Topic: sysmon show lots of outgoing traffic afterhours

[Jáder]

Sympathetic shoulder and ideas man that's me;~)
Fixing issues that's bugzilla.

Great

Personally I wouldn't mess with the crontab directly
as it is template driven (usual comments yah dah).
Just put the dar2 stuff into manual with the control
panel and that does not bypass templates. You'll
get the proper restart actions done too. While you
are in the system manager's control panel double
check the settings for all the backups ~ particularly
the target or destination for each backup.

I do not mess with crontab file as far I can. I just copy it to show it´s disabled.
I have dar2 + rsync installed... but both disabled.
Also are nightly backups disabled.

I just discovered my own server is doing a affa backup to target server starting 11pm (had forgot about it... I love you AFFA).  So I think this is the problem. I just couldn´t see it because I was thinking the traffic I was seeing was ssh (naive!).
I´ll stop affa job for tonight and see if do not have graphic shaped 11pm.

The affa job just backup ONE 155MB file (.mbd)... so I don´t think it should take 6 hours... but that´s another problem. For this matter... I think case is closed. Sorry to be borring you all this time! :$


Jáder

[piran]

FWIW the CPU max issue I made for myself was
using backuppc but it was my fault (backuppc is
a good solid product I just got initially confused).

I use dar2 permanently for the server stuff and
swear by (in a good way) the amazing AFFA for
my data all over the intranet (thanks Michael).
AFFA is so good it's almost seamless in operation
which is probably why you forgot about it!
Perhaps you should set its admin email for each
day to remind you, the data it provides is useful.

You haven't been boring, this is how things go;~)
We should all hope that our 'scares' are benign.
As for the other stuff... AFFA has a kill job command
which can be used if you find it necessary, I find
that using HTOP will show me which and what is
running that apparently needs stopping. That one
155MB file should not take 6hrs! 155GB maybe but
not MB. Maybe it is an 'open' file or perhaps some
M$ bug/feature sent to mess us up (normal).

[piran]

A thought: .mbd - windows - are you using the
cygwin thing... If you are then that is probably
at the root of the stuck backup. That cygwin
is practically poison to my w2k workstations.
I use AFFA in a mapped drive mode to back
up the M$ boxes on to SME. Utterly reliable.

[Stefano]

[OT]
Piran, can I ask you how do you format your posts?
[/OT]

[CharlieBrady]

see /var/log/message :

What exactly in /var/log/messages were you concerned about? I don't see any references to 207.46.x.y.

[Jáder]

Hi Charlie

What exactly in /var/log/messages were you concerned about? I don't see any references to 207.46.x.y.

I was scared because my server was showing root task running 11pm , I could track a lot of connections to 207.46.x.y.  AND had a outgoing traffic shapped at total bandwidth for all night!

I discovered they have all different explanations and have learned a lot in process:

I had a lot of outgoing traffic starting at 11pm because my server was attempting to do a backup (using affa for this server). Disabled affa to be 100% sure. Later fixed issues (open files) to allow a quick backup.

I had a lot of connections to M$ because computers were trying to download updates to Windows.
The connections were dying because I had a infected M$ computer on LAN opening thousands of connections to Russia. I disconnected infected computer from LAN!

The dying connections were staying for too long time up/connected because WRT54g had default config (512 connections and timeout = 3600) and getting too busy (95/97% of possible connections open). Change for 1024 connections with timeout=120 (2 min) helped a lot.

When WRT54g was busy and w/high number of connections it started to drop connections... and internet access got unreliable.

oh God... so much thing happened in a few days... and a lot of things happened simultaneously...but it´s all fixed now.