Where is incoming traffic coming from?

Siggy Brentrup ubuntu at psycho.i21k.de
Fri Jul 31 03:14:38 UTC 2009 

 On Fri, Jul 31, 2009 at 00:53 +0200, Amedee @ Ubuntu wrote:
> Hello,
> 
> I noticed that I got a lot of incoming traffic on my server. Look at vnstat:
> 
> # vnstat -d
> 
>  eth0  /  daily
> 
>     day         rx      |     tx      |  total
> ------------------------+-------------+----------------------------------------
>    02.07.      5.54 GB  |  258.12 MB  |    5.79 GB   %%%
>    03.07.      4.99 GB  |  136.65 MB  |    5.12 GB   %%%
>    04.07.      5.40 GB  |  126.95 MB  |    5.52 GB   %%%
>    05.07.      2.07 GB  |   59.51 MB  |    2.13 GB   %
>    06.07.      8.47 GB  |  326.36 MB  |    8.79 GB   %%%%%%
>    07.07.      9.80 GB  |  391.30 MB  |   10.18 GB   %%%%%%
>    08.07.      8.04 GB  |  348.55 MB  |    8.38 GB   %%%%%
>    09.07.     10.58 GB  |  389.05 MB  |   10.96 GB   %%%%%%%
>    10.07.     19.15 GB  |   17.26 GB  |   36.41 GB  
> %%%%%%%%%%%%%::::::::::::
>    11.07.     14.92 GB  |    3.34 GB  |   18.26 GB   %%%%%%%%%%::
>    12.07.     13.91 GB  |    2.23 GB  |   16.14 GB   %%%%%%%%%::
>    13.07.     14.42 GB  |    2.08 GB  |   16.50 GB   %%%%%%%%%%:
>    14.07.     20.49 GB  |    1.50 GB  |   21.99 GB   %%%%%%%%%%%%%%:
>    15.07.     16.14 GB  |    1.61 GB  |   17.76 GB   %%%%%%%%%%%:
>    16.07.     14.86 GB  |    1.10 GB  |   15.96 GB   %%%%%%%%%:
>    17.07.     17.26 GB  |    1.20 GB  |   18.46 GB   %%%%%%%%%%%:
>    18.07.     13.49 GB  |    1.26 GB  |   14.74 GB   %%%%%%%%%:
>    19.07.     12.97 GB  |  980.82 MB  |   13.93 GB   %%%%%%%%:
>    20.07.     13.81 GB  |    1.01 GB  |   14.82 GB   %%%%%%%%%:
>    21.07.      8.44 GB  |  704.84 MB  |    9.13 GB   %%%%%%
>    22.07.     10.88 GB  |    0.99 GB  |   11.86 GB   %%%%%%%:
>    23.07.      9.01 GB  |  980.68 MB  |    9.97 GB   %%%%%:
>    24.07.      7.39 GB  |  583.17 MB  |    7.96 GB   %%%%%
>    25.07.      6.23 GB  |  484.04 MB  |    6.70 GB   %%%%
>    26.07.      8.19 GB  |  395.95 MB  |    8.58 GB   %%%%%
>    27.07.     12.87 GB  |  883.55 MB  |   13.73 GB   %%%%%%%%:
>    28.07.      8.83 GB  |  762.62 MB  |    9.57 GB   %%%%%%
>    29.07.      8.65 GB  |  631.73 MB  |    9.27 GB   %%%%%%
>    30.07.      8.76 GB  |  587.09 MB  |    9.34 GB   %%%%%%
>    31.07.         0 kB  |       0 kB  |       0 kB
> ------------------------+-------------+----------------------------------------
>  estimated       --     |      --     |      --
> 
> 
> The tx values seem about right to me, but the rx values are totally
> absurd! It should only be a few hunderd megabytes per day, maximum!
> 
> I have installed shorewall and I'm only accepting ping, ssh, http, https,
> smtp, imap2 and imaps. Everything else is dropped.

Anything particular on 10.07.?  It's the only day where rx/tx ratio
approaches 1.  

I don't know what exactly vnstat counts.  In an argument with my ISP I
once was told that they count all traffic, even the one dropped
resp. rejected by my firewall, but even then numbers seem to be
extrodinary high.  Counters below don't tell much since they don't
cover a full day.  You might save counter values every hour and
look what after a possible pattern.
 
> I have also configured accounting in shorewall, but I'm not seeing
> anything out of the ordinary:
> 
> # shorewall show accounting
> Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 00:52:58 CEST 2009
> 
> Counters reset Fri Jul 31 00:47:19 CEST 2009
> 
> Chain accounting (3 references)
>  pkts bytes target     prot opt in     out     source              
> destination
>  1257  437K Total      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>  1285  501K Total      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>   411 26732 ssh        tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:22
>   311  269K ssh        tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:22
>    37  5756 smtp       tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:25
>    33  3374 smtp       tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:25
>    44  3132 imap2      tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:143
>    35 65563 imap2      tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:143
>     0     0 imaps      tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:993
>     0     0 imaps      tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:993
>   104 16439 www        tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:80
>    71 94136 www        tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:80
>     0     0 https      tcp  --  eth0   *       0.0.0.0/0           
> 0.0.0.0/0           tcp dpt:443
>     0     0 https      tcp  --  *      eth0    0.0.0.0/0           
> 0.0.0.0/0           tcp spt:443
>     4   336 ping       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     4   336 ping       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0
> 
> 
> How can I find out where the incoming traffic is coming from?

Even with windoze broadcasts you're dropping the numbers seem
exceedingly high, you have to provide more data.  Next time
please come with a URL, these tables make mails way too big.

Just my 2ยข
  Siggy
-- 
Please don't Cc: me when replying, I might not see either copy.
               bsb-at-psycho-dot-informationsanarchistik-dot-de
               or:                bsb-at-psycho-dot-i21k-dot-de
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20090731/7c408663/attachment.sig>

More information about the ubuntu-users mailing list