[lug] wild activity, don't know why.

Holshouser, David dholshou at ball.com
Thu Aug 9 10:12:43 MDT 2001


I have a machine on an @home cable modem at my brother's house (since I can't
get a big pipe in my area and my apt faces the wrong direction for
wireless).

My brother called yesterday to inform me that the activity light has been
solid for the last few days.
I unshared all web content that might have been causing the activity (mp3).
Everything seemed ok.
This morning I got another call with the same message.

I guess my main questions are:
1) What are 4-8 commands that I can use to determine activity - destination
- usage?
   1) netstat (any better/more options than those used below?)
   2) ps -aux
   3) tcpdump
   4) manually view the logs, i.e. /var/log/* (any other places?)
   5) top

2) What cli command will show me current bandwidth usage?
3) What software can I use to monitor bandwidth consumption (attach to cron,
run with script, leave running) so that I can see what I'm consuming now and
over the long run?



==========================
  INFO/DETAILS
==========================

tcpdump shows a large number of ARP requests, but I wouldn't consider this a
big hit. Almost 100% of tcpdump is ARP requests.

I don't know why linuxconf would have been started or what the rc is, in the
following snippet of /var/log/messages, so you get to see it.
Is this part of my ssh connection to the machine?
============= /var/log/messages =================
<snip>
Aug  9 06:52:14 secundo rc: Starting sshd succeeded
Aug  9 06:52:15 secundo xfs: xfs startup succeeded
Aug  9 06:52:15 secundo xfs: Warning: The directory
"/usr/share/fonts/default/TrueType" does not exist. 
Aug  9 06:52:15 secundo xfs:          Entry deleted from font path. 
Aug  9 06:52:16 secundo rc: Starting linuxconf succeeded
<snip>
=================================================



FYI: I'm the ssh connection. IP addresses modified.

[root at secundo]~/# netstat -apn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      796/sshd
tcp        0     20 65.7.135.152:22         162.18.179.168:885      ESTABLISHED 796/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      778/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      688/sshd2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      647/httpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      661/smbd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      508/inetd
udp        0      0 0.0.0.0:177             0.0.0.0:*                           771/gdm
udp        0      0 192.168.0.1:138         0.0.0.0:*                           670/nmbd
udp        0      0 192.168.0.1:137         0.0.0.0:*                           670/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           670/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           670/nmbd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           522/dhcpd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           522/dhcpd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  1      [ ]         STREAM     CONNECTED     823    779/gdm             @00000038
unix  0      [ ACC ]     STREAM     LISTENING     675    595/gpm             /dev/gpmctl
unix  1      [ ]         STREAM     CONNECTED     837    784/gdmlogin        @0000003a
unix  0      [ ]         STREAM     CONNECTED     257    1/init [5]          @0000002b
unix  0      [ ACC ]     STREAM     LISTENING     820    778/X               /tmp/.X11-unix/X0
unix  6      [ ]         DGRAM                    494    455/syslogd         /dev/log
unix  0      [ ACC ]     STREAM     LISTENING     766    732/xfs             /tmp/.font-unix/fs-1
unix  0      [ ]         DGRAM                    911    796/sshd
unix  1      [ ]         STREAM     CONNECTED     838    778/X               /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     828    778/X               /tmp/.X11-unix/X0
unix  0      [ ]         DGRAM                    769    732/xfs
unix  0      [ ]         DGRAM                    735    688/sshd2
unix  0      [ ]         DGRAM                    584    536/lpd
unix  0      [ ]         DGRAM                    554    522/dhcpd
unix  0      [ ]         DGRAM                    506    464/klogd


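An added example, not from the original post, addressing questions 2 and 3 (a CLI bandwidth figure and something that can run from cron): the Linux kernel keeps cumulative byte counters per interface in /proc/net/dev, so current throughput is the difference between two snapshots divided by the interval. The script assumes that classic /proc/net/dev layout; the interface names and counter values in the embedded sample are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: per-interface throughput computed
# from two /proc/net/dev snapshots (the counters are cumulative bytes, so the
# rate is the delta divided by the interval). Usable from a shell or a cron job.

# Turn one snapshot into "iface rx_bytes tx_bytes" lines. Splitting on ':'
# also copes with old kernels that print a wide counter flush against the colon.
parse_netdev() {
    awk -F: 'NR > 2 { split($2, f, " "); gsub(/ /, "", $1); print $1, f[1], f[9] }'
}

# rates BEFORE AFTER SECONDS -> "iface rx_bytes_per_sec tx_bytes_per_sec"
rates() {
    {
        printf '%s\n' "$1" | parse_netdev | sed 's/^/B /'
        printf '%s\n' "$2" | parse_netdev | sed 's/^/A /'
    } | awk -v s="$3" '
        $1 == "B" { rx[$2] = $3; tx[$2] = $4 }
        $1 == "A" { printf "%s %d %d\n", $2, ($3 - rx[$2]) / s, ($4 - tx[$2]) / s }'
}

# Sample the live counters SECONDS apart, e.g. from cron: live_rates 5 >> /var/log/bw.log
live_rates() {
    b=$(cat /proc/net/dev); sleep "$1"; a=$(cat /proc/net/dev)
    rates "$b" "$a" "$1"
}

# Constructed snapshots taken 10 s apart, so the script demonstrates itself offline.
BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  500000    4000    0    0    0     0          0         0   200000    3000    0    0    0     0       0          0'
AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:11500000   12000    0    0    0     0          0         0  2200000    5000    0    0    0     0       0          0'

# Prints "lo 0 0" and "eth0 1100000 200000" (bytes per second) for the sample above.
rates "$BEFORE" "$AFTER" 10
```

Appending the live_rates output to a log from cron every few minutes gives the long-run view asked about in question 3; a sustained non-zero rate on eth0 while nothing is shared is the thing to correlate against netstat -apn and tcpdump.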
