[gentoo-user] {OT} Mystery network traffic

[gentoo-user] {OT} Mystery network traffic

[Grant]

I was watching cbm on one of my machines and it showed a lot more
traffic going in and out over lo than over both of the two real
interfaces.  Is that normal?  One of those two real interfaces is
completely unused and shows zeros in cbm all the time.

- Grant

[gentoo-user] Re: {OT} Mystery network traffic

[Ian Zimmerman]

On 2016-09-29 12:47, Grant wrote:

> I was watching cbm on one of my machines and it showed a lot more
> traffic going in and out over lo than over both of the two real
> interfaces.  Is that normal?  One of those two real interfaces is
> completely unused and shows zeros in cbm all the time.

If I were motivated to investigate this, I'd start with netstat to learn
what ports are active on the interface, then I'd load iptables rules
that pass all traffic on such ports but log it.

Or just use tcpdump?  That may by too blunt a tool, though.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Why does the arrow on Hillary signs point to the right?

Re: [gentoo-user] {OT} Mystery network traffic

[J. Roeleveld]

On September 29, 2016 9:47:27 PM GMT+02:00, Grant <emailgrant@gmail.com> wrote:
>I was watching cbm on one of my machines and it showed a lot more
>traffic going in and out over lo than over both of the two real
>interfaces.  Is that normal?  One of those two real interfaces is
>completely unused and shows zeros in cbm all the time.
>
>- Grant

Yes, I would consider this normal.

What is running on that machine?

'lo' is used for all traffic between localhost and localhost.

IOW, all internal communications, like apache talking to the database if both running on the same host.
Or postfix to amavis to postfix before mail gets delivered.

--
Joost

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [gentoo-user] {OT} Mystery network traffic

[Grant]

>>I was watching cbm on one of my machines and it showed a lot more
>>traffic going in and out over lo than over both of the two real
>>interfaces.  Is that normal?  One of those two real interfaces is
>>completely unused and shows zeros in cbm all the time.
>>
>>- Grant
>
> Yes, I would consider this normal.
>
> What is running on that machine?
>
> 'lo' is used for all traffic between localhost and localhost.
>
> IOW, all internal communications, like apache talking to the database if both running on the same host.
> Or postfix to amavis to postfix before mail gets delivered.


I had no idea.  Thank you Joost.

- Grant

Re: [gentoo-user] {OT} Mystery network traffic

[Mick]

[-- Attachment #1: Type: text/plain, Size: 954 bytes --]

On Friday 30 Sep 2016 04:17:29 Grant wrote:
> >>I was watching cbm on one of my machines and it showed a lot more
> >>traffic going in and out over lo than over both of the two real
> >>interfaces.  Is that normal?  One of those two real interfaces is
> >>completely unused and shows zeros in cbm all the time.
> >>
> >>- Grant
> >>
> > Yes, I would consider this normal.
> > 
> > What is running on that machine?
> > 
> > 'lo' is used for all traffic between localhost and localhost.
> > 
> > IOW, all internal communications, like apache talking to the database if
> > both running on the same host. Or postfix to amavis to postfix before
> > mail gets delivered.
> 
> I had no idea.  Thank you Joost.
> 
> - Grant

Some services will listen to localhost network sockets, others may listen to 
unix sockets by default.  Some services can be configured to use either.  
netstat, lsof, ss, will show you both.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]