I am having an issue reconciling what I am seeing on my box and what my ISP is reporting that I am using for bandwidth consumption.
For a sample hour, they report the following usage:
Usage: 0.240 GiB In / 0.374 GiB Out
Which, if I am reading this correctly, is 240 MB in and 374 MB out.
However, when I use a utility called vnstat I am getting:
112 MB In / 247 MB Out
Question: what other tools should I be trying to use to identify the discrepancy? I thought I could be hacked, but I'm pretty sure I have not been compromised (not 100% though). I run very few services (ssh / http / smtp / pop3 / imap), run osiris on it nightly and various rootkit detection scripts.
The CPU utilization is about what I expect; I just don't understand the wide differences in the bandwidth consumption.
I realize this is a pretty broad question, even a pointer where I can learn more about how to analyze network issues would be appreciated.
Thanks,
Chris....
For network monitoring you could check "ntop" and "iftop".
OK - I'm officially outside my comfort zone. I took a tcpdump and analyzed it in Wireshark (the sniffer previously known as Ethereal). I am seeing a lot of ARP packets that originate from my ISP's routers.
Couple of questions for those who know more.
1. What is a lot of ARP traffic? I am seeing 220K packets & 15 MB over a 10 minute span. I would think this is a bit excessive. Is it related to the size of their network? At my last provider, I saw total inbound traffic during quiet periods (late at night) of around 10 MB per _hour_, so that is my limited comparison point.
2. Can I safely block this traffic in iptables? Some of it if it is not directed at my MAC address? Or should I just not worry about it and filter it out of my network reports when looking for problems.
Thanks,
Chris....
ARP usually should only be used initially when you first connect before your IP is known. I am no expert, but seeing a lot of ARP traffic like that usually signifies malicious behavior (ARP Spoofing/Poisoning).
Check out wikipedia for some better background info if you haven't already. They cover networking stuff pretty well.
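Added example, not from either poster: a small Python script that takes raw Ethernet frames (as you would read them from a capture) and reports the ARP volume per sender MAC, the packet rate over the sample window, and any IP address claimed by more than one MAC, which is the observable sign of ARP spoofing rather than raw volume alone. The frames and MAC/IP values below are constructed for illustration; the `arp_frame` builder exists only to create that sample.

```python
import struct
from collections import Counter, defaultdict

def arp_frame(src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a minimal ARP-over-Ethernet frame (helper for constructed sample data)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, oper
    arp += bytes.fromhex(sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += bytes.fromhex(target_mac) + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":        # EtherType 0x0806 = ARP
        return None
    op = struct.unpack("!H", frame[20:22])[0]                  # 1 = request, 2 = reply
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return op, sender_mac, sender_ip, target_ip

def analyze(frames, seconds):
    """Summarise ARP traffic: counts, rate, top senders and IP->MAC conflicts."""
    packets = nbytes = 0
    per_sender = Counter()
    claims = defaultdict(set)           # IP -> set of MACs that asserted ownership of it
    for f in frames:
        parsed = parse_arp(f)
        if parsed is None:
            continue                    # non-ARP traffic is ignored here
        op, sender_mac, sender_ip, _ = parsed
        packets += 1
        nbytes += len(f)
        per_sender[sender_mac] += 1
        if op == 2 or sender_ip != "0.0.0.0":   # replies and non-probe requests claim sender_ip
            claims[sender_ip].add(sender_mac)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"packets": packets, "bytes": nbytes, "pps": packets / seconds,
            "top_senders": per_sender.most_common(3), "conflicts": conflicts}

# Constructed sample: a router (00:aa...) sweeping 200 hosts, plus one rogue reply
# from 00:bb... claiming the router's IP 10.0.0.1, and one non-ARP frame.
ROUTER, ROGUE = "00aa00aa00aa", "00bb00bb00bb"
SAMPLE = [arp_frame(ROUTER, 1, ROUTER, "10.0.0.1", "000000000000", f"10.0.0.{i}")
          for i in range(2, 202)]
SAMPLE.append(arp_frame(ROGUE, 2, ROGUE, "10.0.0.1", ROUTER, "10.0.0.50"))
SAMPLE.append(b"\x00" * 60)

if __name__ == "__main__":
    print(analyze(SAMPLE, seconds=10))
```

On a real capture, a busy router sweeping a large subnet shows high volume with an empty `conflicts` map; a non-empty map is what warrants a closer look.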