I have a PC which is being used by several people for Internet browsing. It also has its own pf running, but has
I recently used
Code:
pass out on re0
tcpdump -nettt -i re0 port 80 to get a list of traffic on the external-facing NIC. The results were a bit horrifying, even though the browser has the script/flash blocking addons.- When I had firefox open, I saw traffic to both akamaihd.net and facebook.com, even though I was not logged in to facebook. I saw a good number of other unauthorized packets as well, even though I ran tcpdump for just around 60 seconds. How can one get this problem under control? I don't see how privoxy for example could deal with this, as there does not seem to be a way to tell the difference between legitimate use and "data mining". Is cookie-bashing the solution?
- For other "strange traffic", what options other than IP blacklisting in pf.conf? privoxy could help and treat the blacklist like advertising sites (redirect to lo0), but that requires manual editing as well. Maybe a list of phishing, malware and other crap sites that is periodically refreshed to the DNS resolver (similar to http://pgl.yoyo.org/adservers/)?
- For the future, I'd like to place the results of tcpdump IP's in a list, then have the second column display the whois information for rapid analysis. I have looked at ntop and darkstat but I don't feel either is what I'm looking for (It's possible I don't fully understand them yet). How can I get a real-time or at least a delayed-refresh readout for traffic source/destination by domain name?