Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-19-2005, 04:22 AM | #1
LQ Newbie | Registered: Feb 2005 | Posts: 9
Spike in outbound traffic- where to look?
Just wondering, when you detect a sudden big spike in traffic, are there ways to find out, whether in real time or afterwards, what the culprit might be? Not sure what to type in ssh. Checked the logs, including mail, but don't see anything suspicious.
Thx,
03-19-2005, 11:27 AM | #2
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
In real time, immediately fire up tcpdump and capture packets to get an idea of the type of traffic and destination. For a more friendly interface, try using ethereal. Using the top command can often provide you with some insight into determining which process is creating loads of traffic. Trying to identify it in hindsight is a little more difficult. Probably the best way is to use iptables to log abnormal or excessive outbound traffic. You can then use something like logwatch or syslog-ng to pull out the iptables messages and send you a summary alert.
Last edited by Capt_Caveman; 03-19-2005 at 11:29 AM.
03-19-2005, 02:11 PM | #3
LQ Newbie | Registered: Feb 2005 | Posts: 9 | Original Poster
Thanks. It seems it's a little more complicated than I expected. I tried running top, though I didn't see anything. Will running netstat using something like:
netstat -an|grep :80|awk '{print $5}'|sort |more
help if I change the port to ones often used by outbound traffic? If so, what ports should I be monitoring?
Thanks much,
03-19-2005, 04:13 PM | #4
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Netstat isn't really going to provide you much information on the relative amounts of traffic. So you couldn't really distinguish between 1 packet and 1 million packets. Top is only going to be informative if the process sending packets is CPU intensive. Something sending a few packets per second likely would not show up, but something like a udp flooder which is sending out as many packets as possible likely would.
If you really want to do real-time monitoring, use ethereal. It can show you amounts of packets captured, perform TCP stream re-assembly, and decode packet payloads. It's a great tool. If you want to do long-term traffic monitoring, you might want to look at an intrusion detection system (IDS) that has a traffic anomaly detection feature. SPADE and even Nagios might be useful.
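Post #2 suggests logging outbound traffic with iptables and having logwatch or syslog-ng pull the messages into a summary, and post #4 points out that netstat cannot tell one packet from a million. The following added example (not from the thread or any poster) shows the summarising step: it parses the kernel log lines an iptables LOG target writes, aggregates the IP LEN field per destination, protocol and port, and flags destinations over a byte threshold. The LOG rule in the comment, the hostname and all addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of kernel log lines in the format the iptables LOG target emits.
# A rule such as this one (an assumption for the example, not from the thread) produces them;
# the limit match keeps a traffic spike from also flooding syslog:
#   iptables -A OUTPUT -o eth0 -m limit --limit 50/s -j LOG --log-prefix "OUT: "
SAMPLE_LOG = """\
Mar 19 04:10:01 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 19 04:10:02 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 19 04:10:03 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=53
Mar 19 04:10:04 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.99 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43300 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 19 04:10:04 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.99 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=43300 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 19 04:10:05 host kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

# The first LEN= after DST= is the IP total length; SPT/DPT are absent for ICMP, so they are optional.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def summarize_outbound(log_text):
    """Aggregate logged packets per (dst, proto, dport); rows sorted by bytes, largest first."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # not an iptables LOG line (other kernel or syslog noise); skip it
            continue
        key = (m["dst"], m["proto"], m["dpt"] or "-")
        totals[key]["packets"] += 1
        totals[key]["bytes"] += int(m["len"])
    rows = [{"dst": d, "proto": p, "dport": dp, **v} for (d, p, dp), v in totals.items()]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def flag_heavy_destinations(log_text, byte_threshold):
    """The 'summary alert' step: destinations whose logged bytes exceed the threshold."""
    return [r for r in summarize_outbound(log_text) if r["bytes"] > byte_threshold]


if __name__ == "__main__":
    for r in summarize_outbound(SAMPLE_LOG):
        print(f"{r['dst']:>16} {r['proto']:<5} dport={r['dport']:<5} pkts={r['packets']:<3} bytes={r['bytes']}")
```

Because the LOG rule above is rate-limited, the byte totals are a sample, not an exact count; for exact per-rule byte counters without logging every packet, `iptables -L OUTPUT -v -n -x` reads the kernel's own accounting.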