I would consider this a learning opportunity to install/learn packetbeat, Elasticsearch, and kibana, rather than using tcpdump or wireshark… Probably set up logging from the network devices to go there too. Might be able to correlate behaviors that would be harder with the disparate tools.

> On Feb 10, 2020, at 11:48, Jeff Chapin <chapinjeff at gmail.com> wrote:
>
>> There is enough granularity in the graph so that it is possible to determine times and to get an idea as to the volume of packets (that part isn't as precise).
>
> That's what I am asking about -- if you are talking 1 packet, it would be nearly impossible to detect if it was masked by legitimate usage, unless the legitimate usage is '0' packets. If it was 1TB/night, that would be easily seen.
>
> On Mon, Feb 10, 2020 at 11:45 AM o1bigtenor <o1bigtenor at gmail.com> wrote:
> On Mon, Feb 10, 2020 at 11:34 AM Jeff Chapin <chapinjeff at gmail.com> wrote:
> >
> > How big was the 'spike' overnight? Is it small enough that it's just masked by normal usage?
> >
> Operator of said device(s) is not on the network during the daytime.
>
> There is enough granularity in the graph so that it is possible to determine times and to get an idea as to the volume of packets (that part isn't as precise).
>
> The spikes on the 'wired' services are about 3 per every 2 hours and that's around the clock.
> If it's ms google (or for that matter any other of the nutty 5) being a 'x'itch well - - - - she can just ride her broom on out of here (LOL).
>
> Thanks for the assistance!!!
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
> --
> Jeff Chapin
> President, CedarLug, retired
> President, UNIPC, "I'll get around to it"
> President, UNI Scuba Club
> Senator, NISG, retired