LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-23-2004, 04:53 PM   #1
mdixon
LQ Newbie
 
Registered: Oct 2003
Location: Perth, Western Australia
Distribution: Fedora & FreeBSD
Posts: 17

Rep: Reputation: 3
Lots of unexpected network activity


Last night the activity light on my aDSL modem started flashing and kept flashing for hours. I pulled the ethernet cable out of my Fedora Core 3 box and the activity stopped. Put the cable back in a minute later and the activity quickly resumed. This morning it was still flickering away. I rebooted. Activity ceased for a couple of minutes but has resumed now.

I'm wondering what tools I should/could use to determine what all this activity is???

A who list showed only me logged in. I ran a ps -A list but there are many entries and I don't know what's normal and what's not -- except that I did expect to see: httpd, mysqld, nfs (but no authorised host is currently active), vsftp and sshd because those are the services I set up explicitly. Here is the ps output:

[mark@Koala ~]$ ps -A
PID TTY TIME CMD
1 ? 00:00:01 init
2 ? 00:00:00 ksoftirqd/0
3 ? 00:00:00 events/0
4 ? 00:00:00 khelper
5 ? 00:00:00 kacpid
16 ? 00:00:00 kblockd/0
17 ? 00:00:00 khubd
26 ? 00:00:00 pdflush
27 ? 00:00:00 pdflush
29 ? 00:00:00 aio/0
28 ? 00:00:00 kswapd0
102 ? 00:00:00 kseriod
178 ? 00:00:00 kmirrord/0
187 ? 00:00:00 kjournald
1000 ? 00:00:00 udevd
1247 ? 00:00:00 kjournald
1614 ? 00:00:00 dhclient
1648 ? 00:00:00 syslogd
1652 ? 00:00:00 klogd
1680 ? 00:00:00 portmap
1700 ? 00:00:00 rpc.statd
1728 ? 00:00:00 rpc.idmapd
1798 ? 00:00:00 nifd
1808 ? 00:00:00 smartd
1818 ? 00:00:00 acpid
1862 ? 00:00:00 sshd
1873 ? 00:00:00 xinetd
1892 ? 00:00:00 rpc.rquotad
1896 ? 00:00:00 nfsd
1897 ? 00:00:00 nfsd
1898 ? 00:00:00 nfsd
1899 ? 00:00:00 nfsd
1900 ? 00:00:00 nfsd
1901 ? 00:00:00 nfsd
1902 ? 00:00:00 lockd
1903 ? 00:00:00 rpciod
1904 ? 00:00:00 nfsd
1905 ? 00:00:00 nfsd
1909 ? 00:00:00 rpc.mountd
1936 ? 00:00:00 vsftpd
1949 ? 00:00:00 safe_mysqld
1973 ? 00:00:00 mysqld
1994 ? 00:00:00 gpm
2005 ? 00:00:00 httpd
2015 ? 00:00:00 crond
2044 ? 00:00:00 httpd
2045 ? 00:00:00 httpd
2046 ? 00:00:00 httpd
2047 ? 00:00:00 httpd
2048 ? 00:00:00 httpd
2049 ? 00:00:00 httpd
2050 ? 00:00:00 httpd
2051 ? 00:00:00 httpd
2052 ? 00:00:00 xfs
2062 ? 00:00:00 smbd
2066 ? 00:00:00 nmbd
2076 ? 00:00:00 winbindd
2081 ? 00:00:00 winbindd
2096 ? 00:00:00 atd
2106 ? 00:00:00 dbus-daemon-1
2119 ? 00:00:01 hald
2128 tty1 00:00:00 mingetty
2129 tty2 00:00:00 mingetty
2130 tty3 00:00:00 mingetty
2131 tty4 00:00:00 mingetty
2132 tty5 00:00:00 mingetty
2133 tty6 00:00:00 mingetty
2556 ? 00:00:00 smbd
2575 ? 00:00:00 sshd
2577 ? 00:00:00 sshd
2578 pts/0 00:00:00 bash
2604 pts/0 00:00:00 ps
[mark@Koala ~]$
 
Old 11-23-2004, 04:58 PM   #2
alphaproject
LQ Newbie
 
Registered: Jun 2004
Distribution: Fedora Core 3 x86_64
Posts: 19

Rep: Reputation: 0
Ethereal is a web traffic analyzer. It's easy to set up and can give you detailed information about your web traffic. That should help.
 
Old 11-23-2004, 06:54 PM   #3
mdixon
LQ Newbie
 
Registered: Oct 2003
Location: Perth, Western Australia
Distribution: Fedora & FreeBSD
Posts: 17

Original Poster
Rep: Reputation: 3
Thanks alphaproject.

That solved the problem. I found that the activity was HTTP requests. The IP of the requester was in California. I then looked in the HTTP logs to find that it is web-bots, particularly Yahoo looking through my whole tree, including all the Apache manual HTML files, etc.

So I put a robots.txt file in my root that included:
User-agent: *
Disallow: /manual/
Disallow: ... cgi-bin & some other sub-directories ...

Thanks. Cheers, Mark.
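The log triage described in this post, sketched as an added example (not part of the original thread): it totals requests and bytes per client and user agent from an Apache access log and counts how many requests hit paths the robots.txt rule would disallow. The log lines, IP addresses and the `ExampleCrawler` agent are constructed, and the "combined" log format is an assumption about the server's configuration.

```python
import re
from collections import Counter
from urllib.robotparser import RobotFileParser

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample input (documentation IP ranges, hypothetical crawler name).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2004:03:10:01 +0800] "GET /robots.txt HTTP/1.0" 404 290 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [23/Nov/2004:03:10:02 +0800] "GET /manual/index.html HTTP/1.0" 200 8000 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [23/Nov/2004:03:10:03 +0800] "GET /manual/mod/core.html HTTP/1.0" 200 90000 "-" "ExampleCrawler/1.0"
192.0.2.10 - - [23/Nov/2004:03:10:04 +0800] "GET /index.html HTTP/1.0" 304 - "-" "ExampleCrawler/1.0"
198.51.100.7 - - [23/Nov/2004:03:11:00 +0800] "GET /index.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
not an access-log line
"""

# Only the /manual/ rule is reproduced; the post elides the other directories.
ROBOTS_TXT = "User-agent: *\nDisallow: /manual/\n"

def summarize(log_text, robots_txt):
    """Return ({(ip, agent): Counter}, number_of_unparsed_lines)."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    stats, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # keep count so malformed lines are not silently lost
            continue
        s = stats.setdefault((m["ip"], m["agent"]), Counter())
        s["requests"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        if not rules.can_fetch(m["agent"], m["path"]):
            s["disallowed"] += 1  # request the robots.txt rule asks crawlers to skip
    return stats, skipped

def top_talkers(stats, n=5):
    """Clients ordered by request count, busiest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["requests"], reverse=True)[:n]

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LOG, ROBOTS_TXT)
    for (ip, agent), s in top_talkers(stats):
        print(f'{ip:15} req={s["requests"]} bytes={s["bytes"]} '
              f'disallowed={s["disallowed"]} agent={agent}')
    print("unparsed lines:", skipped)
```

robots.txt is advisory and only well-behaved crawlers honor it, so a client whose disallowed count stays high after the file is published is worth a closer look.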
 
  


All times are GMT -5.
