On Jun 14, 2012, at 6:44 PM, Ross Walker <rswwalker at gmail.com> wrote:

> On Jun 14, 2012, at 1:07 PM, Steve Campbell <campbell at cnpapers.com> wrote:
>
>> We have a situation here that is a real mystery.
>>
>> Our MRTG on our outgoing router and a firewall server that protects our
>> web servers is showing a spike every six hours. I can't find the server
>> behind the firewall that is generating such an extreme amount of
>> packets, even though I've looked through the crontabs of nearly all
>> servers, performed "ps" variations, and other types of investigation.
>>
>> Is there any type of package I can install that will monitor traffic and
>> report abnormal, over-threshold packets similar to what wireshark might
>> do in a manner that would allow me to determine where these packets
>> might be going or from where they originate?
>
> Set up a nettop server and netflow on the routing interfaces and you will find your culprit.

Nettop -> ntop

-Ross
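
The kind of analysis flow data makes possible for the question above, as an added example that is not part of the original thread: bucket flow records by time, flag buckets whose packet count is far above the median, and name the source/destination pair responsible. The record layout `(epoch_s, src, dst, packets)`, the addresses, and the sample data are constructed assumptions, not the output format of ntop or any particular NetFlow collector.

```python
from collections import defaultdict
from statistics import median

def sample_flows():
    """Constructed 24 h of flow records: (epoch_s, src, dst, packets)."""
    flows = []
    for ts in range(0, 86400, 300):
        flows.append((ts, "10.0.0.11", "198.51.100.7", 120))
        flows.append((ts + 60, "10.0.0.12", "198.51.100.8", 80))
        if ts % 21600 == 0:  # constructed burst every six hours
            flows.append((ts + 30, "10.0.0.23", "203.0.113.9", 50000))
    return flows

def bucket_totals(flows, width=300):
    """Sum packets per time bucket, and per (src, dst) pair in each bucket."""
    totals = defaultdict(int)
    pairs = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, pkts in flows:
        bucket = ts - ts % width
        totals[bucket] += pkts
        pairs[bucket][(src, dst)] += pkts
    return totals, pairs

def find_spikes(flows, width=300, factor=5):
    """Return (bucket, total, top_pair, top_pair_packets) for each bucket
    whose packet total exceeds factor times the median bucket total."""
    totals, pairs = bucket_totals(flows, width)
    baseline = median(totals.values())
    spikes = []
    for bucket in sorted(totals):
        if totals[bucket] > factor * baseline:
            pair, pkts = max(pairs[bucket].items(), key=lambda kv: kv[1])
            spikes.append((bucket, totals[bucket], pair, pkts))
    return spikes

def spike_gaps(spikes):
    """Seconds between consecutive spike buckets, to confirm the period."""
    times = [s[0] for s in spikes]
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    found = find_spikes(sample_flows())
    for bucket, total, (src, dst), pkts in found:
        print(f"t={bucket:>6}s total={total} top={src} -> {dst} ({pkts} pkts)")
    print("gaps between spikes (s):", spike_gaps(found))
```

Using the median as the baseline keeps the spike buckets themselves from inflating the threshold, which a mean would do.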