
LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Spike in outbound traffic- where to look? (https://www.linuxquestions.org/questions/linux-security-4/spike-in-outbound-traffic-where-to-look-303461/)

htmlcoder 03-19-2005 03:22 AM

Spike in outbound traffic- where to look?
 
Just wondering, when you detect a sudden big spike in traffic, are there ways to find out, whether in real time or afterwards, what the culprit might be? Not sure what to type in ssh. Checked the logs, including mail, but don't see anything suspicious.

Thx,

Capt_Caveman 03-19-2005 10:27 AM

In realtime, immediately fire up tcpdump and capture packets to get an idea of the type of traffic and destination. For a more friendly interface, try using ethereal. Using the top command can often provide you with some insight in determining which process is creating loads of traffic. Trying to identify it in hindsight is a little more difficult. Probably the best way is to use iptables to log abnormal or excessive outbound traffic. You can then use something like logwatch or syslog-ng to pull out the iptables messages and send you a summary alert.
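The "log outbound traffic with iptables, then pull out the messages and summarize them" approach from the reply above, written out as an added example (this is not code from the thread or from any of the tools named). The OUTPUT rule, the OUTBOUND-LOG prefix, the rate limit, the interface name eth0 and the sample kernel log lines are all assumptions constructed for illustration; the summary function reads real netfilter LOG lines from syslog in the same way.

```bash
#!/bin/sh
# Added example: log outbound packets with iptables, then summarize the
# kernel log by destination so the busiest peer stands out in hindsight.

# Install the logging rule (needs root; run by hand, not from the summary).
# Interface, prefix and limit are assumptions for illustration.
install_outbound_log_rule() {
    # Limit log lines per second so a real flood cannot fill the disk with noise.
    iptables -I OUTPUT -o eth0 -m limit --limit 10/s --limit-burst 50 \
        -j LOG --log-prefix "OUTBOUND-LOG " --log-level 4
}

# Summarize LOG lines on stdin, one line per destination:
#   <DST> <PROTO> <DPT> <packets> <bytes>   (most bytes first)
# Only the first LEN= on a line (the IP total length) is counted; UDP lines
# carry a second LEN= for the UDP payload.
summarize_outbound_log() {
    LC_ALL=C awk '
        /OUTBOUND-LOG/ {
            dst = proto = dpt = ""; len = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST")                  dst = kv[2]
                else if (kv[1] == "PROTO")           proto = kv[2]
                else if (kv[1] == "DPT")             dpt = kv[2]
                else if (kv[1] == "LEN" && len == 0) len = kv[2] + 0
            }
            key = dst " " proto " " dpt
            pkts[key]++; bytes[key] += len
        }
        END { for (k in pkts) print k, pkts[k], bytes[k] }
    ' | LC_ALL=C sort -k5,5nr
}

# Keep only destinations that received more than $1 bytes in the window;
# this is the part a logwatch/syslog-ng style summary alert would mail out.
alert_over_bytes() {
    LC_ALL=C awk -v limit="$1" '$5 > limit'
}

# Constructed sample of what /var/log/messages (or kern.log) would contain.
sample_log() {
    cat <<'EOF'
Mar 19 03:20:01 host kernel: OUTBOUND-LOG IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=1480
Mar 19 03:20:01 host kernel: OUTBOUND-LOG IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40000 DPT=53 LEN=1480
Mar 19 03:20:02 host sshd[1234]: Accepted publickey for admin from 192.168.1.2 port 50000 ssh2
Mar 19 03:20:02 host kernel: OUTBOUND-LOG IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Mar 19 03:20:02 host kernel: OUTBOUND-LOG IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40000 DPT=53 LEN=1480
Mar 19 03:20:03 host kernel: OUTBOUND-LOG IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
EOF
}

# Stand-alone run: full summary, then only the destinations over 1000 bytes.
sample_log | summarize_outbound_log
echo "--- over 1000 bytes ---"
sample_log | summarize_outbound_log | alert_over_bytes 1000
```

On a live box the same pipeline is `grep OUTBOUND-LOG /var/log/messages | summarize_outbound_log`; because the rule is rate-limited, the packet counts are a lower bound, so compare destinations against each other rather than reading them as absolute volumes.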

htmlcoder 03-19-2005 01:11 PM

Thanks. It seems it's a little more complicated than I expected :) I tried running top, though it didn't seem to show anything. Will running netstat using something like:

netstat -an|grep :80|awk '{print $5}'|sort |more

help if I change the port to ones often used by outbound traffic? If so what ports should I be monitoring?

Thanks much,

Capt_Caveman 03-19-2005 03:13 PM

Netstat isn't really going to provide you much information on the relative amounts of traffic. So you couldn't really distinguish between 1 packet and 1 million packets. Top is only going to be informative if the process sending packets is CPU intensive. Something sending a few packets per second likely would not show up, but something like a udp flooder which is sending out as many packets as possible likely would.

If you really want to do realtime monitoring, use ethereal. It can show you amounts of packets captured, perform tcp stream re-assembly, and decode packet payloads. It's a great tool. If you want to do long-term traffic monitoring, you might want to look at an intrusion detection system (IDS) that has a traffic anomaly detection feature. SPADE and even Nagios might be useful.
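The point above is that netstat shows connections but not volume, so one packet and a million look the same. A short tcpdump capture does carry the counts, and the added example below (not code from the thread or from tcpdump/ethereal) turns the capture's text output into per-destination packet counts, byte totals and packets per second over the capture window. The interface, local address, packet count and the sample capture lines are constructed assumptions.

```bash
#!/bin/sh
# Added example: measure per-destination packet rates from a tcpdump capture.

# Live use (needs root): grab a bounded number of outbound packets in text form.
# Interface and local address are assumptions; adjust for the box in question.
capture_outbound() {
    IFACE=eth0
    LOCAL_IP=192.168.1.10
    tcpdump -n -i "$IFACE" -c 5000 src host "$LOCAL_IP"
}

# Summarize tcpdump text lines on stdin, one line per destination:
#   <host> <port> <packets> <bytes> <packets-per-second>   (most packets first)
# The rate uses the span between the first and last timestamp; a capture
# shorter than one second (for example a single packet) is treated as one
# second so the rate cannot blow up.
summarize_capture() {
    LC_ALL=C awk '
        $2 == "IP" && $4 == ">" {
            split($1, t, ":")                     # HH:MM:SS.frac -> seconds
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            if (first == "") first = ts
            last = ts
            dst = $5; sub(/:$/, "", dst)          # "203.0.113.5.53:" -> host.port
            n = split(dst, p, ".")
            port = p[n]
            host = p[1]; for (i = 2; i < n; i++) host = host "." p[i]
            len = 0
            for (i = 1; i <= NF; i++) if ($i == "length") len = $(i + 1) + 0
            key = host " " port
            pkts[key]++; bytes[key] += len
        }
        END {
            dur = last - first; if (dur < 1) dur = 1
            for (k in pkts) printf "%s %d %d %.1f\n", k, pkts[k], bytes[k], pkts[k] / dur
        }
    ' | LC_ALL=C sort -k3,3nr
}

# Constructed sample of tcpdump -n output spanning two seconds.
sample_capture() {
    cat <<'EOF'
03:22:01.000000 IP 192.168.1.10.40000 > 203.0.113.5.53: UDP, length 1472
03:22:01.500000 IP 192.168.1.10.40000 > 203.0.113.5.53: UDP, length 1472
03:22:02.000000 IP 192.168.1.10.45678 > 198.51.100.20.80: Flags [P.], seq 1:61, ack 1, win 229, length 60
03:22:02.500000 IP 192.168.1.10.40000 > 203.0.113.5.53: UDP, length 1472
03:22:03.000000 IP 192.168.1.10.40000 > 203.0.113.5.53: UDP, length 1472
EOF
}

# Stand-alone run on the sample; on a live box: capture_outbound | summarize_capture
sample_capture | summarize_capture
```

A destination that tops this list by packets per second while barely appearing in netstat (a UDP peer, for instance, never shows an established connection) is exactly the case the reply describes, and the same host.port key can then be fed back into a tighter tcpdump filter to look at the payloads.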
