I have a webserver that has almost 4mbps of sustained traffic on the localhost interface. How can I tell what is causing that?
Assuming this is a Linux system, you can perform a packet capture on your `lo` interface via something like:

`$ sudo tcpdump -i lo`

EEAA
and if tcpdump isn't available or allowed to be installed, you can insert an iptables rule to log all new connections on `lo`. That will show you the uid/gid. `iptables -I INPUT -i lo -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix="LOOPBACK_LOG: " --log-ip-options --log-level 7` Use `iptables-save|grep LOOP` to see your rule and later delete with `-D` instead of `-I`. This will go to syslog. – Aaron Jul 29 '16 at 19:32
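
A raw `tcpdump -i lo` capture at this volume scrolls too fast to read, so the following added example (not part of the original answer or comment) totals payload bytes per local service port from `tcpdump -nn -q` text output. The function name, the sample lines and the "lower port is the listening service" rule are assumptions made for this illustration.

```python
import re
import sys
from collections import defaultdict

# Matches `tcpdump -nn -q` lines, e.g.
#   12:00:00.000001 IP 127.0.0.1.45678 > 127.0.0.1.3306: tcp 1448
#   12:00:00.002000 IP 127.0.0.1.40000 > 127.0.0.1.53: UDP, length 32
LINE_RE = re.compile(
    r"\bIP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcplen>\d+)|UDP, length (?P<udplen>\d+))"
)

# Constructed sample capture (not real traffic), used when nothing is piped in.
SAMPLE = """\
12:00:00.000001 IP 127.0.0.1.45678 > 127.0.0.1.3306: tcp 120
12:00:00.000210 IP 127.0.0.1.3306 > 127.0.0.1.45678: tcp 1448
12:00:00.000215 IP 127.0.0.1.3306 > 127.0.0.1.45678: tcp 1448
12:00:00.000400 IP 127.0.0.1.45678 > 127.0.0.1.3306: tcp 0
12:00:00.001000 IP 127.0.0.1.51000 > 127.0.0.1.11211: tcp 64
12:00:00.001100 IP 127.0.0.1.11211 > 127.0.0.1.51000: tcp 512
12:00:00.002000 IP 127.0.0.1.40000 > 127.0.0.1.53: UDP, length 32
12:00:00.002500 IP6 ::1.52000 > ::1.3306: tcp 200
"""


def top_talkers(lines):
    """Return [(proto, port, payload_bytes, packets)], busiest first."""
    totals = defaultdict(lambda: [0, 0])  # (proto, port) -> [bytes, packets]
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ICMP, truncated or otherwise unparsed lines
        proto = "tcp" if m.group("tcplen") is not None else "udp"
        length = int(m.group("tcplen") or m.group("udplen"))
        # Assumption: the lower port of the pair is the listening service,
        # so both directions of a connection are charged to that port.
        port = min(int(m.group("sport")), int(m.group("dport")))
        totals[(proto, port)][0] += length
        totals[(proto, port)][1] += 1
    rows = ((p, port, b, n) for (p, port), (b, n) in totals.items())
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    # Pipe a capture in, or run with no input to see the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for proto, port, nbytes, pkts in top_talkers(source):
        print(f"{proto}/{port:<6} {nbytes:>12} bytes {pkts:>8} packets")
```

The byte counts are payload lengths as printed by tcpdump, not bytes on the wire. Once the busiest port is known, `sudo ss -tlnp` shows which process is listening on it.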