My system is being bogged down something fierce. Can someone tell me of a program that I can install that will allow me to monitor what IP address is soaking up the bandwidth?
Thanks in advance for any suggestions and comments on this matter.
Hi, Jimbo. Thanks again for the quick advice. The installation went smooth. I’m studying all the parameters. I don’t use GUI and couldn’t get the wireshark command to function. It complains about the gtk display (Gtk-WARNING **: cannot open display). First study gave me the tshark.
I’m still experimenting.
Would you have a quick method to type in a few commands and get the most active IP’s sorted to the top? Any suggestions you might have in helping me to get started with is appreciated. I’m sure I’ll be in for a long haul learning all the features. It looks like a very powerful utility.
For a check of what is happening on your box for a 30 second window the following can be used:
Code:
tshark -i eth0 -a duration:30 -f "tcp and not port 22"
I told it to skip port 22 because I was connected to the box via SSH and didn't want that traffic cluttering the output. At the time I was connected to port 80 via telnet and had issued GET / HTTP1.1. The (incomplete) output was:
If you're not using X, but have ncurses installed I recommend iptstate. The screenshots page will give you an idea whether it will do what you want though.
Whoops, Sorry Larry!
I made the unjustified assumption that you would have a GUI running, just because it's my practice to do so even on my servers. However, I see Gilead has come up with a better way of running wireshark for your environment, and iptstate looks more than a bit interesting, so we both benefited. Thanks, Gilead!
I had mentioned that I was running tshark. My question was about some type of parameter or method to sort the output in such a way as to display at the top the IPs that are hogging the most bandwidth.
I guess if there isn't anything obvious that I'm missing, I will presume that the only way of knowing the amount of bandwidth going to an IP is to count the IPs and tally up the "len="s. Almost all of the IPs are "0". My system gets bogged down a few times a day. I haven't caught it happening since the installation of the wireshark program (though looking at the logs it did happen a couple of times for a few minutes at a time when I wasn't at the system).
I'm still at the drawing board. If there aren't any standard methods people are already using to sort the output, then again, I'm continuing to study and figure things out with time.
By the way, I notice lots of input options that wireshark has. So, initially, I thought one would use tcpdump (or the tshark output), then use the utility to analyze it.
By the way, thanks Gilead for chiming in. When you use tshark, do you have some routine for sorting out the output?
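A shell pipeline that does the tallying described above, added here as an example and not something posted in the thread: it reads tshark's one-line summary output, credits each packet's "Len=" payload bytes to its source IP, and sorts the heaviest senders to the top. The capture lines are constructed (documentation-range addresses), and the script assumes the "Len=" field appears as it does in tshark's TCP summaries; lines without it, such as the HTTP request, are counted as packets but contribute no bytes.

```shell
#!/bin/sh
# Added example, not from the thread. Live usage would be:
#   tshark -i eth0 -a duration:30 -f "tcp and not port 22" | top_talkers
# Constructed sample of tshark summary lines so the script runs offline.
SAMPLE_CAPTURE='  1 0.000000 192.168.1.10 -> 198.51.100.20 TCP 74 44521 > 80 [SYN] Seq=0 Win=29200 Len=0
  2 0.021512 198.51.100.20 -> 192.168.1.10 TCP 74 80 > 44521 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
  3 0.021600 192.168.1.10 -> 198.51.100.20 TCP 66 44521 > 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  4 0.030000 192.168.1.10 -> 198.51.100.20 HTTP 150 GET / HTTP/1.1
  5 0.070000 198.51.100.20 -> 192.168.1.10 TCP 1514 80 > 44521 [ACK] Seq=1 Ack=85 Win=65535 Len=1448
  6 0.071000 198.51.100.20 -> 192.168.1.10 TCP 1514 80 > 44521 [ACK] Seq=1449 Ack=85 Win=65535 Len=1448
  7 0.090000 203.0.113.9 -> 192.168.1.10 TCP 1514 445 > 50123 [ACK] Seq=1 Ack=1 Win=1024 Len=1448'

# Reads tshark summary lines on stdin; prints "bytes packets ip", busiest first.
# The source IP is the field just before the "->" token and the payload size is
# the "Len=N" token, so the column layout (which differs between tshark
# versions) does not matter.
top_talkers() {
    awk '
    {
        src = ""; len = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "->") src = $(i - 1)
            if ($i ~ /^Len=[0-9]+$/) { split($i, kv, "="); len = kv[2] }
        }
        if (src == "") next          # not a packet summary line
        bytes[src] += len; pkts[src]++
    }
    END {
        for (ip in bytes) printf "%d %d %s\n", bytes[ip], pkts[ip], ip
    }' | sort -rn
}

# Run against the constructed capture.
printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers
```

Bytes are attributed to the sender, so the host's own address will show what it transmits; the remote addresses near the top are the ones pushing the most data at it.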
Could be a broadcast storm...
Quote:
Originally Posted by Larry James
Almost all of the IP's are "0".
The IP addresses in the packet (source and destination) should be real addresses in the majority of cases. If you are seeing lots of IP addresses set to "0", this could indicate excessive broadcast activity, either from a broken NIC, a mis-configured interface, or possibly malware activity.