Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Lynn on July 29, 2002, 06:18:31 PM
-
My home E-smith box is configured as a private gateway with no email services, and I'm seeing the lights on my cable modem flashing constantly. Something is either being sent or received.
The data light on the modem flashes, and doesn’t stay on constantly - so it's not a huge amount of data like you'd see during a file download/upload.
I know it’s coming from the e-smith server because I can put the cable modem into standby mode (basically off), and the ethernet connection to the external nic on the e-smith keeps flashing.
The activity doesn't occur on the internal LAN at all - it’s coming from the e-smith server to the WAN only.
It happens when all internal PCs are turned off, in fact.
No public access is allowed for ssh, FTP, or telnet. The FTP and a few other unneeded services are enabled - think I'll try turning stuff off at this point.
The following services are always kept turned off: Mac file & print service, mail retrieval, mail transport, and webmail. So it's not those.
I use that contributed add-on that lets you turn off individual services from the server-manager.
Any idea what's going on? All help appreciated...
-
This traffic you are seeing is probably ARP/RARP requests, broadcasts, DNS updates, etc. This is common on a cable modem network, as bandwidth on a cable modem network is shared. If you power down your server (depending on the cable modem you have) you will continue to see the broadcast traffic. There really isn't anything you can do about this.
Hope this helped,
Nathan
-
Hi Nathan,
I have a similar issue with a client's ADSL connection. However, in this case, something is chewing up the bandwidth because all access to the internet slows to a crawl. The ISP confirms that the bandwidth is being used up but was not helpful enough to tell us if the connections / transfers were incoming or outgoing (as I'm trying to see if it's a case of a DOS attack).
Can you suggest a program to install (or if there's already one in there) that can tell me:
1. if there is any inbound / outbound activity and how much of it.
2. if outbound, is it coming from SME itself or is a workstation on the LAN initiating the outbound connection(s) and which workstation it is
3. If inbound, the source of the inbound connection
Something like ntop or something else that's not too complicated to install / use ?
Thanks.
Kelvin
-
I use bwm
http://rpmfind.net/linux/RPM/contrib/libc6/i386/bwm-1.1.0-dag.1.i386.html
A very simple util that will tell you what the traffic is (every second or whatever you like) on your various interfaces - eth0, eth1, ppp0 ipsec0 etc.
It is trivial to install (just download it, rpm -Uvh the_rpm.rpm) and then run bwm.
Otherwise, how about NetTop?
http://freshmeat.net/projects/nettop/?topic_id=152
Haven't used it, but it will apparently show you the various protocols in use, and the % of bandwidth they are using...
Enjoy,
G
-
Just tried NetTop - nice!
It creates a graphical (albeit text based) tree of where the bandwidth is allocated... sex-y....
on 5.12, first need libpcap :
wget ftp://ftp.rpmfind.net/linux/redhat/updates/7.1/en/os/i386/libpcap-0.6.2-11.7.1.0.i386.rpm
then
rpm -Uvh libpcap-0.6.2-11.7.1.0.i386.rpm
then the rpm from the freshmeat listing for nettop :
wget http://freshmeat.net/redir/nettop/7101/url_rpm/nettop-0.2.3-1.i386.rpm
then
rpm -Uvh nettop-0.2.3-1.i386.rpm
sweet.
-
Kelvin, use tcpdump:
/sbin/tcpdump not broadcast and not tcp port 22 and not tcp port 23
You can analyze the incoming traffic information for possible attacks. Hope this helped.
Nathan
-
Holy Crap. nettop owns. Good job Guck Puppy, that is awesome!
Thanks,
Nathan
-
Kelvin wrote:
> 1. if there is any inbound / outbound activity and how much
> of it.
> 2. if outbound, is it coming from SME itself or is a
> workstation on the LAN initiating the outbound connection(s)
> and which workstation it is
> 3. If inbound, the source of the inbound connection
"netstat -Mn" will tell you most of that information, and is already available. It won't tell you how much bandwidth is being used, except that for outbound connections, the packet backlog will give you a little hint. Other than that, you have source and destination information.
Charlie
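An added example (not from this thread or from the SME project) that ties Nathan's tcpdump suggestion to Kelvin's three questions: it reads `tcpdump -n` style lines and tallies payload bytes as inbound or outbound, attributing outbound traffic to either a LAN workstation or the SME box itself. The LAN range, the external NIC address and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed topology (hypothetical addresses): the LAN behind the SME box and the
# address of its external NIC.  Adjust both to your own network.
LAN = ip_network("192.168.1.0/24")
EXTERNAL_IP = ip_address("198.51.100.2")
# Constructed sample in `tcpdump -n` style (not a real capture).
SAMPLE = """\
12:00:00.000001 IP 192.168.1.10.40000 > 93.184.216.34.80: Flags [P.], seq 1:100, ack 1, win 502, length 99
12:00:00.000002 IP 93.184.216.34.80 > 192.168.1.10.40000: Flags [.], ack 100, win 501, length 1460
12:00:00.000003 IP 198.51.100.2.33000 > 203.0.113.7.53: 1234+ A? example.com. (30)
12:00:00.000004 IP 203.0.113.7.53 > 198.51.100.2.33000: 1234 1/0/0 A 10.1.1.1 (60)
12:00:00.000005 IP 192.0.2.9.55555 > 198.51.100.2.22: Flags [S], seq 0, win 64240, length 0
12:00:00.000006 ARP, Request who-has 198.51.100.1 tell 198.51.100.2, length 28
"""

# "<time> IP <src>.<port> > <dst>.<port>: ... length N" (TCP) or "... (N)" (UDP/DNS).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): .*?(?:length (?P<tlen>\d+)|\((?P<ulen>\d+)\))\s*$")

def host_of(endpoint):
    """'192.168.1.10.40000' -> ip_address('192.168.1.10'): drop the port suffix."""
    return ip_address(endpoint.rsplit(".", 1)[0])

def classify(line):
    """Return (direction, responsible host, payload bytes), or None for ARP etc."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = host_of(m["src"]), host_of(m["dst"])
    nbytes = int(m["tlen"] or m["ulen"])
    if src in LAN:                          # a workstation sent this outward
        return ("outbound", str(src), nbytes)
    if src == EXTERNAL_IP:                  # the SME box itself is talking out
        return ("outbound", "SME:" + str(src), nbytes)
    if dst in LAN or dst == EXTERNAL_IP:    # someone outside is sending to us
        return ("inbound", str(src), nbytes)
    return None                             # transit/other: not ours

def summarize(lines):
    """Payload bytes per direction, per host responsible for the traffic."""
    totals = {"inbound": defaultdict(int), "outbound": defaultdict(int)}
    for direction, host, nbytes in filter(None, map(classify, lines)):
        totals[direction][host] += nbytes
    return {d: dict(sorted(h.items(), key=lambda kv: -kv[1])) for d, h in totals.items()}

print(summarize(SAMPLE.splitlines()))
```

Feed it `tcpdump -n -i eth1` output from the external interface; an inbound entry with zero bytes (like the SYN to port 22 in the sample) is a connection attempt that never carried data, which is the kind of thing you would want to notice.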
-
Hi and many thanks Charlie, Nathan and Guck Puppy,
All good suggestions and will try them next time the ugly beast shows itself.
Kelvin
-
Guess I didn't make it clear - the activity is from the e-smith box to the cable modem and out into the world.
It's the firewall that's causing the traffic.
It's not from the WAN/cable network to the e-smith.
-
http://www.stickit.nu/nettop
I loved nettop, however I was disappointed with its inability to redirect to a file. I wanted to redirect the contents to a file without appending to that file (it would be huge!) so I could look at that file for any given time and see the current snapshot of bandwidth and protocol usage. After searching for many alternatives with no luck I decided to modify the source code directly. By doing so you can now look at a single file and see basically what you would in a 'GUI'.
[root@inet01 /webapps]# nettop -?
Usage: nettop [-s|-p] [-l] [-t [-h]] [-i dev] [-d delay] [-n num] [-?]
-s Sort by size
-p Sort by number of packets
-l Supress tree lines
-t Output plain text
-h Show table header
-i device Select interface [eth0, eth1, etc]
-o file (assumes -t -h -l) Output display to [file]
-d delay Delay in seconds between updates
-n number Number of updates to run before stopping
-? This screen
The command you would want to run would be:
nettop -s -o /tmp/nettop.log -i eth1 -d 15 > /dev/null &
This would background the program and you can at anytime "cat /tmp/nettop.log" and get your current snapshot.
Hope this helped,
Nathan
-
Hi Nathan,
Can you direct me to a place where I can read all about nettop?
Regards,
guestHH
-
According to nettop, the traffic being generated is arp packets.
It's constant, and about 90% of the traffic on my external nic.
A constant 1k, up to 2.8k bit/s
Is this normal? What is arp exactly?
ipv4 follows at about 9% usage, followed by the rest.
Is it possible I have some worm or trojan running? I just read that OpenSSH has a trojan:
http://www.theinquirer.net/?article=4754
-
It's well worth noting that there isn't really a trojan in OpenSSH.
Yes, there was an issue that while compiling OpenSSH on FreeBSD a connection was made to an IRC server somewhere, but as the article says, pre-compiled binaries are fine.
E-Smith's OpenSSH is surely NOT affected.
For original coverage, see :
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
G
PS. ARP = http://whatis.techtarget.com/definition/0,,sid9_gci213780,00.html