[lug] wild activity, don't know why.
Holshouser, David
dholshou at ball.com
Thu Aug 9 10:12:43 MDT 2001
I have a machine on an @home cable modem at my brother's house (since I can't
get a big pipe in my area and my apt faces the wrong direction for
wireless).
My brother called yesterday to inform me that the activity light has been
solid for the last few days.
I unshared all web content that might have been causing the activity (mp3).
Everything seemed ok.
This morning I got another call with the same message.
I guess my main questions are:
1) What are 4-8 commands that I can use to determine activity - destination
- usage?
   1) netstat (any better/more options than those used below?)
   2) ps -aux
   3) tcpdump
   4) manually view the logs, i.e. /var/log/* (any other places?)
   5) top
2) What cli command will show me current bandwidth usage?
3) What software can I use to monitor bandwidth consumption (attach to cron,
run with script, leave running) so that I can see what I'm consuming now and
over the long run?
==========================
INFO/DETAILS
==========================
tcpdump shows a large number of ARP requests but I wouldn't consider this a
big hit. Almost 100% of tcpdump is ARP requests.
I don't know why linuxconf would have been started or what the rc is, in the
following snippet of /var/log/messages, so you get to see it.
Is this part of my ssh connection to the machine?
============= /var/log/messages =================
<snip>
Aug 9 06:52:14 secundo rc: Starting sshd succeeded
Aug 9 06:52:15 secundo xfs: xfs startup succeeded
Aug 9 06:52:15 secundo xfs: Warning: The directory
"/usr/share/fonts/default/TrueType" does not exist.
Aug 9 06:52:15 secundo xfs: Entry deleted from font path.
Aug 9 06:52:16 secundo rc: Starting linuxconf succeeded
<snip>
=================================================
FYI: I'm the ssh connection. IP addresses modified.
[root at secundo]~/# netstat -apn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:6010 0.0.0.0:* LISTEN
796/sshd
tcp 0 20 65.7.135.152:22 162.18.179.168:885
ESTABLISHED 796/sshd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
778/X
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
688/sshd2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
647/httpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
661/smbd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
508/inetd
udp 0 0 0.0.0.0:177 0.0.0.0:*
771/gdm
udp 0 0 192.168.0.1:138 0.0.0.0:*
670/nmbd
udp 0 0 192.168.0.1:137 0.0.0.0:*
670/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:*
670/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:*
670/nmbd
udp 0 0 0.0.0.0:67 0.0.0.0:*
522/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
522/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
-
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
-
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name
Path
unix 1 [ ] STREAM CONNECTED 823 779/gdm
@00000038
unix 0 [ ACC ] STREAM LISTENING 675 595/gpm
/dev/gpmctl
unix 1 [ ] STREAM CONNECTED 837 784/gdmlogin
@0000003a
unix 0 [ ] STREAM CONNECTED 257 1/init [5]
@0000002b
unix 0 [ ACC ] STREAM LISTENING 820 778/X
/tmp/.X11-unix/X0
unix 6 [ ] DGRAM 494 455/syslogd
/dev/log
unix 0 [ ACC ] STREAM LISTENING 766 732/xfs
/tmp/.font-unix/fs-1
unix 0 [ ] DGRAM 911 796/sshd
unix 1 [ ] STREAM CONNECTED 838 778/X
/tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 828 778/X
/tmp/.X11-unix/X0
unix 0 [ ] DGRAM 769 732/xfs
unix 0 [ ] DGRAM 735 688/sshd2
unix 0 [ ] DGRAM 584 536/lpd
unix 0 [ ] DGRAM 554 522/dhcpd
unix 0 [ ] DGRAM 506 464/klogd
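An added example, not from the original post, addressing questions 2 and 3: it samples the per-interface byte counters in /proc/net/dev twice and reports bytes per second, so the same script can answer "what am I using now" interactively and, from cron, append a usage log over time. It assumes a Linux host with a POSIX sh and awk; the function names and the sample interval are assumptions chosen here.

```shell
#!/bin/sh
# Report per-interface throughput from /proc/net/dev byte counters.
# Run directly for a one-off reading, or from cron for a long-run log:
#   */5 * * * * /usr/local/bin/bwsample.sh 10 >> /var/log/bandwidth.log

# parse_netdev: read /proc/net/dev format on stdin, print "iface rx_bytes tx_bytes".
# After the interface name, field 2 is received bytes and field 10 is transmitted
# bytes; the separator regex also handles old kernels that print "eth0:1234".
parse_netdev() {
    awk -F'[: \t]+' 'NR > 2 { sub(/^[ \t]+/, ""); print $1, $2, $10 }'
}

# rates SNAP1 SNAP2 SECONDS: given two parsed snapshots (files), print
# "iface rx_bytes_per_s tx_bytes_per_s" for every interface seen in both.
rates() {
    awk -v secs="$3" '
        NR == FNR { rx[$1] = $2; tx[$1] = $3; next }
        ($1 in rx) {
            printf "%s %d %d\n", $1, ($2 - rx[$1]) / secs, ($3 - tx[$1]) / secs
        }
    ' "$1" "$2"
}

# bandwidth [SECONDS]: live sample over SECONDS (default 5), one timestamped
# line per interface. A large sustained rate on an interface you expected to
# be idle is the thing worth chasing with tcpdump and netstat -apn.
bandwidth() {
    secs="${1:-5}"
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    parse_netdev < /proc/net/dev > "$a"
    sleep "$secs"
    parse_netdev < /proc/net/dev > "$b"
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    rates "$a" "$b" "$secs" | while read -r iface rxr txr; do
        printf '%s %s rx=%d B/s tx=%d B/s\n' "$stamp" "$iface" "$rxr" "$txr"
    done
    rm -f "$a" "$b"
}

# Only sample when executed as a script, not when sourced for its functions.
case "$0" in
    *bwsample*) bandwidth "$1" ;;
esac
```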