traffic analysis

Erik Norgaard norgaard at locolomo.org
Tue Feb 21 02:30:00 PST 2006 

Robin Becker wrote:
> Our freeBSD 6.0 host is not yet in production, but appears to have 
> outgoing traffic of around 140Mb/day; the http logs say 16 hits etc. The 
> host provider said this
> 
> "The server is on a /20-network, and this leads to high amounts of
> background traffic (ARP, broadcast, etc.). These traffic types are
> likely to be the reason for most of your outbound traffic."
> 
> I'm not sure I follow this argument. Does this mean I'm responding to 
> large number of spurious requests? The provider's analysis of the input 
> volume is pretty small (0Mb).
> 
> Is there a tool that can give me some reasonable data on this sort of 
> problem? Perhaps I need to close down some services etc.

Is your server reachable from the Internet? does it have a firewall?

140MB a day sounds a lot to me, and your host should not contribute a 
lot to this kind of "background traffic":

ARP packets are sent on the local network only, ARP is used to maintain 
the arp table which matches hardware (MAC) addresses and ip addresses. 
An entry normally expires after one minute with no traffic.

Usually your host would only send arp requests to a very few hosts, the 
servers it connects to and the default router.

Broadcast not very common either, most traffic is unicast.

If your host's firewall does not drop packets to closed ports then it 
will send a response packet. It is common to see probes for example for 
port 137 for vulnerable windows machines.

This may explain the traffic.

You can run snort for 15 minutes and sum up what the traffic amounts to 
over 24 hs. or just enable your firewall with pass all and view the 
statistics to see.

Snort will also tell you the amount of traffic on other protocols such 
as ARP not reported by your firewall.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9

More information about the freebsd-questions mailing list