LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 03-19-2005, 03:22 AM   #1
htmlcoder
LQ Newbie
 
Registered: Feb 2005
Posts: 9

Rep: Reputation: 0
Spike in outbound traffic- where to look?


Just wondering, when you detect a sudden big spike in traffic, are there ways to find out, whether in real time or afterwards, what the culprit might be? Not sure what to type in ssh. Checked the logs, including mail, but don't see anything suspicious.

Thx,
 
Old 03-19-2005, 10:27 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
In real time, immediately fire up tcpdump and capture packets to get an idea of the type of traffic and destination. For a more friendly interface, try using ethereal. Using the top command can often provide you with some insight in determining which process is creating loads of traffic. Trying to identify it in hindsight is a little more difficult. Probably the best way is to use iptables to log abnormal or excessive outbound traffic. You can then use something like logwatch or syslog-ng to pull out the iptables messages and send you a summary alert.

Last edited by Capt_Caveman; 03-19-2005 at 10:29 AM.
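As an added example (not from the thread or its posters), the "log with iptables, then pull the messages out into a summary alert" approach above can be sketched in Python: it parses the kernel's iptables LOG lines, totals packets and bytes per destination, and flags the destinations above a byte threshold. The log prefix, interface, threshold and the syslog lines are all constructed for the example.

```python
"""Summarise iptables LOG lines to find the destination behind an outbound spike.

Assumed rule (example only): iptables -A OUTPUT -o eth0 -j LOG --log-prefix "OUTBOUND: "
The kernel then writes one syslog line per outbound packet, which we aggregate here.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines in the kernel's iptables LOG format.
# UDP lines carry two LEN= fields (IP total length, then UDP length).
SAMPLE_LOG = """\
Mar 19 03:20:01 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1480 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=53 LEN=1460
Mar 19 03:20:01 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1480 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=40001 DPT=53 LEN=1460
Mar 19 03:20:02 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1480 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=40002 DPT=53 LEN=1460
Mar 19 03:20:02 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 SYN
Mar 19 03:20:03 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=80 DPT=33001 WINDOW=5840 ACK
Mar 19 03:20:03 host sshd[123]: Accepted publickey for admin from 192.0.2.2 port 5000
"""

FIELD_RE = re.compile(r"\b(DST|PROTO|DPT|LEN)=(\S*)")


def parse_line(line):
    """Return (dst, proto, dpt, ip_len) for an iptables LOG line, else None."""
    if "kernel:" not in line or "OUT=" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)  # keep the first LEN= (IP total length)
    try:
        return fields["DST"], fields["PROTO"], fields.get("DPT", "-"), int(fields["LEN"])
    except (KeyError, ValueError):
        return None


def summarise(log_text):
    """Aggregate [packets, bytes] per (DST, PROTO, DPT) destination."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        dst, proto, dpt, length = parsed
        totals[(dst, proto, dpt)][0] += 1
        totals[(dst, proto, dpt)][1] += length
    return dict(totals)


def top_talkers(log_text, byte_threshold):
    """Destinations sending more than byte_threshold bytes, biggest first."""
    ranked = sorted(summarise(log_text).items(), key=lambda kv: kv[1][1], reverse=True)
    return [(dst, proto, dpt, pkts, nbytes) for (dst, proto, dpt), (pkts, nbytes) in ranked
            if nbytes > byte_threshold]


if __name__ == "__main__":
    for dst, proto, dpt, pkts, nbytes in top_talkers(SAMPLE_LOG, 1000):
        print(f"ALERT {dst} {proto}/{dpt}: {pkts} packets, {nbytes} bytes")
```

On a real host the same functions would read `/var/log/messages` (or wherever syslog puts kernel messages) instead of the constructed sample, with the threshold tuned to the box's normal outbound volume.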
 
Old 03-19-2005, 01:11 PM   #3
htmlcoder
LQ Newbie
 
Registered: Feb 2005
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks. It seems it's a little more complicated than I expected. I tried running top, though it didn't seem to show anything. Will running netstat using something like:

netstat -an | grep :80 | awk '{print $5}' | sort | more

help if I change the port to ones often used by outbound traffic? If so what ports should I be monitoring?

Thanks much,
 
Old 03-19-2005, 03:13 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Netstat isn't really going to provide you much information on the relative amounts of traffic. So you couldn't really distinguish between 1 packet and 1 million packets. Top is only going to be informative if the process sending packets is CPU intensive. Something sending a few packets per second likely would not show up, but something like a udp flooder which is sending out as many packets as possible likely would.

If you really want to do realtime monitoring, use ethereal. It can show you amounts of packets captured, perform tcp stream re-assembly, and decode packet payloads. It's a great tool. If you want to do long-term traffic monitoring, you might want to look at an intrusion detection system (IDS) that has a traffic anomaly detection feature. SPADE and even Nagios might be useful.
 