Where is incoming traffic coming from?

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Sun Aug 2 23:24:42 UTC 2009


On Sat, August 1, 2009 19:29, Florian Diesch wrote:
> "Amedee @ Ubuntu" <amedee-ubuntu at amedee.be> writes:
>
>> On Sat, August 1, 2009 00:13, Florian Diesch wrote:
>>> "Amedee @ Ubuntu" <amedee-ubuntu at amedee.be> writes:
>>>
>>>> On Fri, July 31, 2009 01:00, a_puzzeled_newbie(^_^); wrote:
>>>>> there are log evaluators you can get online to sort through logs... As
>>>>> far as I know you would have to go through your traffic logs to see where
>>>>> a majority of this is coming from and send it through an analyzer of
>>>>> some sort. Sorry I can't help out more than that. I myself have run a few
>>>>> ubuntu servers but have never run into something like this unless your
>>>>> shorewall is having constant communication between it and the server you
>>>>> have running.
>>>>> Other than that I don't think I can help much.
>>>>
>>>> Sorry, perhaps I didn't explain well.
>>>> Shorewall is running on the same server.
>>>> I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
>>>> shorewall accounting for all those services, and for the total.
>>>> The sum of allowed traffic just doesn't add up to the total amount of
>>>> traffic.
>>>
>>> The incoming traffic is still there, even if you drop the packets.
>>
>> I know.
>> Does ntop see the traffic before or after it is dropped?
>
> Applications only see the filtered traffic.

Apparently when an application has access to the network interface in
promiscuous mode (libpcap), then it sees the traffic before any filtering
is done.

> I'd temporarily add a logging
> rule to the tables that drop the packets to see what gets dropped.

FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".

Weird... but I have no time to investigate at the moment.

-- 
Amedee
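
Florian's suggestion above is to log what the drop rules discard. In Shorewall that is normally done by giving the drop policy a log level (for example `net fw DROP info` in /etc/shorewall/policy), after which the kernel writes one `Shorewall:net2fw:DROP:` line per dropped packet to the kernel log. The script below is an added example, not code from this thread or from Shorewall; it parses such lines and ranks source addresses by dropped bytes and packets so the "where is it coming from" question can be answered from the log alone. The sample log lines and addresses are constructed (RFC 5737 documentation ranges), and the prefix format assumes Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix.

```python
"""Rank the sources of dropped traffic from netfilter/Shorewall LOG lines."""
import re
from collections import Counter

# Constructed sample kernel-log lines (not from the original thread). The
# addresses are RFC 5737 documentation ranges; the field layout mirrors what
# the netfilter LOG target writes. Note that UDP lines carry LEN= twice
# (IP total length, then UDP length), so the parser keeps the first value.
SAMPLE_LOG = """\
Aug  2 22:10:01 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44120 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  2 22:10:02 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=31337 PROTO=UDP SPT=53000 DPT=33434 LEN=1480
Aug  2 22:10:02 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=31338 PROTO=UDP SPT=53000 DPT=33434 LEN=1480
Aug  2 22:10:03 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=4 PROTO=TCP SPT=6000 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  2 22:10:04 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5 PROTO=TCP SPT=6001 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  2 22:10:04 host kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  2 22:10:05 host kernel: eth0: link is up
"""

# Shorewall's default LOGFORMAT yields "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):")
# netfilter LOG fields are KEY=value tokens; flags such as DF or SYN have no "=".
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_log_line(line):
    """Return a dict of chain, disposition and KEY=value fields, or None."""
    match = PREFIX_RE.search(line)
    if match is None:
        return None  # not a firewall log line (e.g. a link-state message)
    fields = {}
    for key, value in FIELD_RE.findall(line[match.end():]):
        # setdefault keeps the first LEN= (IP total length) on UDP lines
        fields.setdefault(key, value)
    fields["chain"] = match.group("chain")
    fields["disposition"] = match.group("disposition")
    return fields


def summarize(lines, dispositions=("DROP", "REJECT")):
    """Aggregate bytes per source and packets per (source, proto, dport)."""
    bytes_by_src = Counter()
    packets_by_flow = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["disposition"] not in dispositions:
            continue  # only count what the firewall actually refused
        src = rec.get("SRC", "?")
        bytes_by_src[src] += int(rec.get("LEN", "0"))
        packets_by_flow[(src, rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return bytes_by_src, packets_by_flow


def top_sources(lines, limit=5):
    """List of (source, dropped_bytes, dropped_packets), busiest first."""
    bytes_by_src, packets_by_flow = summarize(lines)
    packets_by_src = Counter()
    for (src, _proto, _dpt), count in packets_by_flow.items():
        packets_by_src[src] += count
    return [(src, nbytes, packets_by_src[src])
            for src, nbytes in bytes_by_src.most_common(limit)]


if __name__ == "__main__":
    # Real use: python3 script.py < /var/log/kern.log (or dmesg output).
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for src, nbytes, npkts in top_sources(list(source)):
        print(f"{src:>16}  {nbytes:>10} bytes  {npkts:>6} packets")
```

Run against the sample, the busiest dropped source is 192.0.2.10 with 3060 bytes in three packets; the accepted SSH connection is excluded. Whether the dropped volume explains the gap between Shorewall's accounting counters and the interface totals is then a matter of comparing these byte counts with the accounting output, which is exactly the reconciliation the thread is after.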
