Where is incoming traffic coming from?
Amedee @ Ubuntu
amedee-ubuntu at amedee.be
Thu Jul 30 22:53:28 UTC 2009
Hello,
I noticed that I got a lot of incoming traffic on my server. Look at vnstat:
# vnstat -d
eth0 / daily
day rx | tx | total
------------------------+-------------+----------------------------------------
02.07. 5.54 GB | 258.12 MB | 5.79 GB %%%
03.07. 4.99 GB | 136.65 MB | 5.12 GB %%%
04.07. 5.40 GB | 126.95 MB | 5.52 GB %%%
05.07. 2.07 GB | 59.51 MB | 2.13 GB %
06.07. 8.47 GB | 326.36 MB | 8.79 GB %%%%%%
07.07. 9.80 GB | 391.30 MB | 10.18 GB %%%%%%
08.07. 8.04 GB | 348.55 MB | 8.38 GB %%%%%
09.07. 10.58 GB | 389.05 MB | 10.96 GB %%%%%%%
10.07. 19.15 GB | 17.26 GB | 36.41 GB %%%%%%%%%%%%%::::::::::::
11.07. 14.92 GB | 3.34 GB | 18.26 GB %%%%%%%%%%::
12.07. 13.91 GB | 2.23 GB | 16.14 GB %%%%%%%%%::
13.07. 14.42 GB | 2.08 GB | 16.50 GB %%%%%%%%%%:
14.07. 20.49 GB | 1.50 GB | 21.99 GB %%%%%%%%%%%%%%:
15.07. 16.14 GB | 1.61 GB | 17.76 GB %%%%%%%%%%%:
16.07. 14.86 GB | 1.10 GB | 15.96 GB %%%%%%%%%:
17.07. 17.26 GB | 1.20 GB | 18.46 GB %%%%%%%%%%%:
18.07. 13.49 GB | 1.26 GB | 14.74 GB %%%%%%%%%:
19.07. 12.97 GB | 980.82 MB | 13.93 GB %%%%%%%%:
20.07. 13.81 GB | 1.01 GB | 14.82 GB %%%%%%%%%:
21.07. 8.44 GB | 704.84 MB | 9.13 GB %%%%%%
22.07. 10.88 GB | 0.99 GB | 11.86 GB %%%%%%%:
23.07. 9.01 GB | 980.68 MB | 9.97 GB %%%%%:
24.07. 7.39 GB | 583.17 MB | 7.96 GB %%%%%
25.07. 6.23 GB | 484.04 MB | 6.70 GB %%%%
26.07. 8.19 GB | 395.95 MB | 8.58 GB %%%%%
27.07. 12.87 GB | 883.55 MB | 13.73 GB %%%%%%%%:
28.07. 8.83 GB | 762.62 MB | 9.57 GB %%%%%%
29.07. 8.65 GB | 631.73 MB | 9.27 GB %%%%%%
30.07. 8.76 GB | 587.09 MB | 9.34 GB %%%%%%
31.07. 0 kB | 0 kB | 0 kB
------------------------+-------------+----------------------------------------
estimated -- | -- | --
The tx values seem about right to me, but the rx values are totally
absurd! It should only be a few hundred megabytes per day, maximum!
I have installed shorewall and I'm only accepting ping, ssh, http, https,
smtp, imap2 and imaps. Everything else is dropped.
I have also configured accounting in shorewall, but I'm not seeing
anything out of the ordinary:
# shorewall show accounting
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 00:52:58 CEST 2009
Counters reset Fri Jul 31 00:47:19 CEST 2009
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
1257 437K Total all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1285 501K Total all -- * eth0 0.0.0.0/0 0.0.0.0/0
411 26732 ssh tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
311 269K ssh tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22
37 5756 smtp tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
33 3374 smtp tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:25
44 3132 imap2 tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
35 65563 imap2 tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:143
0 0 imaps tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 imaps tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:993
104 16439 www tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
71 94136 www tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 https tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 https tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
4 336 ping icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 336 ping icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
How can I find out where the incoming traffic is coming from?
--
Amedee
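
Added example, not part of the original post: a small parser that turns the "Total" rule of the accounting output above into a projected bytes-per-day figure, so it can be set against the vnstat rx column. The function names are hypothetical, and it assumes one rule per line, as iptables prints it before e-mail wrapping.

```python
import re
from datetime import datetime

# Excerpt of the accounting output in the post, one rule per line (unwrapped).
SAMPLE = """\
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 00:52:58 CEST 2009
Counters reset Fri Jul 31 00:47:19 CEST 2009
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
1257 437K Total all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1285 501K Total all -- * eth0 0.0.0.0/0 0.0.0.0/0
411 26732 ssh tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""

# iptables abbreviates large counters with decimal suffixes (437K ~ 437000).
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
STAMP = re.compile(r"(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) \w+ (\d{4})")

def to_bytes(field):
    """Convert an iptables byte counter such as '26732' or '437K' to an int."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", field)
    if not m:
        raise ValueError(f"not a counter: {field!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def stamp(line):
    """Parse the date in a header line, ignoring the time-zone name."""
    m = STAMP.search(line)
    return datetime.strptime(" ".join(m.groups()), "%a %b %d %H:%M:%S %Y")

def inbound_projection(text, iface="eth0"):
    """Return (bytes in, seconds counted, projected bytes/day) for the
    'Total' rule whose input interface is iface."""
    shown = reset = rx = None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("Shorewall"):
            shown = stamp(line)
        elif line.startswith("Counters reset"):
            reset = stamp(line)
        elif len(f) >= 7 and f[2] == "Total" and f[5] == iface:
            rx = to_bytes(f[1])
    secs = (shown - reset).total_seconds()
    return rx, secs, rx / secs * 86400

if __name__ == "__main__":
    rx, secs, per_day = inbound_projection(SAMPLE)
    print(f"{rx} bytes in {secs:.0f} s -> about {per_day / 1e6:.0f} MB/day")
```

The counters in the post cover only 339 seconds just after midnight, so the projection is rough; it is meant for comparison with the 8.76 GB that vnstat reports as rx for 30.07.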