Re: OT - Is there a package to monitor network traffic




On Thu, Jun 14, 2012 at 12:07 PM, Steve Campbell <campbell@xxxxxxxxxxxx> wrote:
> We have a situation here that is a real mystery.
>
> Our MRTG on our outgoing router  and a firewall server that protects our
> web servers is showing a spike every six hours. I can't find the server
> behind the firewall that is generating such an extreme amount of
> packets, even though I've looked through the crontabs of nearly all
> servers, performed "ps" variations, and other types of investigation.
>
> Is there any type of package I can install that will monitor traffic and
> report abnormal, over-threshold packets similar to what wireshark might
> do in a manner that would allow me to determine where these packets
> might be going or from where they originate?

If you can catch it while the event is happening, wireshark can help
you analyze the traffic.  Do a short capture, then
Statistics/Conversation list/ipv4 (or endpoint/ipv4) will give you a
sortable list of the bulk of the traffic.

If you are monitoring the traffic on all interfaces and switch ports
with SNMP (Cacti/OpenNMS etc.) you would probably see it too.  OpenNMS
generates nightly reports of 'top 20' interface usage although backups
sometimes show up there.   'Ntop' is also good at identifying traffic
and can summarize in different ways, but you have to run it on the
server where the traffic is happening.

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
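
The per-conversation byte ranking that the reply gets from Wireshark's conversation list can also be computed offline from a saved capture. The following is an added example, not part of the original post: the function names are assumptions, the sample capture is constructed with documentation-range addresses, and it handles only classic pcap files with Ethernet framing.

```python
import socket
import struct
from collections import Counter

def ipv4_conversations(pcap: bytes):
    """Return [((addr_a, addr_b), packets, bytes), ...], largest byte count first."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    packets, octets = Counter(), Counter()
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(endian + "II", pcap[offset + 8:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if len(frame) < l3 + 20 or frame[l3 - 2:l3] != b"\x08\x00":
            continue  # not IPv4, or header cut off by the snap length
        src = socket.inet_ntoa(frame[l3 + 12:l3 + 16])
        dst = socket.inet_ntoa(frame[l3 + 16:l3 + 20])
        pair = tuple(sorted((src, dst)))  # both directions are one conversation
        packets[pair] += 1
        octets[pair] += orig_len  # length on the wire, not the captured length
    return [(pair, packets[pair], total) for pair, total in octets.most_common()]

def sample_capture() -> bytes:
    """Constructed capture: headers only, documentation-range addresses."""
    def record(src, dst, wire_len):
        frame = (b"\x00" * 12 + b"\x08\x00" + b"\x45\x00" + b"\x00" * 10
                 + socket.inet_aton(src) + socket.inet_aton(dst))
        return struct.pack("<IIII", 0, 0, len(frame), wire_len) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += record("192.0.2.10", "198.51.100.7", 1500) * 3
    out += record("198.51.100.7", "192.0.2.10", 60)
    out += record("192.0.2.20", "192.0.2.1", 200) * 2
    return out

if __name__ == "__main__":
    for (a, b), count, total in ipv4_conversations(sample_capture()):
        print(f"{a:<15} <-> {b:<15} {count:>6} packets {total:>10} bytes")
```

Feed it the bytes of a capture saved while the spike is in progress; the first row is the address pair responsible for the most traffic.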


