David Brodbeck gull at
Wed Jan 5 18:25:40 UTC 2011

On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox at> wrote:
> On 5 January 2011 10:47, Jerry Bell <jerry at> wrote:
>> There could be reasons you
>> aren't seeing a spike, such as you're only looking at traffic processed by
>> the MTA, or it simply doesn't show as a material increase on a graph of
>> traffic on the network interface if the server is busy.
> Those are good points and to go a little further regarding looking at
> traffic...
> To really see what your machine is doing, consider taking a look at
> the network flows. pfflowd, netflowd, ipaudit and a host of others can
> get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.

More information about the freebsd-questions mailing list