'll leave a link to a video on down below, if you're looking for something to give you more historical data and not just packet flow data and charts, which this does do. But before we dive into this video, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project such as network consulting, there's a hire us button right at the top. If you want to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel. Now the first step is to always make sure you're on the latest version of pfSense. If you are on an older version and you try to load newer packages, you will very likely run into some type of conflict between the packages and the older version of pfSense.
So whether you're using Community Edition or pfSense Plus, which comes with the Netgate hardware, make sure you're on the latest version. Go to System, go to Package Manager; it shows under Installed Packages that I already have it installed here. If it's not installed, easy enough: go and install it under Available Packages, under ntopng. Then head right over here to Diagnostics, and we want to go to the ntopng settings. Now, a couple of boxes to make sure are checked here. Check this to enable ntopng, kind of obvious, but Keep Settings is an important box: if you do this configuration and you would like all those settings saved and exported into the backup XML, that's what that box means. Then we're going to set an admin password, confirm the admin password, and then select all the interfaces you want it to monitor. Also of note, it is bound to port 3000, so make sure you don't have the pfSense web admin interface bound to port 3000. And if you have additional networks that are also connected to this system, you want to make sure you put a block rule in so those networks don't access this interface unless you want them to. For example, for me, on something like LAN2, I wouldn't want devices to access any of the pfSense interfaces, and I'd probably put an additional block in so it also can't access this interface on port 3000. Just a couple of little housekeeping notes there. Scrolling down to the mode: generally it's fine to consider all RFC 1918 networks local, but you can customize that if you have some special use case for it. I do not. GeoLite2 DB license key: this is the GeoIP information database. You don't have to fill this in; if you would like to, you have to register for a free MaxMind account. But of note, that's only if you care about any of the GeoIP data and you want to do the cool overlay mapping. I recommend doing it.
It's free, because it looks cool, but it's ultimately up to you. Delete Data down here: if you would like to purge, or you have goofed up the settings beyond what you can remember how to undo, Delete Data will purge and reset this, and you can then start over and do this process again. Once you have all this, you click Save down here at the bottom, and then you can access ntopng. When you first access the interface, the username is admin and the password is whatever you came up with to put in there. And the first thing that's going to bug you is right here in the corner: contribute to the project by sending encrypted anonymous telemetry data. I will do that. Dismiss. I'm going to contribute; I do not need them to contact me, and I'll hit Save. Now once that's done, the next thing I'm really going to recommend, and we'll dismiss some of these other things that come up, is toggling dark theme. I wish it defaulted to dark theme. It does not, but nonetheless, that's how you change it over to dark theme. We're going to change this to expert view and just run through the settings real quick. Here are all the different settings; for example, if you have any specific interfaces you want it to ignore, or a specific destination. If you have a couple of more customized use cases, you can go through these. I do not, but I do want to change the time series data down here: host time series. Enable full host time series creation: full, limit to bytes, score, light, or turn it off. We're going to go ahead and go full right here, and we're going to go ahead and leave this one as is. Then there's toggle creation of layer 7 application time series per application, which requires more disk and I/O. It's generally not needed, but if you want to keep adding, as long as your system is fast enough to do so, you can actually turn a few more of these things on to get a little bit deeper into the traffic.
I'm going to leave that one at none, but we will turn on VLANs, because I have some, and I want to make sure I separate out some of the data it may have related to those. Autonomous systems: toggle the creation of time series for the ASN system. We can go ahead and do that. Countries: I'm not bothered about any of the internals, and we're going to hit Save. Alerts: I don't use the alert system in here. Maybe you'll find it more useful. I don't care as much about the alert data, because I'm not monitoring this actively for alerts. But if you want to get more advanced, which is out of scope of this video, there are even ways to have the alerts it does find, if it finds what it thinks is an anomaly through the series of tools it has built in here, sent externally so you can be alerted of some of that data. Way out of scope of this video, and it's not even something I really use, so I'm not likely to do a video on it, but you can go to their site for more documentation on it. Now the next setting we can change, if we want, is active discovery of the network. You can actually kick this off manually, or you can tell it right here to run an active network discovery every 15 minutes; up to you if you want this running on your network. It will automatically find things as they flow, but it's not actively looking for things that just happen to exist on the network. So if they have traffic going through pfSense, it discovers them and finds them. This is a way to find everything right now and start looking at your local network, or on the interval that you set here. That's really the last setting. I'll go ahead and turn it on to show you that you can, but honestly, doing it right here is easier. Like right now: I'm going to dismiss this right here. We're going to switch to LAN. Make sure we're on the right interface.
We'll go to Dashboard, and then you just go to Network Discovery and hit refresh, and it will actually go ahead and start discovering the local devices on this network, of which there are only a couple. So it found the Win10 lab and the Debian lab. There's not going to be a lot of data, because we just turned this on. So it sees the different connections that this computer is making, things it may have going on, and even on an idle Windows computer a certain amount of Microsoft connections are kind of to be expected, like Windows Update and things like that. What I want to do now is pivot to showing you where I have a little bit more data, by logging into the one at my home, which I've been running for longer. So it's had time to collect more, and there are things like Netflix and other fun stuff being used at my house, so we have more data to actually see. All right, so we're logged into my house so I can take a look at the different traffic flows and what's going on there; we have some data to play with here. This page isn't that great; this is just your standard traffic dashboard page. The Applications page is a little bit more interesting, but as I mentioned earlier, so many things are encrypted now that a lot of it just falls under unknown traffic, because this is not doing full SSL inspection. It's not unwrapping the traffic to be able to give the details. So some of it just shows up as unknown, but unknown is just a classification that it's missing. It doesn't mean we don't know where it's going, which can offer us other insight. That's where you go down here to the flows. So if we click on Flows, this will give us a little bit more insight into where the data is going. And you can see there are several pages here. So I can dive into any one of these devices and say, where is that traffic going? Go to page three, page four, page five; it's going to go on and on.
If I actually connected here to the office, I think it's like nine or ten pages long, because there are just more connections and more things happening there. Now for any one of these, and I'll use this one as an example because this is Google's DNS, we can click on this and it brings us to a page for this particular IP address and any data we have on this external IP address. We know it belongs to Google. It's remote. It's a DNS server. We can click on VirusTotal; it'll open up a new window and let us know if this IP was ever flagged as malicious. So we have quite a bit of data that we can gather on this. Now please note, these are ephemeral and disappear. So the flows that are going to it now are shown because they're active, but after a set period of time, which you can customize a bit, those flows will expire and this IP address will fall off of this. It only keeps longer-term data for internal IPs, unless you modify it not to do that, in which case, generally speaking, you'll run out of space if you try to track every IP that every computer ever connected to; that's not really the purpose of the way the ntopng program works here. But at least we can look through and see the different traffic, TCP, UDP, how much, what peers it's attaching to: Chromecast Ultra, Google Nest Mini, a couple of devices on my network that are talking directly to it. We can look at the flows themselves. And this is nice, because now you're starting from an external IP and looking at what internal things are talking to it. So we have one, two devices talking to it. Now let's go over to the hosts themselves. So if we look at the hosts, and let's pivot a little bit differently, let's take a look and find something in my host list here that is pulling a lot of data, and you can pivot that way. Now, we'll just take .90 right here; I can look at this one and say, all right, here's the traffic. Here are all the flows connecting.
This one, you'll notice, looks a little bit different, because we have this right here, where we have a home icon, and because this is a local IP, it's going to retain the data, including all the way over here, where we can see a time slice of when this was using data. I'll actually set it to one week. I've only had this firewall a couple of days at my house, and I don't know how long this particular device has been on, so we have a couple of days of data. So on different dates you can see that you have the different traffic. Let's pivot again to one that I know has a lot of traffic. This particular address is the Chromecast in my living room, where there's a lot of TV being watched, probably a few movies. So if we look at this one, we'll see there's 17 gigs of data since we started tracking this. So like I said, it's probably only been on for roughly, maybe less than a week that I've had this turned on. If we look at the flows, we can see what it's doing right now. So probably not much; no one's really watching TV, so we only see a little bit. There was more on here, obviously, when something was being watched on Amazon, on Hulu, or whatever this Chromecast is connected to; you'll be able to see that data flow. If we look at this, this is where you can really dive in and see when we may have watched some movies. So bytes sent on each day, each one of these time slices as you go through, min, max. So yeah, 12/28 when we started, and the last is 1/4, that's actually today. And the total traffic is 17-something, and you can dive in going, all right, this is when we were clearly watching maybe a movie here, or maybe some streaming going on here, and maybe another one here. And you kind of get the idea of where you're getting some of the data on here. Let's look at it from an application standpoint. It's easier to understand DPI data for things that are application-based when it comes to, like, watching Amazon or YouTube. So you can see that Amazon Video was 70%, Hulu was 7.9.
And then YouTube right here at 17.9. It's actually not as much on Netflix as I thought; Netflix is only kilobits, probably just browsing through a few things. But Hulu is definitely where we watched quite a bit more. And then Amazon Video, three gigs right here. Then you can click on Amazon Video, and now you're looking at what Amazon Video did in the last week. So we filtered it a little bit more, and that narrows it down to just Amazon Video. This is what's kind of cool: you can get these pivot points back and forth to kind of understand some of the data flow. A few other things you can get in here: a list of MAC addresses, host pools, networks, looking at the different slices of networks that are on here. You can get the top hosts. This is kind of a neat, if slow, graph, but it will show you where the traffic's going and who's pulling what traffic as it goes through here. Then you can also go to the more fun part, as long as you've updated that GeoIP database: what IP addresses are these going to, based on the GeoIP database. Which is funny, because it's not recognizing a couple of them that it should; they should be right here in the Detroit area where I'm located. So occasionally, as I said, the GeoIP database can be a little bit inaccurate, so it doesn't even seem to see that. But for some reason I'm certainly connecting to a few of them over here. Interesting. And what are we doing overseas here? Scroll out and, oh boy, we have a few different IPs, and you can click these IPs again and they're going to bring you to pivot there. That particular one has been purged and timed out. You'll see that from time to time, because if they were only temporary connections where a ping or something was sent, you're going to get a timeout on it.
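An added example, not from the video and not ntopng's own code: a small Python model of the behaviours described above, namely the "local networks" classification (RFC 1918 by default, customisable), idle flows expiring and taking remote-only hosts with them while local hosts keep their history, the per-host application breakdown with encrypted traffic landing in "Unknown", and the pivot from an external IP to the internal peers talking to it. The flow records, the 203.0.113.x / 198.51.100.x addresses and the 60-second idle timeout are constructed; ntopng's real timers and storage differ.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default "local networks" in the ntopng settings page: all RFC 1918 space.
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

@dataclass
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "TCP" or "UDP"
    app: str        # layer-7 label; "Unknown" when DPI cannot classify (e.g. encrypted)
    nbytes: int     # bytes seen on the flow
    last_seen: int  # seconds since epoch of the last packet (constructed values below)

def is_local(ip, local_nets=LOCAL_NETS):
    """A host is 'local' when it sits inside one of the configured local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in local_nets)

def active_flows(flows, now, idle_timeout=60):
    """Flows idle longer than idle_timeout drop off the active view, and a remote-only
    host disappears with its last flow; local hosts keep their time series regardless."""
    return [f for f in flows if now - f.last_seen <= idle_timeout]

def app_breakdown(flows, host):
    """Percent of bytes per application for one host, like the host's Applications chart."""
    totals = defaultdict(int)
    for f in flows:
        if host in (f.src, f.dst):
            totals[f.app] += f.nbytes
    grand = sum(totals.values()) or 1
    return {app: round(100 * b / grand, 1)
            for app, b in sorted(totals.items(), key=lambda kv: -kv[1])}

def local_peers(flows, remote_ip, local_nets=LOCAL_NETS):
    """Pivot from an external IP to the internal hosts talking to it."""
    peers = set()
    for f in flows:
        if remote_ip in (f.src, f.dst):
            other = f.dst if f.src == remote_ip else f.src
            if is_local(other, local_nets):
                peers.add(other)
    return sorted(peers)

# Constructed sample flows; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE = [
    Flow("192.168.1.90", "8.8.8.8", "UDP", "DNS", 1200, 100),
    Flow("192.168.1.50", "8.8.8.8", "UDP", "DNS", 800, 20),
    Flow("192.168.1.50", "203.0.113.10", "TCP", "AmazonVideo", 3000, 90),
    Flow("192.168.1.50", "198.51.100.7", "TCP", "Unknown", 1000, 95),
]
```

Calling `active_flows(SAMPLE, now=100)` drops the .50 DNS flow, so `local_peers` over the active set shows only .90 talking to 8.8.8.8, while `app_breakdown(SAMPLE, "192.168.1.50")` still reports the full AmazonVideo / Unknown / DNS split for the local host.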
Now, of note for those of you wondering, and this is one of the reasons you may do this: if you were doing some type of torrenting traffic, especially when you need to seed all of those different ISOs for different Linux distributions, I do recommend putting that over a VPN, and I've got a video on that topic. This will allow you to do a traffic dashboard on your OpenVPN connections as well. It will then show all the hosts that you're connecting to through there, and you'll be able to dive into the traffic. Matter of fact, if we look back at the traffic dashboard here and look at it from an application standpoint, much of it's unknown, but then 9% of it is BitTorrent. Also, if we went through GeoIP on this specific one right here, we see that the majority of them appear to be over here in Europe, which is because, as I just demoed in my video, PIA Swiss, that is Private Internet Access tied to a Swiss connection, so you're going to get some more European connections out of there. And apparently a few from Australia and places like that. So if you're interested in ntopng, it's great to install on pfSense. It certainly gives you a lot more insight into where your data is coming from, where your data is going, and can give you just a lot of fun, or maybe a rabbit hole of "oh my gosh, I can't believe I pinged something in Russia" type of information. Now, as I said, depending on how you've configured things, you can at least start understanding what on your network is going where. And those little links to VirusTotal are actually very helpful, so you can look up some IP reputations. But of course, don't just stop there: go over to greynoise.io and start looking it up there, and look it up on Shodan. And I hope this whole thing sends you on a rabbit hole of fun, of learning networking and where everything's connecting to, and gives you some insight into the traffic when it crosses your pfSense.
Links to the other videos I mentioned are down below, and thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the hire us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.