Sometimes you really need to know what computers on your network were doing yesterday at noon, because you get a nastygram from the MPAA about bittorrent demanding that you do something — but bittorrent is notoriously hard to block.
You can try installing BandwidthD on your Pfsense router, to see who’s using a bunch of bandwidth at that time, and you can look back through DHCP or WiFi logs to see who was connected at the time, but the complaint letter tells you the exact time and port number used. Wouldn’t it be cool if you could log that?
Here’s what I came up with. Download the Cron package for Pfsense, and add a new Cron job:
Command: pfctl -ss | egrep '(>.*>|<.*<)' | logger
The firewall states (who is connected to what) will now dump to your system log every hour — kinda noisy, but also kinda effective for tracking long downloads on random ports.