-1

I'm running Centos7 on a VPS with apache and a 1KB php application deployed that i use for tests, the logs don't have any entries other than my own and a couple of bots.

I have vnstat for tracking traffic and it used to be 20MB daily of RX, i'm always on ssh.

After i installed LetsEncrypt ssl with certbot it jumped to Nearly 500MB daily of RX traffic. TX is at 90mb.

I installed nethogs to track traffic on eth0 by application but the higher rx rate comes from ssh and it's only a couple of MB/S after hours.

Update: Tcpdump and tshark output shows dozens of ARP requests per second:

Broadcast ARP 60 Who has X.X.X.X? Tell X.X.X.X

Update2: ARP Packets detailed format:

TIME `MyMAC` (oui Unknown) > `UnknownMAC` (oui Unknown), ethertype IPv4 (0x800), length 87: vps.xxxcloud.com > resolver.dns.xxxx.com PTR someIP.in-addr.arpa (45)

Update3: I'm ignoring ARP packets based on this. vnstat estimated RX transfer for the month is 10.21GB on a testing environment, still a mystery for me.

Community
  • 1
JCoe
  • 1
  • 1

1 Answers1

0

you can use tcpdump to capture and after analyze that capture with wireshark. With wireshark analytics tab can show you the top 10 of bandwidth consumers

Victor José Acosta Domínguez
  • 1
  • 2
  • i updated the post with more details. – JCoe Feb 03 '17 at 04:07
  • can you please check if the source mac address of those packages is your VM's mac. – Victor José Acosta Domínguez Feb 03 '17 at 04:11
  • yes, it looks like it is, here's the format: time (oui Unknown) > , ethertype IPv4 (0x800), length 87: vps.xxxcloud.com > resolver.dns.xxxx.com PTR weirdIP.in-addr.arpa (45) – JCoe Feb 03 '17 at 04:38
  • ok ok , do you know the ip your server is asking for? if you don't use that ip address your server is asking for, you can drop those packages using `arptables`, i just wrote a little how to use arptables http://blog.infratic.com/2017/02/avoid-arp-requests-rhelcentossl/ – Victor José Acosta Domínguez Feb 03 '17 at 05:02
  • There are multiple ips, they are variations of my vps public ip. It's always vps.xxxcloud.xxx.com > resolver.dns.xxxx.com. I'm going to contact the vps support, thanks for the help. – JCoe Feb 03 '17 at 15:44