Network Activity Monitoring
Monitor network traffic and activity on your Pimeleon router
Monitor and analyze network traffic, bandwidth usage, and connected devices on your Pimeleon router. This guide covers tools and techniques for understanding your network activity.
Quick Start
Check current network activity in real-time:
# View active connections
ssh pi@your-router-ip "ss -tuanp"
# Monitor bandwidth by interface
ssh pi@your-router-ip "iftop -i eth1"
Overview
The Pimeleon router provides multiple methods to monitor network activity:
- Real-time Traffic Monitoring - Live bandwidth and connection tracking
- Connection Tracking - Active connections and sessions
- Bandwidth Analysis - Usage patterns and statistics
- Device Tracking - Connected clients and their activity
- DNS Query Logs - Domain resolution patterns
Real-Time Traffic Monitoring
Monitor Interface Traffic
View live traffic on specific interfaces:
# Monitor LAN interface (eth1)
iftop -i eth1
# Monitor WiFi interface (wlan0)
iftop -i wlan0
# Monitor WAN interface (eth0)
iftop -i eth0
Key Controls in iftop:
- t - Toggle display mode (two-line, one-line, one-line with bars)
- n - Toggle name resolution
- p - Show ports
- q - Quit
Bandwidth by Process
Identify which processes are using bandwidth:
# Show bandwidth usage by process
nethogs eth1
# Monitor all interfaces
nethogs
Network Load Overview
Display overall network statistics:
# Interactive network monitor
nload
# Show traffic on specific interface
nload eth1
# Monitor multiple interfaces
nload eth1 wlan0
Connection Tracking
Active Connections
View all active network connections:
# Show all TCP and UDP connections
ss -tuanp
# Show only established TCP connections
ss -t state established
# Show listening ports and services
ss -tlnp
Understanding ss output:
- State - Connection state (ESTAB, LISTEN, etc.)
- Recv-Q - Data waiting to be read
- Send-Q - Data waiting to be sent
- Local Address:Port - Your router's address
- Peer Address:Port - Remote connection
- Process - Program using the connection
Connection Statistics
# Connection summary by state
ss -s
# Count connections by peer IP (IPv4 peers; -H omits the header row)
ss -Htan | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
# List all tracked connections (conntrack table)
conntrack -L
Bandwidth Analysis
Traffic Statistics
View cumulative traffic statistics:
# Interface statistics
ip -s link show
# Detailed interface stats
ifconfig eth1
Key metrics:
- RX bytes - Received data
- TX bytes - Transmitted data
- RX packets - Received packets
- TX packets - Transmitted packets
- errors - Transmission errors
- dropped - Dropped packets
Historical Traffic Data
Track bandwidth usage over time:
# Install vnstat if not present
sudo apt-get install vnstat
# View daily statistics
vnstat -d
# View monthly statistics
vnstat -m
# View live traffic
vnstat -l
Device Tracking
Connected Devices
List all devices connected to your network:
# Show DHCP leases (devices with assigned IPs)
cat /var/lib/dhcp/dhcpd.leases
# Active ARP entries (recently seen devices)
arp -n
# Scan LAN subnet
nmap -sn 192.168.76.0/24
# Scan WiFi subnet
nmap -sn 192.168.77.0/24
Device Activity
Monitor specific device activity:
# Capture traffic to/from a specific IP
tcpdump -i eth1 host 192.168.76.100
# Monitor traffic to/from device on the LAN interface
iftop -i eth1 -f "host 192.168.76.100"
# Show connections for specific device
conntrack -L | grep 192.168.76.100
DNS Query Monitoring
DNS Filter Query Logs
View DNS queries if the DNS filter is installed:
# Real-time query log
tail -f /var/log/pihole.log
# Live view of the query log
pihole -t
# Query statistics
pihole -c
DNS Query Analysis
Analyze DNS query patterns:
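# Top queried domains (query lines only; field 6 is the domain)
awk '$5 ~ /^query\[/ {print $6}' /var/log/pihole.log | sort | uniq -c | sort -nr | head -20
# Queries by client IP (field 8 on query lines, after "from")
awk '$5 ~ /^query\[/ {print $8}' /var/log/pihole.log | sort | uniq -c | sort -nr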
# Blocked queries
grep "blocked" /var/log/pihole.log | tail -20
Packet Capture
Basic Packet Capture
Capture packets for detailed analysis:
# Capture 100 packets on LAN interface
tcpdump -i eth1 -c 100
# Capture with full timestamps and numeric addresses/ports (no name resolution)
tcpdump -i eth1 -tttt -nn
# Save capture to file
tcpdump -i eth1 -w /tmp/capture.pcap
# Read capture file
tcpdump -r /tmp/capture.pcap
Filtered Captures
Capture specific traffic:
# Capture HTTP traffic only
tcpdump -i eth1 port 80
# Capture DNS queries
tcpdump -i eth1 port 53
# Capture traffic to/from specific host
tcpdump -i eth1 host 192.168.76.100
# Capture by protocol
tcpdump -i eth1 tcp
tcpdump -i eth1 udp
Network Performance Metrics
Latency Testing
Test network latency:
# Test latency to gateway
ping -c 10 192.168.76.1
# Test latency to internet
ping -c 10 8.8.8.8
# Detailed route testing
mtr --report 8.8.8.8
Throughput Testing
Test network throughput:
# Install iperf3
sudo apt-get install iperf3
# Run server mode on router
iperf3 -s
# From another device, run client mode
iperf3 -c router-ip
Monitoring Best Practices
Regular Checks
- Daily Monitoring
- Check active connections for unusual activity
- Review bandwidth usage patterns
- Monitor connected device count
- Weekly Analysis
- Review top bandwidth consumers
- Analyze DNS query patterns
- Check for connection anomalies
- Monthly Review
- Compare bandwidth trends
- Identify usage patterns
- Plan capacity adjustments
Setting Baselines
Establish normal activity baselines:
# Capture typical traffic patterns
ss -s > /tmp/baseline-connections.txt
vnstat -d > /tmp/baseline-bandwidth.txt
arp -n > /tmp/baseline-devices.txt
Compare current activity against baselines to identify anomalies.
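One way to do the device comparison, as an added example that is not part of the Pimeleon documentation: it diffs two `arp -n` snapshots such as `/tmp/baseline-devices.txt` and a fresh capture. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the Pimeleon docs): diff two `arp -n` snapshots.

# Print "MAC IP" for entries in the current snapshot ($2) whose MAC is
# absent from the baseline ($1). The header and "(incomplete)" rows are
# skipped because their second column is not "ether".
new_devices() {
    awk '$2 == "ether" {
        mac = tolower($3)
        if (FILENAME == ARGV[1]) known[mac] = 1   # baseline pass
        else if (!(mac in known)) print mac, $1   # current pass
    }' "$1" "$2" | sort -u
}

# Print "IP old-MAC new-MAC" where an IP kept its address but the MAC
# behind it changed (replaced hardware, or possible ARP spoofing).
changed_macs() {
    awk '$2 == "ether" {
        mac = tolower($3)
        if (FILENAME == ARGV[1]) base[$1] = mac
        else if (($1 in base) && base[$1] != mac) print $1, base[$1], mac
    }' "$1" "$2" | sort -u
}

# Constructed sample snapshots (not real devices).
demo_dir=$(mktemp -d)
cat > "$demo_dir/baseline.txt" <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.76.10            ether   02:00:00:aa:00:01   C                     eth1
192.168.76.11            ether   02:00:00:aa:00:02   C                     eth1
EOF
cat > "$demo_dir/current.txt" <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.76.10            ether   02:00:00:aa:00:01   C                     eth1
192.168.76.11            ether   02:00:00:BB:00:09   C                     eth1
192.168.76.23            ether   02:00:00:cc:00:03   C                     eth1
192.168.76.50                    (incomplete)                              eth1
EOF

echo "New devices:";  new_devices  "$demo_dir/baseline.txt" "$demo_dir/current.txt"
echo "Changed MACs:"; changed_macs "$demo_dir/baseline.txt" "$demo_dir/current.txt"
```

On the router, save a fresh `arp -n` to a file and pass it as the second argument with the baseline file as the first.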
Troubleshooting
High Bandwidth Usage
If experiencing unexpectedly high bandwidth usage:
- Identify top consumers:
nethogs eth1
iftop -i eth1
- Check for unauthorized devices:
arp -n
nmap -sn 192.168.76.0/24
- Review active connections:
ss -tuanp | grep ESTAB
Connection Issues
If devices have connection problems:
- Check interface statistics for errors:
ip -s link show eth1
- Look for dropped packets:
netstat -i
- Verify DHCP is working:
systemctl status isc-dhcp-server
cat /var/lib/dhcp/dhcpd.leases
Slow Network Performance
To diagnose slow performance:
- Test latency:
ping -c 100 192.168.76.1
- Check for bandwidth saturation:
iftop -i eth1
nload eth1
- Analyze connection states:
ss -s
conntrack -C # Show connection count
Security Monitoring
Detect Suspicious Activity
Monitor for potential security issues:
# Unusual number of connections
ss -tan | wc -l
# Check for port scanning (dropped packets logged by the firewall)
dmesg | grep DROP
# Monitor authentication attempts
grep "Failed password" /var/log/auth.log
# Check firewall rules and statistics
nft list ruleset -a
Connection Rate Limiting
Monitor connection rates to detect attacks:
# Connections per peer IP address (IPv4 peers; -H omits the header row)
ss -Htan | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
# Total TCP socket count, refreshed every 60 seconds
watch -n 60 'ss -Htan | wc -l'
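The per-IP count above, as an added example that is not part of the Pimeleon documentation: it also handles IPv6 peers (which `cut -d: -f1` truncates), skips listening sockets, and reports only peers above a threshold. The function name, the threshold value and the sample rows are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the Pimeleon docs): per-peer socket counts from
# `ss -tan` output, with IPv6 peers handled and a report threshold.

# $1 = file holding `ss -tan` output ("-" reads stdin), $2 = threshold.
# Prints "COUNT PEER" for every peer with more than $2 sockets.
peers_over_limit() {
    awk -v limit="$2" '
        NF < 5 || $1 == "State" || $1 == "LISTEN" { next }  # header, listeners
        {
            peer = $5
            sub(/:[^:]*$/, "", peer)   # drop the trailing :port only
            gsub(/\[/, "", peer)       # strip IPv6 brackets
            gsub(/\]/, "", peer)
            count[peer]++
        }
        END { for (p in count) if (count[p] > limit) print count[p], p }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample output (documentation address ranges, not real hosts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
State    Recv-Q Send-Q   Local Address:Port      Peer Address:Port
LISTEN   0      128            0.0.0.0:22             0.0.0.0:*
ESTAB    0      0         192.168.76.1:22      192.168.76.100:51234
ESTAB    0      0         192.168.76.1:22      192.168.76.100:51240
SYN-RECV 0      0         192.168.76.1:80         203.0.113.7:40001
SYN-RECV 0      0         192.168.76.1:80         203.0.113.7:40002
SYN-RECV 0      0         192.168.76.1:80         203.0.113.7:40003
ESTAB    0      0        [2001:db8::1]:443   [2001:db8::beef]:40000
ESTAB    0      0        [2001:db8::1]:443   [2001:db8::beef]:40001
EOF

# The threshold of 2 is arbitrary for this demo; derive yours from a baseline.
peers_over_limit "$sample" 2
```

On the router, feed live data with `ss -tan | peers_over_limit - 50`, replacing 50 with a limit that fits your normal traffic.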
Web-Based Monitoring
DNS Filter Dashboard
If the DNS filter is installed, access the web dashboard:
http://your-router-ip/admin
Dashboard Features:
- Total DNS queries
- Queries blocked
- Percentage blocked
- Top permitted/blocked domains
- Client activity
- Query types
Automated Monitoring
Create Monitoring Scripts
Example daily traffic report:
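#!/bin/bash
# /opt/pirouter/bin/daily-traffic-report.sh
echo "=== Daily Network Traffic Report ==="
echo "Date: $(date)"
echo ""
echo "=== Interface Statistics ==="
# -A5 keeps the RX and TX counter rows that follow each interface line
ip -s link show | grep -A5 "eth0\|eth1\|wlan0"
echo ""
echo "=== Active Connections ==="
ss -s
echo ""
echo "=== Top Connection Sources ==="
# Count tracked connections by original source address (first src= field)
conntrack -L 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^src=/) {print substr($i, 5); break}}' | sort | uniq -c | sort -nr | head -10
echo ""
echo "=== Connected Devices ==="
# Skip the header row and incomplete entries
echo "$(arp -n | tail -n +2 | grep -vc incomplete) devices currently connected"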
Make executable and schedule:
chmod +x /opt/pirouter/bin/daily-traffic-report.sh
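# Append to the existing crontab for daily 6 AM execution
# (piping a single line to "crontab -" would replace all existing entries)
(crontab -l 2>/dev/null; echo "0 6 * * * /opt/pirouter/bin/daily-traffic-report.sh > /var/log/daily-traffic.log") | crontab -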
Related Documentation
- Firewall Architecture - Firewall design and traffic filtering
- Network Troubleshooting - Resolve network issues
Support
For questions or issues:
- Documentation: docs.pimeleon.com
- Community Forum: community.pimeleon.com
- Discord: Join our support channel