Since Sunday morning, one of my CentOS servers has been generating a small spike of outbound traffic every 30 minutes (X:00 and X:30). It's not enough traffic to really cause any notice except for the fact that it is a very regular pattern and it started abruptly at midnight Sunday.
This server is used for mail (Courier-MTA), and DNS (Bind). I cannot find anything unusual in either of those logs. I tried grepping through my firewall logs, but have been unable to find anything useful there either. I don't see any cron jobs that would generate network traffic.
Any suggestions how I can go about tracking this down?
Bowie Bailey wrote:
> Since Sunday morning, one of my CentOS servers has been generating a small spike of outbound traffic every 30 minutes (X:00 and X:30). It's not enough traffic to really cause any notice except for the fact that it is a very regular pattern and it started abruptly at midnight Sunday.
> This server is used for mail (Courier-MTA), and DNS (Bind). I cannot find anything unusual in either of those logs. I tried grepping through my firewall logs, but have been unable to find anything useful there either. I don't see any cron jobs that would generate network traffic.
> Any suggestions how I can go about tracking this down?
Run rkhunter?
Actually, if it's that regular, you could run tcpdump when you expect it.
mark
On 12/3/2013 4:49 PM, m.roth@5-cent.us wrote:
> Run rkhunter?
> Actually, if it's that regular, you could run tcpdump when you expect it.
rkhunter complained about a few files, but "rpm --verify" doesn't flag any of them. Other than that, just a few insecure settings and out of date programs, which are not ideal, but do not indicate a problem on their own.
I could try running tcpdump or wireshark, but that's going to generate a lot of data and I'm not sure how to go about filtering it. I know the spike happens on the hour and half hour, but my traffic monitor does not give me enough detail to see exactly when it starts or exactly how long it lasts and I don't know what protocol or port I'm looking for.
Bowie Bailey wrote:
> rkhunter complained about a few files, but "rpm --verify" doesn't flag any of them. Other than that, just a few insecure settings and out of date programs, which are not ideal, but do not indicate a problem on their own.
> I could try running tcpdump or wireshark, but that's going to generate a lot of data and I'm not sure how to go about filtering it. I know the spike happens on the hour and half hour, but my traffic monitor does not give me enough detail to see exactly when it starts or exactly how long it lasts and I don't know what protocol or port I'm looking for.
Dumb idea: run top and see if something spikes.
mark
Hi, I agree with Mark. Maybe iftop -P would work for you... and if you can determine a port from iftop, you could run lsof -Pn | grep :<Port> to list the daemon which uses this port.
That is what I would try.
Heiko
m.roth@5-cent.us 03.12.2013 23:15 >>>
> Dumb idea: run top and see if something spikes.
> mark
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 12/4/2013 4:47 AM, Heiko Specht wrote:
> Hi, I agree with Mark. Maybe iftop -P would work for you... and if you can determine a port from iftop, you could run lsof -Pn | grep :<Port> to list the daemon which uses this port.
> That is what I would try.
> Heiko
iftop helped me track it down. It was actually starting at :05 and :25. One of my email clients received a 20M email and was having problems downloading it. Every 30 minutes, the pop client would connect, try to download the emails, and then disconnect after 2 minutes.
Thanks for the suggestions everyone!
On 03.12.2013 22:13, Bowie Bailey wrote:
> I could try running tcpdump or wireshark, but that's going to generate a lot of data and I'm not sure how to go about filtering it.
Not necessarily, you just need to look at the packets for 0 and 30; I think this is definitely THE way to go about it. http://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
In addition jnettop could be helpful as well.
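Putting the thread's advice together (a capture timed to the :00/:30 boundary as Mark and the last reply suggest, then a per-port summary whose busiest port can be handed to lsof as Heiko suggests), here is an added shell example. It is not code posted in the thread. It assumes GNU coreutils `timeout` is installed, that tcpdump is run with `-nn -q` so its text lines look like the constructed sample in `sample_capture`, and that the interface name, local address and function names are placeholders chosen for the example; the byte figures are tcpdump's payload lengths, not wire bytes.

```shell
#!/bin/sh
# Added example, not from the thread: bounded tcpdump capture around the next
# half-hour boundary, then a per-minute/per-port byte summary of outbound
# traffic so the busiest local port can be matched to a daemon with lsof.
# Assumptions: GNU coreutils `timeout`; tcpdump run with `-nn -q` so lines
# look like the constructed sample below; counts are payload lengths.

# seconds_until_boundary HH:MM:SS LEAD_SECS
# Prints how long to sleep so a capture starts LEAD_SECS before the next
# :00 or :30 mark (wrapping to the following boundary if that one is too close).
seconds_until_boundary() {
  t=$1; lead=${2:-0}
  h=${t%%:*}; rest=${t#*:}; m=${rest%%:*}; s=${rest#*:}
  h=${h#0}; m=${m#0}; s=${s#0}            # "08" would otherwise be read as octal
  sod=$(( h * 3600 + m * 60 + s ))        # seconds since midnight
  wait=$(( 1800 - sod % 1800 - lead ))    # exactly on a boundary -> aim at the next one
  if [ "$wait" -lt 0 ]; then wait=$(( wait + 1800 )); fi
  echo "$wait"
}

# summarize_outbound LOCAL_IP < tcpdump-text
# Sums bytes sent from LOCAL_IP per minute and local source port, busiest first.
# Only TCP ("tcp N") and UDP ("UDP, length N") lines in `-nn -q` format count.
summarize_outbound() {
  awk -v me="$1" '
    $2 == "IP" && index($3, me ".") == 1 {
      port = $3; sub(/.*\./, "", port)      # local port is the last dotted field
      minute = substr($1, 1, 5)             # HH:MM
      if ($6 == "tcp")       bytes = $7
      else if ($6 == "UDP,") bytes = $8
      else next
      total[minute " " port] += bytes
    }
    END { for (k in total) print k, total[k] }
  ' | sort -k3,3nr
}

# Constructed sample of `tcpdump -nn -q` output (not a real capture): a POP3
# session on port 110 dominating one minute, plus a little DNS and SMTP.
sample_capture() {
  cat <<'EOF'
16:05:01.118 IP 192.0.2.10.110 > 198.51.100.7.52311: tcp 1448
16:05:01.120 IP 192.0.2.10.110 > 198.51.100.7.52311: tcp 1448
16:05:02.004 IP 192.0.2.10.53 > 203.0.113.9.41022: UDP, length 120
16:05:03.771 IP 198.51.100.7.52311 > 192.0.2.10.110: tcp 0
16:06:10.500 IP 192.0.2.10.25 > 203.0.113.30.34120: tcp 512
16:07:00.009 IP 192.0.2.10.110 > 198.51.100.7.52380: tcp 1448
EOF
}

# run_capture IFACE LOCAL_IP [LEAD_SECS] [WINDOW_SECS]
# Sleeps until shortly before the next boundary, captures only outbound packets
# for WINDOW_SECS (default: start 2 min early, watch 10 min), prints top ports.
# Needs root for tcpdump; not invoked here so the file can be sourced safely.
run_capture() {
  iface=$1; me=$2; lead=${3:-120}; window=${4:-600}
  wait=$(seconds_until_boundary "$(date +%H:%M:%S)" "$lead")
  out="/tmp/outbound-$(date +%Y%m%d-%H%M).txt"
  echo "sleeping ${wait}s, then capturing ${window}s on $iface to $out" >&2
  sleep "$wait"
  timeout "$window" tcpdump -nn -q -l -i "$iface" "src host $me" > "$out"
  summarize_outbound "$me" < "$out" | head -n 10
  echo "map the busiest port to its daemon with: lsof -Pn -i :<port>" >&2
}
# Usage (as root), e.g.: run_capture eth0 192.0.2.10
# Offline check against the constructed sample: sample_capture | summarize_outbound 192.0.2.10
```

The summary deliberately keys on minute as well as port, because the thread's spike turned out to start a few minutes off the boundary; a per-minute breakdown shows both the port and the actual start time that the traffic graph could not resolve.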