Help finding causes of high broadcast traffic on solaris

ginda · 09-17-2012, 03:13 AM

We have a solaris 10 server that had a period of high network broadcast traffic for some unknown reason a few week back, could someone please advise what I could check to find the cause

Thanks in advance

tronayne · 09-17-2012, 07:58 AM

You might want to start with the logs; messages, secure, syslog, access_log, error_log (those two from your Apache installation), possibly mail, cron and NTP (if you log it). Probably not going to find much from a few weeks ago but it might be worth a shot. Look though any other logs you may have while you're at it.

A good tool to install for monitoring network traffic is NTOP (http://www.ntop.org/). 'Course that would be after the horse already left the barn but for the future, eh? NTOP will show you graphically what's going on now (and what's been going on over time) that might point you in a direction.

If there's no records to look at and it only happened once and hasn't happened again, well, chalk it up to the ghosts in the machine -- but more likely a user being naughty or somebody trying to hack you, hopefully unsuccessfully.

Hope this helps some.

ginda · 09-17-2012, 09:24 AM

Thanks for your reply, i am not able to install any new tools such as dtrace or ntop. The issue is still happening, its basically high broadcast traffic. Need a way to identify what is causing the high traffic

jlliagre · 09-17-2012, 04:22 PM

Quote:

Originally Posted by ginda

Thanks for your reply, i am not able to install any new tools such as dtrace or ntop.

dtrace is not a tool you need to install, it's part of the base OS.

Quote:

The issue is still happening, its basically high broadcast traffic. Need a way to identify what is causing the high traffic

How do you measure this high broadcast traffic and where ?

snoop is the basic Solaris tool to capture network traffic and start investigating it.