[CentOS] Outbound traffic spike every 30 minutes
Heiko Specht
h.specht at oth-aw.de
Wed Dec 4 09:47:45 UTC 2013
Hi,
I agree with Mark.
Maybe iftop -P would work for you...
And if you can determine a port from iftop, you could run lsof -Pn | grep :<Port> to list the daemon which uses this port.
That is what I would try.
Heiko
>>> <m.roth at 5-cent.us> 03.12.2013 23:15 >>>
Bowie Bailey wrote:
> On 12/3/2013 4:49 PM, m.roth at 5-cent.us wrote:
>> Bowie Bailey wrote:
>>> Since Sunday morning, one of my CentOS servers has been generating a
>>> small spike of outbound traffic every 30 minutes (X:00 and X:30). It's
>>> not enough traffic to really cause any notice except for the fact that
>>> it is a very regular pattern and it started abruptly at midnight
>>> Sunday.
>>>
>>> This server is used for mail (Courier-MTA), and DNS (Bind). I cannot
>>> find anything unusual in either of those logs. I tried grepping
>>> through my firewall logs, but have been unable to find anything useful
>>> there either. I don't see any cron jobs that would generate network
>>> traffic.
>>>
>>> Any suggestions how I can go about tracking this down?
>> Run rkhunter?
>>
>> Actually, if it's that regular, you could run tcpdump when you expect
>> it.
>
> rkhunter complained about a few files, but "rpm --verify" doesn't flag
> any of them. Other than that, just a few insecure settings and out of
> date programs, which are not ideal, but do not indicate a problem on
> their own.
>
> I could try running tcpdump or wireshark, but that's going to generate a
> lot of data and I'm not sure how to go about filtering it. I know the
> spike happens on the hour and half hour, but my traffic monitor does not
> give me enough detail to see exactly when it starts or exactly how long
> it lasts and I don't know what protocol or port I'm looking for.
>
Dumb idea: run top and see if something spikes.
mark
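The approach discussed in this thread (capture only around the spike, rank the outbound destinations, then map the port to a process), as an added example that is not part of any poster's message. The interface name, the address 192.0.2.10, the output path and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: interface eth0 and
# server address 192.0.2.10 (documentation range); override via environment.
IFACE="${IFACE:-eth0}"
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"

# Capture only packet headers (-s 96) sent by this host for 4 minutes, which
# keeps the file small. Start it from cron at minutes 28 and 58 so the
# window brackets X:00 and X:30.
capture_window() {
    out="/var/tmp/spike-$(date +%Y%m%d-%H%M).pcap"
    timeout 240 tcpdump -i "$IFACE" -nn -s 96 -w "$out" "src host $LOCAL_IP" >&2
    echo "$out"
}

# Read `tcpdump -nn -q -tttt` text on stdin and print one line per minute and
# destination, "payload_bytes HH:MM dst.port", largest first.
top_talkers() {
    awk -v me="$LOCAL_IP" '
        $3 == "IP" && index($4, me ".") == 1 && $NF ~ /^[0-9]+$/ {
            dst = $6; sub(/:$/, "", dst)
            bytes[substr($2, 1, 5) " " dst] += $NF
        }
        END { for (k in bytes) print bytes[k], k }' | sort -rn
}

# Constructed sample lines in tcpdump -q format (not real traffic).
sample_capture() {
    cat <<'EOF'
2013-12-04 09:29:58.100000 IP 192.0.2.10.25 > 198.51.100.7.40112: tcp 120
2013-12-04 09:30:01.200000 IP 192.0.2.10.51234 > 203.0.113.5.8443: tcp 1400
2013-12-04 09:30:01.300000 IP 192.0.2.10.51234 > 203.0.113.5.8443: tcp 1400
2013-12-04 09:30:02.000000 IP 198.51.100.7.40112 > 192.0.2.10.25: tcp 0
2013-12-04 09:30:03.000000 IP 192.0.2.10.53 > 198.51.100.9.33000: UDP, length 80
EOF
}

# The lsof step from the thread, using lsof's own -i filter instead of grep.
who_owns_port() { lsof -Pn -i ":$1"; }

# Run as root with the argument "capture" to record one window and rank it.
if [ "${1:-}" = "capture" ]; then
    pcap=$(capture_window)
    tcpdump -nn -q -tttt -r "$pcap" | top_talkers | head -n 20
fi
```

A destination that tops the list only in the :00 and :30 minutes is the one to pass to who_owns_port while the connection is still open.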