Unexplained burst of outgoing activity

kommgroup

Cadet
Joined
Oct 3, 2018
Messages
7
Image attached. If this was your FreeNAS system, what would you be doing to determine what is going on here? I checked the firewall and this is not going out over the internet, so it is something internal, but for the life of me I can't think of what it is.
 

Attachments

  • bandwidth.JPG

dlavigne

Guest
Do you have any cron jobs, replication tasks, etc. running at that time? If not, any activity in /var/log/messages during that time?
 

kommgroup

Cadet
Joined
Oct 3, 2018
Messages
7
Thanks for your reply. Nothing in cron and basically nothing in messages either... Where else could I look? And is there a table that shows bandwidth by destination or any reporting like that?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Any jails? Any services exposed to the Internet?
You could install something like "nethogs" in a jail, but I don't think that will show data from sources outside the jail. That also wouldn't help if this doesn't repeat.
I think at one time FreeNAS could report network traffic by jail, but I'm not sure offhand if that data is still recorded or available on the web UI.
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Has it happened again? I don't think there are logs you could look at to explain this. Maybe an activity log would show a login over NFS? I don't think it would illuminate the data transfer though. For that I'd just look through /var/log for any messages around that time. I think you'd need to start some other logging or monitoring process and wait for this to happen again.
 

kommgroup

Cadet
Joined
Oct 3, 2018
Messages
7
Still happening... I tried disabling some scheduled tasks on servers that use the NFS store, but that didn't solve it... I agree. Any ideas? Wireshark or something like that?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
If it's consistent this should be relatively easy to track down. I don't have a system at hand to check, but when it's happening you could use tcpdump and wireshark to identify what the traffic is and where it's going. Are you familiar with using those?

The port should be able to be correlated to a running command ( https://www.cyberciti.biz/faq/freeb...ess-pid-listening-on-a-certain-port-commands/ ). The IP should show you where the traffic is going. Either of those on their own might be enough to tell what's going on.
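
Added example (not part of the thread and not FreeNAS's own tooling): one way to turn a tcpdump capture into a per-destination byte table, so the busy peer and the local port stand out. The function name `top_talkers`, the interface `em0`, the address `192.168.1.10` and the sample capture lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Sums payload bytes in `tcpdump -nn -q` text output per
# destination IP and local source port. Live use (em0 is an assumed interface):
#   tcpdump -i em0 -nn -q -c 20000 | top_talkers 192.168.1.10
# Then list the sockets on the busy local port on FreeBSD:
#   sockstat -4 -p 2049

top_talkers() {
    local_ip="$1"   # address of the machine under investigation
    awk -v me="$local_ip" '
    # IPv4 lines look like: TIME IP SRC.PORT > DST.PORT: tcp LEN
    # (UDP ends in "UDP, length LEN"; ARP and IP6 lines are skipped)
    $2 == "IP" && $4 == ">" && $NF ~ /^[0-9]+$/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(src, s, /\./); sport = s[n]
        sip = substr(src, 1, length(src) - length(sport) - 1)
        if (sip != me) next            # keep outgoing packets only
        n = split(dst, d, /\./)
        dip = substr(dst, 1, length(dst) - length(d[n]) - 1)
        bytes[dip " " sport] += $NF    # key: destination IP + local port
    }
    END { for (k in bytes) print bytes[k], k }' | sort -rn
}

# Constructed sample capture, not real traffic from the thread.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.2049 > 192.168.1.50.883: tcp 1448
12:00:01.000002 IP 192.168.1.10.2049 > 192.168.1.50.883: tcp 1448
12:00:01.000003 IP 192.168.1.50.883 > 192.168.1.10.2049: tcp 0
12:00:01.000004 IP 192.168.1.10.2049 > 192.168.1.50.883: tcp 1448
12:00:01.000005 IP 192.168.1.10.445 > 192.168.1.60.51000: tcp 512
12:00:01.000006 IP 192.168.1.10.123 > 192.168.1.1.123: UDP, length 48
12:00:01.000007 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
EOF
}

# Output columns: bytes, destination IP, local port
sample_capture | top_talkers 192.168.1.10
```

The first row is the heaviest outgoing flow; its local port is the value to look up with sockstat.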
 

kommgroup

Cadet
Joined
Oct 3, 2018
Messages
7
Sorry for the delay in responding, but I finally found the culprit (not malicious) and all is well. Thanks!
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Can you state what it was? Something you had configured on your machine? A user?
Or detail how you figured out what was going on?
 