Where is incoming traffic coming from?

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Fri Jul 31 08:10:58 UTC 2009 

On Fri, July 31, 2009 01:00, a_puzzeled_newbie(^_^); wrote:
> there are log evaluators you can get online to sort through logs... As far
> as i know you would have to go through your traffic logs to see where a
> majority of this is coming from and send it through an analizer of some
> sort. Sorry i cant help out more then that. I myself have ran a few ubuntu
> servers but have never ran into something like this unless your shorwall
> is
> having constant comunication between it and the server you have running.
> Other then that i dont think i can help much.

Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.

# shorewall show accounting
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 10:07:25 CEST 2009

Counters reset Fri Jul 31 00:47:19 CEST 2009

Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source              
destination
4607K 6832M Total      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2388K  142M Total      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 6455  511K ssh        tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:22
12927 3633K ssh        tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:22
 1549  272K smtp       tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:25
 1593  150K smtp       tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:25
  307 19398 imap2      tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:143
  203  686K imap2      tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:143
    3   140 imaps      tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:993
    1    60 imaps      tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:993
24731 2436K www        tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:80
18247   42M www        tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:80
   37  2352 https      tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:443
   36  2163 https      tcp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           tcp spt:443
   16  1364 ping       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
   14  1228 ping       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0

You see? The largest individual traffic is www with 42M, and that's
*outgoing* traffic - that's normal for a server that is mainly used as a
webserver!
But it just doesn't add up to that 6832M Total. It must be traffic that's
being dropped but I can't find it...

-- 
Amedee

More information about the ubuntu-users mailing list