I think i have a process or something somewhere that is copying a TON of data every night to a computer. Is there a way I can search on the entire RHEL server to see if there's a file/script/process/etc containing the computer's name in it which would be doing the copy on a regular basis? the computers IP has changed so i know its not doing it by ip address, has to be by computer name.

check the cronjob, is there any job for databackup
#crontab -e

There's nothing in any of my users crontab's that I can see doing it.

Anyone else have any ideas? what i was thinking is if i could search through all the files for the computer's name, that would tell me if there is a script or something out there that could possibly be being ran.

Have you tried grep and its variants?

But realistically, it maybe some sort of scheduled maintenance program being run on you machine, such as log maintenance, database updates (eg locate), checks for new software updates, etc.
Or maybe you have an open ftp, bittorrent, share service (eg samba), etc?

so far all i've tried was looking in crontabs, not sure where else to go

You really haven't given us any useful information:
"I think" - Evidence please.
"a process or something somewhere" - Evidence please.
"a TON of data" - Evidence please.
"to a computer" - Which computer, on your LAN or the big bad interweb ?

Without more details, we cannot help you.

1 members found this post helpful.

Evidence: from my network monitoring software, I show 100's of GB of data moving from the server to a computer, which is on my lan. The monitoring software cannot narrow down what port the data is going over, only the amount of data going through the server's port on the switch and which direction.

Not sure if that's what you meant by evidence, or what difference all that makes. If it were 500GB or 500MB, something's still sending it, its that something i'm trying to find. Let me try restating the part you quoted with more detail: "100s of GB's of data is being moved off a server to a computer every night. The computer has been wiped and reloaded yet the network traffic still exists between devices, so the workstation is not pulling data, therefore the data must be being sent from the server out to the computer". Not trying to waste anybody's time here with some hypothetical situation, hope I didn't offend you, which i sense I did. I thought it made sense since some people replied with ideas i already tried, maybe not.

I await your response since you can understand my problem now. thanks in advance tredegar.

On any capable client in the LAN you can have:
- an account of which users are active at what time by looking at output of 'last',
- an account of what commands users execute by searching shell history files and system and daemon logs,
- process accounting to see which users execute what commands,
- detailed process statistics (atop, dstat, collectl) for the same,
- client iptables rules that only "-j LOG" traffic,
- tcpdump or wireshark log traffic,
to start with. Gathering nfo will also help answer roy_lt_69's questions. However the interesting phrase "The computer has been wiped and reloaded" suggests you have had trouble before you posed this question. As tredegar indicated: the more information the better. Something that may sound uninteresting, common or trivial to you may hold clues for others. And what is your "network monitoring software" or what does it offer?

Assuming you mean the target system has been wiped/restored, have you checked the src machine's system crontabs. These are not found under the user's names, but usually something under cron eg on my Centos system
note cron.d is a dir.

The timing of these txfrs is important; there is highly likely to be a log file that has recs around that time.

Hi unSpawn. The reason I wiped and reloaded the workstation was nothing more than 1) to eliminate any software/scheduled task/etc on that workstation as the possible culprit. it only takes me 20 minutes to put an image on that workstation, so it wasnt a big deal and instantly eliminated a lot of things that "could" be causing this. The machine was fine, all the hardware checked out ok. It's an XP machine btw, but the server is RHEL.
All the network monitoring software does is show traffic in and out of ports on my switches. So by comparing the charts from the server and this workstation, they match up. I'm just struggling to figure this out because i'm new to Linux. if it was a windows server, I'd be all set figuring this out, and wouldn't be posting on a linux website haha.

Thanks ChrisM. I did a grep -r computername * when i was in /etc and didn't find anything. was that the right way to look?

Wipe 'n restore ops may seem convenient but done w/o prior investigation just shows that it is not efficient.


How would you know exactly?

May I summarise?

1. Network traffic analysis running on a switch shows hundreds of GB per night going from a RHEL server and a similar amount of traffic going to a WXP workstation.
2. The workstation has been rebuilt, presumably to a standard configuration; the phenomenon continues.
3. The OP is new to Linux.

That's it? From 13 posts?!

Why this one workstation? What's special about this one workstation that was special before and after it was rebuilt? The switch port? MAC address? IP address? Name? What happens if some of the things that were the same are changed -- MAC address and switch port, dunno about the others.

On the server side, hundreds of GB per night shouldn't be too hard to spot. Linux has plenty of good tools as already mentioned. Way easier than guessing in the dark and searching files for computer ID strings would be to identify the server processes that are sending all those GB. Makes the needle bigger and the haystack smaller!

Good summarization, and yeah it took 13 posts to get there haha. The workstation was reloaded with a standard load used on a few hundred other machines on the same network. We even replaced the motherboard with on-board NIC on the machine as well, to eliminate a bad NIC.

Wish I knew why it was this one workstation, thats why I keep thinking something on the server is looking for that name. I've given it two different IPs on the same subnet, then moved it to a completely different subnet and the problem still occurred. There's no special software loaded on this computer, we've plugged it into different physical ports on the same switch, then on a different switch (during different subnet tests). The MAC address would be different since the on-board NIC was replaced along with the motherboard. The only thing that I can think of that's stayed the same is the computer name, which is why i was trying to look for it on the server. I tried grep'ing through var/logs and didn't find anything, so i thought maybe greping recursively from / would be an idea. I mean, if something is set to do something to that computer name, grep would have to find it in a file somewhere i would think/hope?

I'm not sure how to identify the processes that could be doing this. I'm going to see if i can get wireshark going today, see if that tells me anything if i let it monitor overnight.