On 12/4/2013 4:47 AM, Heiko Specht wrote:
> hi,
> i agree with Mark.
> maybe iftop -P would work for you...
> and if you can determine a port from iftop you could run lsof -Pn | grep :<Port> to list the daemon which uses this port.
>
> that is what i would try..
>
> Heiko
>
>>>> <m.roth at 5-cent.us> 03.12.2013 23:15 >>>
> Bowie Bailey wrote:
>> On 12/3/2013 4:49 PM, m.roth at 5-cent.us wrote:
>>> Bowie Bailey wrote:
>>>> Since Sunday morning, one of my CentOS servers has been generating a
>>>> small spike of outbound traffic every 30 minutes (X:00 and X:30). It's
>>>> not enough traffic to really cause any notice except for the fact that
>>>> it is a very regular pattern and it started abruptly at midnight
>>>> Sunday.
>>>>
>>>> This server is used for mail (Courier-MTA), and DNS (Bind). I cannot
>>>> find anything unusual in either of those logs. I tried grepping
>>>> through my firewall logs, but have been unable to find anything useful
>>>> there either. I don't see any cron jobs that would generate network traffic.
>>>>
>>>> Any suggestions how I can go about tracking this down?
>>> Run rkhunter?
>>>
>>> Actually, if it's that regular, you could run tcpdump when you expect
>>> it.
>> rkhunter complained about a few files, but "rpm --verify" doesn't flag
>> any of them. Other than that, just a few insecure settings and out of
>> date programs, which are not ideal, but do not indicate a problem on
>> their own.
>>
>> I could try running tcpdump or wireshark, but that's going to generate a
>> lot of data and I'm not sure how to go about filtering it. I know the
>> spike happens on the hour and half hour, but my traffic monitor does not
>> give me enough detail to see exactly when it starts or exactly how long
>> it lasts and I don't know what protocol or port I'm looking for.
>>
> Dumb idea: run top and see if something spikes.

iftop helped me track it down. It was actually starting at :05 and :25.
One of my email clients received a 20M email and was having problems downloading it. Every 30 minutes, the pop client would connect, try to download the emails, and then disconnect after 2 minutes. Thanks for the suggestions everyone! -- Bowie
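The thread's problem (a regular outbound spike whose port and destination are unknown, and a worry that a blind tcpdump produces too much data) is a small beaconing-detection exercise. Below is an added example, not part of the original thread or any of the tools it mentions: it takes flow records of the kind you could derive from iftop, firewall logs or a short tcpdump capture (timestamp, destination, destination port, bytes), groups them by destination, and flags destinations that are contacted at the same minute-of-hour in several different hours. It also reports the inter-arrival gaps (which would have shown the :05/:25 pattern rather than the assumed :00/:30) and builds a narrow capture filter for the follow-up tcpdump. The flow records and the addresses in them are constructed sample data; `find_regular_flows` and `capture_filter` are names chosen for this example.

```python
"""Flag outbound connections that recur at fixed minute-of-hour marks.

Added example for the thread above; not code from the original post.
Input records are (timestamp, dst_ip, dst_port, bytes) tuples such as one
could derive from iftop, firewall logs or a tcpdump capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def sample_flows():
    """Constructed sample: a POP3 client retrying a large download at :05
    and :25 past every hour (the thread's actual culprit), plus irregular
    DNS and SMTP traffic as background noise. Addresses are documentation
    ranges, not real hosts."""
    base = datetime(2013, 12, 4, 0, 0)
    flows = []
    for hour in range(6):
        for minute in (5, 25):
            flows.append((base + timedelta(hours=hour, minutes=minute),
                          "198.51.100.10", 110, 2_100_000))
    noise = [
        (3, "203.0.113.5", 53, 120), (17, "203.0.113.5", 53, 140),
        (41, "203.0.113.7", 25, 4800), (58, "203.0.113.5", 53, 130),
        (94, "203.0.113.9", 25, 9100), (131, "203.0.113.5", 53, 125),
    ]
    for offset_min, dst, dport, nbytes in noise:
        flows.append((base + timedelta(minutes=offset_min), dst, dport, nbytes))
    return sorted(flows)


def find_regular_flows(flows, min_repeats=3):
    """Return {(dst, dport): report} for destinations contacted at the same
    minute-of-hour in at least `min_repeats` distinct hours.

    Scheduled clients (mail pollers, cron jobs, beacons) land on the same
    minute marks hour after hour; ordinary DNS/SMTP traffic does not."""
    by_dest = defaultdict(list)
    for ts, dst, dport, nbytes in flows:
        by_dest[(dst, dport)].append((ts, nbytes))

    hits = {}
    for key, events in by_dest.items():
        # minute-of-hour -> set of distinct hours in which it was seen
        hours_per_minute = defaultdict(set)
        for ts, _ in events:
            hours_per_minute[ts.minute].add(ts.replace(minute=0, second=0, microsecond=0))
        marks = sorted(m for m, hours in hours_per_minute.items()
                       if len(hours) >= min_repeats)
        if not marks:
            continue
        stamps = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        hits[key] = {
            "minute_marks": marks,                     # e.g. [5, 25]
            "events": len(events),
            "bytes_total": sum(nbytes for _, nbytes in events),
            "typical_gaps_min": sorted({round(g) for g in gaps}),  # e.g. [20, 40]
        }
    return hits


def capture_filter(dst, dport):
    """tcpdump/BPF filter restricted to one flagged destination and port, so
    the follow-up capture stays small instead of recording everything."""
    return f"host {dst} and tcp port {dport}"


if __name__ == "__main__":
    for (dst, dport), report in find_regular_flows(sample_flows()).items():
        print(f"{dst}:{dport} -> {report}")
        print("  next step: tcpdump -nn '" + capture_filter(dst, dport) + "'")
        print(f"  owning process: lsof -Pn -i :{dport}")
```

Once a destination and port are flagged, the `lsof -Pn -i :<port>` step Heiko suggests identifies the local daemon, and the narrow filter keeps the confirming tcpdump run to a handful of packets around the reported minute marks.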