> I agree this is strange, because the default TIME_WAIT timeout value is 2 > minutes (you haven't increased this, have you?), therefore this would suggest > that nearly 24000 connections through your firewall were completed during the > past two minutes... This seems unlikely, especially in light of the number > (883) you have in progress right now. yes it's still à 2 min > If you "grep TIME_WAIT /proc/net/ip_conntrack | more", do you see nearly all > entries with the same source and/or destination address? If so, investigate > that machine..... unfortunately not ... > If not, I suggest a network sniffer (eg: ethereal) or some netfilter LOGging > rules to see if you can identify what all this traffic is. how can I do that ? could u help me achieving this ? I've installed tcpdump and logged all connections between 4AM and 6AM but it's not easy to find something ... could it come from the firewall ? thanks for your help
