I'm running a CentOS 5 with plesk 10 and problems with slow website loading, now my provider tells me i'm excedding my bandwith.
I've been monitoring the bandwith with iftop and it showed me some connections consuming lots of bandwith.
Now how do i go on about checking what those requests were about? i've got the ip and they are HTTP request probably, should i just start wireshark before and then analize the ip's i found?
Or is there an easyer way?
Thank you.
Have a look through the access logs for each of your sites. If you know the IPs, grep through them and have a look for requests for large files.
By default, Apache uses the 'combined' log format (see http://httpd.apache.org/docs/2.0/mod/mod_log_config.html) - you can check if this is the case by looking at the configuration for your Apache install (and any virtual hosts) - the relevant line is this:-
CustomLog /path/to/access.log combined
If you are, each log entry in the access log has the amount of bytes transferred as the 7th field (excluding any HTTP headers), so in this example:-
127.0.0.1 - - [05/Feb/2012:23:09:25 +0000] "GET /somefile HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7"
...the file /somefile was served up and the request transferred 128 bytes.
