Hi, I have a xen hosting node, and I found a strange thing that the vps receives about houdreds MB of income traffic everyday even if there is nothing running in that VPS. so I used tcpdump to monitor the traffic in that vps, and found that these unknown incoming traffic belonged to other VPS. Can one explain this? Thanks. _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Can you provide the output which caused you to think this On Thu, Dec 24, 2009 at 3:58 PM, Jingyun He <jingyun.ho@gmail.com> wrote:> Hi, > I have a xen hosting node, and I found a strange thing that the vps > receives about houdreds MB of income traffic everyday even if there is > nothing running in that VPS. > > so I used tcpdump to monitor the traffic in that vps, and found that > these unknown incoming traffic belonged to other VPS. > > Can one explain this? > > Thanks. > > _______________________________________________ > Xen-users mailing list > Xen-users@lists.xensource.com > http://lists.xensource.com/xen-users >-- http://www.abhitech.com _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
On Thu, Dec 24, 2009 at 5:28 PM, Jingyun He <jingyun.ho@gmail.com> wrote:> so I used tcpdump to monitor the traffic in that vps, and found that > these unknown incoming traffic belonged to other VPS.What kind? arp? ICMP? UDP? TCP? If you use bridged setup, linux bridge should be smart enough to act as smart L2 switch so that most traffic will only go to the correct port/interface. However, some traffic (like arp, broadcast, or multicast) will go to all ports, and there''s not much you can do about that. -- Fajar _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Hi, this does not happen every minute, about 2-3 times a day, and every time, it lasts only a few minutes. I just run tcpdump for a few hours, and finally catch the following log, Note: xx.xx.198.137 is the ip of the vps I monitored. xx.xx.*.* are the IPs of other VPS in the same node. 20:58:32.989397 IP xx.xx.211.92.http > 117.72.30.40.20552: P 5841:6688(847) ack 0 win 6432 20:58:32.989542 IP xx.xx.211.92.http > 123.12.61.82.ms-olap3: . 2785:6961(4176) ack 628 win 222 20:58:32.991347 IP 60.183.107.50.rfio > xx.xx.211.92.http: . ack 204 win 65126 20:58:33.035922 IP xx.xx.198.132.http > 120.195.63.68.50868: F 387410363:387410363(0) ack 1511956329 win 64 20:58:33.161251 IP 78.140.135.88.http > xx.xx.198.143.46752: FP 8760:10804(2044) ack 1 win 14 20:58:33.161761 IP 58.35.202.245.50457 > xx.xx.198.144.http: . ack 1 win 16560 20:58:33.161837 IP 120.84.138.36.3981 > xx.xx.211.90.http: P 281:552(271) ack 18274 win 65535 20:58:33.161925 IP 58.35.202.245.50457 > xx.xx.198.144.http: P 1:587(586) ack 1 win 16560 20:58:33.162031 IP 218.9.169.49.ndm-server > xx.xx.198.132.http: . ack 159 win 65377 20:58:33.162133 IP 58.35.202.245.50454 > xx.xx.198.144.http: . ack 146 win 16524 20:58:33.162235 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http: . ack 2881 win 17280 20:58:33.162343 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http: . ack 4321 win 17280 20:58:33.164652 IP 121.235.117.181.64640 > xx.xx.211.92.http: . ack 30002 win 16560 20:58:33.164723 IP 114.223.45.164.46063 > xx.xx.211.68.http: . ack 11520 win 5760 20:58:33.164778 IP 117.40.139.233.gsi > xx.xx.198.132.http: P 4140074179:4140074716(537) ack 383888910 win 63532 20:58:33.164836 IP 58.246.152.142.52171 > xx.xx.198.164.http: . ack 204 win 64565 20:58:33.164993 IP 72.247.74.110.https > xx.xx.198.143.24135: P 29614:32534(2920) ack 898 win 1940 20:58:33.165494 IP 72.247.74.110.https > xx.xx.198.143.24135: P 32534:41294(8760) ack 898 win 1940 On Thu, Dec 24, 2009 at 1:55 PM, Fajar A. Nugraha <fajar@fajar.net> wrote:> On Thu, Dec 24, 2009 at 5:28 PM, Jingyun He <jingyun.ho@gmail.com> wrote: >> so I used tcpdump to monitor the traffic in that vps, and found that >> these unknown incoming traffic belonged to other VPS. > > What kind? arp? ICMP? UDP? TCP? > > If you use bridged setup, linux bridge should be smart enough to act > as smart L2 switch so that most traffic will only go to the correct > port/interface. However, some traffic (like arp, broadcast, or > multicast) will go to all ports, and there''s not much you can do about > that. > > -- > Fajar >_______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
On Thu, Dec 24, 2009 at 8:36 PM, Jingyun He <jingyun.ho@gmail.com> wrote:> Hi, this does not happen every minute, about 2-3 times a day, and > every time, it lasts only a few minutes.and that few minutes causes hundreds of MBs? weird.> I just run tcpdump for a few hours, and finally catch the following log, > > Note: > xx.xx.198.137 is the ip of the vps I monitored. > xx.xx.*.* are the IPs of other VPS in the same node. > > > 20:58:32.989397 IP xx.xx.211.92.http > 117.72.30.40.20552: P > 5841:6688(847) ack 0 win 6432Have you asked your hosting provider about this? It seems to me that your provider might have done something to the bridge settings, possibly reducing aging time or something, causing it to lose track quickly of what MACs are on which port/interface. When that happens the bridge would just send the traffic to all ports. -- Fajar _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Hi, look at the traffic graph of three vps from the same node. You are right, seems the bridge sent the traffic to all the port. I use gitco pre-compiled xen kernel, and just setup the server in the normal way, nothing special. the xen versions are from 3.3.1 to 3.4.2, all of these servers have this problem. Can you give me more advice to find out the detail of the problem? Thank you very much. On Thu, Dec 24, 2009 at 3:47 PM, Fajar A. Nugraha <fajar@fajar.net> wrote:> On Thu, Dec 24, 2009 at 8:36 PM, Jingyun He <jingyun.ho@gmail.com> wrote: >> Hi, this does not happen every minute, about 2-3 times a day, and >> every time, it lasts only a few minutes. > > and that few minutes causes hundreds of MBs? weird. > >> I just run tcpdump for a few hours, and finally catch the following log, >> >> Note: >> xx.xx.198.137 is the ip of the vps I monitored. >> xx.xx.*.* are the IPs of other VPS in the same node. >> >> >> 20:58:32.989397 IP xx.xx.211.92.http > 117.72.30.40.20552: P >> 5841:6688(847) ack 0 win 6432 > > Have you asked your hosting provider about this? It seems to me that > your provider might have done something to the bridge settings, > possibly reducing aging time or something, causing it to lose track > quickly of what MACs are on which port/interface. When that happens > the bridge would just send the traffic to all ports. > > -- > Fajar >_______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
On Fri, Dec 25, 2009 at 1:29 AM, Jingyun He <jingyun.ho@gmail.com> wrote:> Hi, look at the traffic graph of three vps from the same node. > You are right, seems the bridge sent the traffic to all the port. > > I use gitco pre-compiled xen kernel, and just setup the server in the > normal way, nothing special. > the xen versions are from 3.3.1 to 3.4.2, all of these servers have > this problem. > > Can you give me more advice to find out the detail of the problem? >Since it''s definitely bridge issue, there''s not much more I can help you with. Perhaps the people on Bridge mailing list can help you better, http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#Contact_Info -- Fajar _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Thanks any way, you helped me a lot, but I still do not understand, why this only happens two or three times per day. And I can see that every interfaces has many packets dropped, TX packets:14560 errors:0 dropped:6678 overruns:0 carrier:0 On Thu, Dec 24, 2009 at 11:09 PM, Fajar A. Nugraha <fajar@fajar.net> wrote:> On Fri, Dec 25, 2009 at 1:29 AM, Jingyun He <jingyun.ho@gmail.com> wrote: >> Hi, look at the traffic graph of three vps from the same node. >> You are right, seems the bridge sent the traffic to all the port. >> >> I use gitco pre-compiled xen kernel, and just setup the server in the >> normal way, nothing special. >> the xen versions are from 3.3.1 to 3.4.2, all of these servers have >> this problem. >> >> Can you give me more advice to find out the detail of the problem? >> > > Since it''s definitely bridge issue, there''s not much more I can help > you with. Perhaps the people on Bridge mailing list can help you > better, http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#Contact_Info > > -- > Fajar >_______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users