Bowie Bailey wrote:
> On 12/3/2013 4:49 PM, m.roth at 5-cent.us wrote:
>> Bowie Bailey wrote:
>>> Since Sunday morning, one of my CentOS servers has been generating a
>>> small spike of outbound traffic every 30 minutes (X:00 and X:30). It's
>>> not enough traffic to really cause any notice except for the fact that
>>> it is a very regular pattern and it started abruptly at midnight
>>> Sunday.
>>>
>>> This server is used for mail (Courier-MTA), and DNS (Bind). I cannot
>>> find anything unusual in either of those logs. I tried grepping
>>> through my firewall logs, but have been unable to find anything useful there
>>> either. I don't see any cron jobs that would generate network traffic.
>>>
>>> Any suggestions how I can go about tracking this down?
>> Run rkhunter?
>>
>> Actually, if it's that regular, you could run tcpdump when you expect
>> it.
>
> rkhunter complained about a few files, but "rpm --verify" doesn't flag
> any of them. Other than that, just a few insecure settings and out of
> date programs, which are not ideal, but do not indicate a problem on
> their own.
>
> I could try running tcpdump or wireshark, but that's going to generate a
> lot of data and I'm not sure how to go about filtering it. I know the
> spike happens on the hour and half hour, but my traffic monitor does not
> give me enough detail to see exactly when it starts or exactly how long
> it lasts and I don't know what protocol or port I'm looking for.

Dumb idea: run top and see if something spikes.

mark
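The "run tcpdump when you expect it" idea from the thread, worked out as an added example that is not from any of the posters: a POSIX sh script that sleeps until just before the next :00/:30, captures only the server's own outbound packets for a few minutes, and ranks the destinations by host:port so the dump stays small and the odd one out is visible. The interface name eth0, the placeholder address 192.0.2.10, and the availability of tcpdump and coreutils timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): short, timed capture of the
# server's outbound traffic around the :00/:30 spike, then a per-destination
# packet count. Known-good noise (DNS answers, ssh) is filtered out so that
# whatever remains is what the spike is made of.
# Assumptions: tcpdump and coreutils timeout installed; IFACE is the outbound
# interface; MYIP is the server's own address (192.0.2.10 is a placeholder).
IFACE="${IFACE:-eth0}"
MYIP="${MYIP:-192.0.2.10}"
SECS="${SECS:-180}"     # seconds to capture once the window opens

# Read tcpdump -n text lines on stdin, count packets sent by MYIP per
# destination host:port, print the busiest destinations first.
summarize_conns() {
    awk -v me="$MYIP" '
        # tcpdump -n line: 12:00:01.123456 IP 192.0.2.10.43512 > 198.51.100.7.443: Flags ...
        $2 == "IP" && index($3, me ".") == 1 {
            dst = $5; sub(/:$/, "", dst)           # strip the trailing colon
            n = split(dst, p, "."); port = p[n]    # last dotted field is the port
            host = substr(dst, 1, length(dst) - length(port) - 1)
            count[host ":" port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Sleep until 30s before the next half-hour boundary, capture for SECS
# seconds into a pcap, then summarise that file.
capture_spike() {
    now=$(date +%s)
    wait=$(( 1800 - now % 1800 - 30 ))
    if [ "$wait" -lt 0 ]; then wait=0; fi
    echo "sleeping ${wait}s until the next :00/:30 window" >&2
    sleep "$wait"
    out="spike-$(date +%Y%m%d-%H%M).pcap"
    timeout "$SECS" tcpdump -n -i "$IFACE" -w "$out" \
        "src host $MYIP and not port 53 and not port 22"
    tcpdump -n -r "$out" | summarize_conns | head -20
}

# Only start a real capture when invoked as: sh spike.sh run
if [ "${1:-}" = run ]; then
    capture_spike
fi
```

The pcap is kept, so once the summary points at a destination and port, a second pass with `tcpdump -n -r spike-*.pcap host <that address>` shows the exact start time and duration the traffic monitor could not.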