So here in pfSense 2.3.2-RELEASE-p1, which is up to date as of September 27th, 2016, is a feature that they finally added back and made really good again. So one of the problems you really run into when you're doing firewalls is digging into traffic problems and data problems and trying to figure out where all the data is going. So this is where we get into diagnosing with things like ntop. So let's go over here to the Package Manager. Installed packages, ntop: it's available, it installs fine. It has a few dependencies that it brings with it. Now this was a package that was there before, but it really needed a facelift and also needed some updates because these things were very broken inside of it. So to configure ntop, we go here to ntop Settings. After you go through the install, you just check a box to enable it. You have to set a password, hold the Control key to select all the interfaces. I do recommend selecting all of them. Hit Save. After that, hit Update GeoIP Data so it downloads a fresh GeoIP database; that way it can help do some lookups for you. After that, in that same Diagnostics menu is actually going to ntopng. The username is gonna be admin and whatever password you chose. So let's start with the dashboard. The dashboard actually starts out and gives these little flow talkers. Now a lot of this is all done in real time. All of this is kind of fancy. It's got real-time updates here at the bottom so you can kind of drill down and watch the data go back and forth. It is letting me know that there's a new version available. If you download it, you actually have to get in behind the scenes of pfSense to update it. They'll get around to updating the package, I'm sure, so I'm not gonna cover that for the point of this topic. Now this is a pfSense firewall inside of a pfSense, essentially my test lab. And the reason I'm doing that is because I didn't wanna expose all the details of my network and my public IP addresses and everything that we have on our servers.
So anytime you see a .3 network, we're gonna pretend that's public, and then everything else is local, which is on the .1 network. Now what's pretty cool about this is the way it breaks down all the different ports, the hosts, and gives you like really good drill-down and real-time updates. And I think it's kind of fancy with the way the graphs update. So if we wanna watch all the flows, and that is the flow between the inside and outside world, because this is operating on the firewall, it's able to see things as they go across it. So it sees the connections; my IP address is this .9. So let's drill in just to my IP address here, 192.168.1.9: the traffic that mine's producing right now in real time, the packets it's producing. And I'm actually going to run, and I got a bunch of things open in another window here just to keep some connections going, flipping through like YouTube stuff just to create traffic flows. So it's creating different traffic flows right now. I'm gonna bring this over and show you what I'm doing. We're gonna run a speed test again. Drag it back over to another window again. So while that's running, this is gonna start updating and you can see like right now it's pulling 51, 55 megs per second. It shows you the port numbers that that's being received on. It's also running this graph here and updating this, and we can have this set up to, I just started it on this server, but it's now giving me total traffic that this IP address has pulled, this particular host right here. The active flows, please note this is an active flow. So if you're looking for active data that's going back and forth, then we can do active throughput and the different protocols that are on there. Now this does offer, when you're looking at the flows of the overall, we're gonna go back to the overall, you can filter by application.
So we can specifically go, we just wanna see the YouTube, and because I'm the only one running YouTube right there, DNS, so it's got one UDP for YouTube and three different TCP connections, and it tells you how long the duration is, actual throughput back and forth that's coming on there. YouTube no-cookie, youtube-nocookie.com. It's kind of interesting to go through and say what are all these things that it's pulling and be able to really drill down. Now when you're looking up the host, it goes both ways. You can take an external host IP address and see everything that talks to it. So you can take these externals, click on it and then do the same search of what's connecting and what data is traversing, the type of data that's traversing from your network back to that destination. So it's just really cool the way you can go through, drill down, and you get a dashboard for each IP address, and you can also type in the IP address here. So if you know internally the IP addresses, oh, and it's got a nice little autocomplete, you can type in that IP address and now I'm back to this one. And if I wanna expand it out to this network, which is only the things that I'm on this network, you can click that and it'll narrow it down. So if you have this bridged across multiple networks, you can then do it that way. This is one of the reasons you wanna check the LAN and WAN on ours, because we have multiple interfaces on there. We select all the interfaces and then you can jump between networks. Now right now you tell it which interface to listen on; em1 is actually my external interface, which you can switch to internal, and you can then look at things a little bit differently from the inside out versus the outside in. So it gives you kind of an inverted way to look at it. Now, this is also kind of neat.
It groups together the ASNs, and if you're not familiar, the autonomous systems naming is part of the system by which they assign a number to Amazon's block of IP addresses, Twitter's block of IP addresses, MCI's. So then instead of just having one IP address, you can drill down by ASN, which is also really cool. So you wanna see all the pieces of Facebook or all the pieces of Google that are being connected to. So we can click on this and then we can see each block of IPs owned by Facebook where it's connecting, because you can see 157 is an ASN of Facebook and so are these ones here. So you're kind of seeing how it's dispersed. You also get the local flow matrix, and it creates a cross-hatch of the different places and the flows between all the IP addresses, which is really cool because then you can kind of start picturing in a grid format where all the data is going, from where and to where. Now it does do some operating system identification. It does recognize mine as Linux. I've actually found a couple of times where it wasn't as accurate. It was identifying Windows 8 machines even though they're Server 2012; I don't really know why it did that. So I thought that was kind of weird. I don't know how good the diagnostics are for operating system identification. I don't know how reliable that is. Kind of a neat thing, though, is you can not only click on the host, you can also click on the port. So when you're looking at the flows and you wanna know exactly what is attaching on that flow, we can actually say okay, we can click on HTTPS, we see layer four, port 443, and you can see active connections for that specifically, for that protocol. So here's all the, and I expanded it just to show more so it doesn't paginate, and these are all the connections. Of course I'm the only one here behind there, but these are all the HTTPS connections on that port and where they're all going.
So you can actually start with the protocol port and then filter for which devices are connecting. And then you can go through and do a flow info on specifically this one and drag into where it's going, so you can go, okay, what's the actual peak throughput? Client, server, client, server. What percentages are they? The protocol they're using; like I said, you can drill down each individual one. This has been really fascinating to me; it's just back to the filtering, so you can look at all the different protocols. This is such a Swiss army knife of tools when you're trying to figure out something about a network, you're trying to figure out how much data is being used. You also have, when you're running it on the host, not the flow, flows are active and then the hosts are the ones that show you. You can say, all right, I need breakdowns, I need cumulative traffic, and you can see which IP addresses are really pulling a lot of the traffic. So we can look at here, and back to my IP address, one of the other ones back here, but you can also see the traffic from the other side. And like I said, you can also then click on the ASN and say just show me all the connections that my network has to Google, and it breaks them all down right away for you. So this is a really great tool. Of course it's free with all the features, so you can use it inside of pfSense, you just load it on there. You can load this on a Linux box, but then you have to start passing traffic through it; because it is an open source project, you can download it direct from them. Great tool, though, amazing amount of insight you can get into your own network and do diagnostics. So I like the interface, the way it slides back and forth.
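The drill-downs described above (cumulative bytes per host, filtering flows by protocol and port, grouping remote addresses by ASN, the host-to-host flow matrix, and per-flow throughput) are all aggregations over the same flow records. The following is an added example, not code from the video or from the ntop project, that performs those aggregations in plain Python over a constructed set of flow records shaped like an ntopng Flows table. The `FLOWS` list, the `ASN_TABLE` prefixes and owner names, and the `LOCAL_NET` range are all invented for the example; ntopng gets the real equivalents from its own capture engine and the GeoIP/ASN database the video downloads.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real captures). One entry per
# bidirectional flow: client, server, L4 protocol, server port, application
# label, bytes client->server, bytes server->client, duration in seconds.
FLOWS = [
    ("192.168.1.9",  "203.0.113.20", "tcp", 443, "YouTube",  18_000,  52_400_000, 95),
    ("192.168.1.9",  "203.0.113.21", "tcp", 443, "YouTube",  9_500,   21_700_000, 60),
    ("192.168.1.9",  "203.0.113.22", "tcp", 443, "YouTube",  4_100,   9_300_000,  41),
    ("192.168.1.9",  "203.0.113.40", "udp", 443, "YouTube",  2_200,   6_800_000,  30),
    ("192.168.1.9",  "192.168.1.1",  "udp", 53,  "DNS",      1_400,   3_900,      12),
    ("192.168.1.15", "198.51.100.7", "tcp", 443, "Facebook", 3_300,   1_250_000,  22),
    ("192.168.1.15", "198.51.100.9", "tcp", 80,  "HTTP",     700,     410_000,    8),
    ("192.168.1.15", "192.168.1.9",  "tcp", 445, "SMB",      120_000, 80_000,     15),
]

# Constructed ASN table: prefix -> (ASN, owner). Hypothetical values only.
ASN_TABLE = {
    "203.0.113.0/24":  (64501, "VideoProvider-Example"),
    "198.51.100.0/24": (64502, "SocialNet-Example"),
}
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def lookup_asn(ip):
    """Longest-prefix match of an address against the ASN table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, info in ASN_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, info)
    return best[1] if best else None


def top_talkers(flows):
    """Cumulative bytes per local host in both directions, largest first (Hosts view)."""
    totals = defaultdict(int)
    for client, server, _, _, _, c2s, s2c, _ in flows:
        for host in (client, server):
            if is_local(host):
                totals[host] += c2s + s2c
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def flows_on_port(flows, proto, port):
    """Start from a protocol/port (e.g. tcp/443) and list who is talking to whom."""
    return [(c, s, app) for c, s, p, dport, app, *_ in flows
            if p == proto and dport == port]


def traffic_by_asn(flows):
    """Group bytes exchanged with remote hosts by the ASN owning the remote address."""
    totals = defaultdict(lambda: [0, set()])
    for client, server, _, _, _, c2s, s2c, _ in flows:
        for host in (client, server):
            if is_local(host):
                continue
            key = lookup_asn(host) or (None, "unknown")
            totals[key][0] += c2s + s2c
            totals[key][1].add(host)
    return {k: (v[0], sorted(v[1])) for k, v in totals.items()}


def local_flow_matrix(flows):
    """Directed bytes between every pair of hosts: the grid behind the flow matrix."""
    matrix = defaultdict(int)
    for client, server, _, _, _, c2s, s2c, _ in flows:
        matrix[(client, server)] += c2s
        matrix[(server, client)] += s2c
    return dict(matrix)


def throughput_bps(flow):
    """Average bits per second over the flow's lifetime (peak needs per-interval counters)."""
    *_, c2s, s2c, duration = flow
    return (c2s + s2c) * 8 / duration if duration else 0.0


if __name__ == "__main__":
    for host, total in top_talkers(FLOWS):
        print(f"{host:<14} {total:>12} bytes")
    for asn, (total, hosts) in traffic_by_asn(FLOWS).items():
        print(f"AS{asn[0]} {asn[1]}: {total} bytes across {len(hosts)} hosts")
    print(flows_on_port(FLOWS, "tcp", 443))
```

The averages this computes are lifetime averages; the "peak throughput" figure in the ntopng flow detail comes from sampling counters at short intervals, which flat flow records like these cannot reproduce. Everything else (hosts, ports, ASNs, matrix) is exactly this kind of grouping, which is why a single set of records can be sliced in so many directions.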
I've only loaded it because this is a new server I built just for this demonstration, a virtual server, but it'll cumulatively gather all that data and give you information historically, so you can leave it running for diagnostics at a client's office and then you can log in remotely and go, all right, around two o'clock we had a problem, so you'll be able to scroll back and forth to two o'clock and say all right, show me what was going on then, and you can look historically back at all the data it was collecting once you turn this on. As long as you have a fast enough server, not super fast, but it does have to have some horsepower and some storage, and an SSD is fine. You can get a 256; SSDs are so inexpensive now, and put one of those in there and you can just grab some of this data. That way you can say okay, here's this, how much data was being sent at what time, and you can go back in time, you can time-slice it, you can look at it from here, whether I want TCP or UDP data only. Like I said, it gives you an amazing amount of drill-down for any of these, which is just, it makes it really cool to be able to go through here and go, I just want to dig in deep on each one, and we've used this to analyze traffic for clients when we're trying to sort things out, trying to figure out why they have a problem with something. This is one of the Swiss Army Knife tools that we get in here and go okay, we need to know this, we need to understand what's going on with your network, and this just gives you all that information in there. So hopefully that was a video that gets you started with this; it's fun to play with. If you're just running pfSense at home and you just want to start digging into things, definitely a neat way to do that. I like the way it also makes all the websites clickable so you can jump around and get, because I do have Google Plus open. It also does, when it's looking at some of the HTTP stuff, the GET and POST queries and breaks those down.
So that is ntop and NetFlow working on top of pfSense. Hopefully you enjoyed the video, and don't forget to like and subscribe. Thank you very much. Oh, reach out to me if you have any questions. I like helping people out with this stuff, and I get excited when other people get excited about using pfSense. Thanks.