Steve Campbell
2012-Jun-14 17:07 UTC
[CentOS] OT - Is there a package to monitor network traffic
We have a situation here that is a real mystery.

Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.

Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?

Thanks for any help.

steve campbell
Mike McCarthy
2012-Jun-14 17:13 UTC
[CentOS] OT - Is there a package to monitor network traffic
How about tcpdump?

Mike

On 06/14/2012 01:07 PM, Steve Campbell wrote:
> We have a situation here that is a real mystery.
>
> Our MRTG on our outgoing router and a firewall server that protects our
> web servers is showing a spike every six hours. I can't find the server
> behind the firewall that is generating such an extreme amount of
> packets, even though I've looked through the crontabs of nearly all
> servers, performed "ps" variations, and other types of investigation.
>
> Is there any type of package I can install that will monitor traffic and
> report abnormal, over-threshold packets similar to what wireshark might
> do in a manner that would allow me to determine where these packets
> might be going or from where they originate?
>
> Thanks for any help.
>
> steve campbell
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Les Mikesell
2012-Jun-14 17:40 UTC
[CentOS] OT - Is there a package to monitor network traffic
On Thu, Jun 14, 2012 at 12:07 PM, Steve Campbell <campbell at cnpapers.com> wrote:
> We have a situation here that is a real mystery.
>
> Our MRTG on our outgoing router and a firewall server that protects our
> web servers is showing a spike every six hours. I can't find the server
> behind the firewall that is generating such an extreme amount of
> packets, even though I've looked through the crontabs of nearly all
> servers, performed "ps" variations, and other types of investigation.
>
> Is there any type of package I can install that will monitor traffic and
> report abnormal, over-threshold packets similar to what wireshark might
> do in a manner that would allow me to determine where these packets
> might be going or from where they originate?

If you can catch it while the event is happening, wireshark can help you analyze the traffic. Do a short capture, then Statistics/Conversation list/ipv4 (or endpoint/ipv4) will give you a sortable list of the bulk of the traffic.

If you are monitoring the traffic on all interfaces and switch ports with SNMP (Cacti/OpenNMS etc.) you would probably see it too. OpenNMS generates nightly reports of 'top 20' interface usage although backups sometimes show up there.

'Ntop' is also good at identifying traffic and can summarize in different ways, but you have to run it on the server where the traffic is happening.

--
Les Mikesell
lesmikesell at gmail.com
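The "short capture, then sort the conversation list" approach Les describes can also be done from the command line on the firewall when no GUI is at hand. The script below is an added example, not code from the thread or from any of the tools named in it: it reads tcpdump-style text lines (the line shape is assumed to be that of `tcpdump -nn` output, with a trailing `length N`), tallies packets and bytes per IPv4 endpoint pair regardless of direction, sorts the pairs by bytes like Wireshark's Statistics > Conversations > IPv4 view, and flags pairs above a byte threshold. The capture lines embedded in it are constructed for the example.

```python
"""Build a sorted IPv4 "conversation list" from tcpdump text output.

Added example: summarize a short capture into endpoint pairs ranked by bytes,
so the host responsible for a traffic spike stands out. Line format assumed:
  17:07:01.000100 IP 10.0.0.5.443 > 192.0.2.10.51234: Flags [P.], ..., length 1448
"""
import re
import sys
from collections import defaultdict

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>: ... length <n>"
# (TCP, UDP and ICMP lines from tcpdump -nn all end in "length <n>").
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?length (?P<len>\d+)'
)

# Constructed sample capture (not real traffic); one non-matching line is
# included to show that unparseable lines are skipped rather than fatal.
SAMPLE_CAPTURE = """\
17:07:01.000100 IP 10.0.0.5.443 > 192.0.2.10.51234: Flags [P.], seq 1:1449, ack 1, win 501, length 1448
17:07:01.000200 IP 192.0.2.10.51234 > 10.0.0.5.443: Flags [.], ack 1449, win 2048, length 0
17:07:01.000300 IP 10.0.0.7.123 > 10.0.0.1.123: NTPv4, Client, length 48
17:07:01.000400 IP 10.0.0.5.443 > 192.0.2.10.51234: Flags [P.], seq 1449:2897, ack 1, win 501, length 1448
17:07:01.000500 IP 10.0.0.9.22 > 10.0.0.3.40000: Flags [P.], seq 1:101, ack 1, win 501, length 100
this line is not a packet and is ignored
"""


def parse_line(line):
    """Return (src_ip, dst_ip, payload_len) for a tcpdump line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group('src'), m.group('dst'), int(m.group('len'))


def conversations(lines):
    """Return [(endpoint_a, endpoint_b, packets, bytes), ...] sorted by bytes
    descending. Endpoints are sorted within each pair so that A->B and B->A
    packets are counted as one conversation, as Wireshark does."""
    stats = defaultdict(lambda: [0, 0])  # pair -> [packets, bytes]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, length = parsed
        key = tuple(sorted((src, dst)))
        stats[key][0] += 1
        stats[key][1] += length
    return sorted(((a, b, p, n) for (a, b), (p, n) in stats.items()),
                  key=lambda t: t[3], reverse=True)


def over_threshold(convs, byte_threshold):
    """Conversations whose byte total meets or exceeds the threshold."""
    return [c for c in convs if c[3] >= byte_threshold]


def main(argv):
    # Read a saved tcpdump text file if given, otherwise use the sample.
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 \
        else SAMPLE_CAPTURE.splitlines()
    threshold = int(argv[2]) if len(argv) > 2 else 1000
    print(f"{'endpoint A':<16} {'endpoint B':<16} {'pkts':>6} {'bytes':>10}")
    for a, b, pkts, nbytes in conversations(lines):
        flag = '  <-- over threshold' if nbytes >= threshold else ''
        print(f"{a:<16} {b:<16} {pkts:>6} {nbytes:>10}{flag}")


if __name__ == '__main__':
    main(sys.argv)
```

To use it on the firewall, run a capture for a minute around the expected spike time (`tcpdump -nn -i eth0 > spike.txt`) and then feed the file to the script; the top row is the endpoint pair that accounts for most of the bytes, which answers the "where is it going / where does it come from" question directly.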
Ross Walker
2012-Jun-14 22:44 UTC
[CentOS] OT - Is there a package to monitor network traffic
On Jun 14, 2012, at 1:07 PM, Steve Campbell <campbell at cnpapers.com> wrote:
> We have a situation here that is a real mystery.
>
> Our MRTG on our outgoing router and a firewall server that protects our
> web servers is showing a spike every six hours. I can't find the server
> behind the firewall that is generating such an extreme amount of
> packets, even though I've looked through the crontabs of nearly all
> servers, performed "ps" variations, and other types of investigation.
>
> Is there any type of package I can install that will monitor traffic and
> report abnormal, over-threshold packets similar to what wireshark might
> do in a manner that would allow me to determine where these packets
> might be going or from where they originate?

Set up a nettop server and netflow on the routing interfaces and you will find your culprit.

-Ross
Giles Coochey
2012-Jun-15 10:43 UTC
[CentOS] OT - Is there a package to monitor network traffic
On 14/06/2012 18:07, Steve Campbell wrote:
> We have a situation here that is a real mystery.
>
> Our MRTG on our outgoing router and a firewall server that protects our
> web servers is showing a spike every six hours. I can't find the server
> behind the firewall that is generating such an extreme amount of
> packets, even though I've looked through the crontabs of nearly all
> servers, performed "ps" variations, and other types of investigation.
>
> Is there any type of package I can install that will monitor traffic and
> report abnormal, over-threshold packets similar to what wireshark might
> do in a manner that would allow me to determine where these packets
> might be going or from where they originate?

I used to quite like iptraf for a quick summary view of the traffic use. Don't know if there is a CentOS package for it.

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net