Where is incoming traffic coming from?

Florian Diesch diesch at spamfence.net
Sat Aug 1 17:29:26 UTC 2009


"Amedee @ Ubuntu" <amedee-ubuntu at amedee.be> writes:

> On Sat, August 1, 2009 00:13, Florian Diesch wrote:
>> "Amedee @ Ubuntu" <amedee-ubuntu at amedee.be> writes:
>>
>>> On Fri, July 31, 2009 01:00, a_puzzeled_newbie(^_^); wrote:
>>>> There are log evaluators you can get online to sort through logs... As
>>>> far as I know you would have to go through your traffic logs to see
>>>> where a majority of this is coming from and send it through an analyzer
>>>> of some sort. Sorry I can't help out more than that. I myself have run
>>>> a few Ubuntu servers but have never run into something like this unless
>>>> your Shorewall is having constant communication between it and the
>>>> server you have running.
>>>> Other than that I don't think I can help much.
>>>
>>> Sorry, perhaps I didn't explain well.
>>> Shorewall is running on the same server.
>>> I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
>>> shorewall accounting for all those services, and for the total.
>>> The sum of allowed traffic just doesn't add up to the total amount of
>>> traffic.
>>
>> The incoming traffic is still there, even if you drop the packages.
>
> I know.
> Does ntop see the traffic before or after it is dropped?

Applications only see the filtered traffic. I'd temporarily add a logging
rule to the tables that drop the packages to see what gets dropped.



   Florian
-- 
<http://www.florian-diesch.de/>
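
Added example, not part of the original post: once a temporary logging rule is in place, a script along these lines can total the dropped traffic per source to show where it comes from. It assumes the kernel netfilter LOG line format with a Shorewall-style prefix; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation-range addresses). The
# "Shorewall:net2fw:DROP:" prefix is an assumed log prefix for the rule.
SAMPLE_LOG = """\
Aug  1 17:20:01 srv kernel: [1001.10] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 17:20:02 srv kernel: [1002.20] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 17:20:03 srv sshd[2211]: Accepted publickey for admin from 192.0.2.9 port 40022 ssh2
Aug  1 17:20:04 srv kernel: [1004.40] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=3001 PROTO=UDP SPT=1055 DPT=1434 LEN=384
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of a netfilter LOG line, or None."""
    if "IN=" not in line or "SRC=" not in line:
        return None  # not a packet log line (e.g. sshd, cron)
    fields = {}
    for key, value in FIELD.findall(line):
        # UDP lines carry LEN= twice (IP length, then UDP length);
        # keep the first occurrence so byte totals use the IP length.
        fields.setdefault(key, value)
    return fields


def summarize(lines):
    """Total packets and bytes per (source, protocol, destination port)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields["SRC"], fields.get("PROTO", "?"), fields.get("DPT"))
        totals[key][0] += 1
        totals[key][1] += int(fields.get("LEN", 0))
    # Largest byte count first: these are the sources worth looking at.
    return sorted(((k, tuple(v)) for k, v in totals.items()),
                  key=lambda item: item[1][1], reverse=True)


if __name__ == "__main__":
    for (src, proto, dpt), (packets, size) in summarize(SAMPLE_LOG.splitlines()):
        print(f"{src:15} {proto:4} dport={dpt or '-':5} packets={packets} bytes={size}")
```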




More information about the ubuntu-users mailing list