How to tell what is logging bandwidth

Question

I've been having everything that goes through my NIC logged and I'm not sure how it happened. The last thing I installed was webmin and I'm not sure if that changed a setting or not but as of today there are gigabytes of data that just started being logged.

Here is is snippet:

Apr 19 21:10:57 ubuntu kernel: [822924.492326] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20051 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK URGP=0 
Apr 19 21:10:57 ubuntu kernel: [822924.493889] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20052 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK URGP=0 
Apr 19 21:10:57 ubuntu kernel: [822924.495514] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20053 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK URGP=0 
Apr 19 21:10:57 ubuntu kernel: [822924.497028] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20054 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK URGP=0 
Apr 19 21:10:57 ubuntu kernel: [822924.498597] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20055 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK URGP=0 
Apr 19 21:10:58 ubuntu kernel: [822925.357381] BANDWIDTH_IN:IN=eth0 OUT= MAC=20:cf:30:36:68:d0:60:36:dd:73:4a:2e:08:00 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=20056 DF PROTO=TCP SPT=39080 DPT=22 WINDOW=6158 RES=0x00 ACK PSH URGP=0 
Apr 19 21:10:58 ubuntu kernel: [822925.396046] BANDWIDTH_OUT:IN= OUT=eth0 SRC=xxx.xxx.x.x DST=xxx.xxx.x.x LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=4179 DF PROTO=TCP SPT=22 DPT=39080 WINDOW=249 RES=0x00 ACK URGP=0

And it is lines and lines of this.

How do I find out what is causing this?

No this is not a duplicate. I have googled for some time now and none of the network monitoring tools are running on my system — slayton1213, Apr 20 '13 at 02:40
You said eveything is logged, and everything is a lot of data. — mikewhatever, Apr 20 '13 at 02:42
I am sure nethogs will do it. it will produce which connection taking high BW.Try it. — Raja G, Apr 20 '13 at 02:43
@Jai, you seem to misunderstand the question. He isn't asking how to log, he is asking what is logging ( and how to turn it off ). — psusi, Apr 20 '13 at 19:48

d34dh0r53 · Answer 1 · 2013-04-20T12:16:29.427

0

It looks at first glance like iptables logging. Try running iptables -nvl to see if anything is jumping to LOG. You can remove entries by running something like:

sudo iptables -D INPUT <rule_num>

Assuming that the rule is running on your INPUT chain. Also, I wouldn't make any changes without knowing the ramifications of those changes; iptables can bork your network connectivity rather quickly.

edited Apr 20 '13 at 12:16

answered Apr 20 '13 at 12:11

d34dh0r53

109

1

It is not iptables. I purged iptables and fail2ban and it is still logging. – slayton1213 Apr 20 '13 at 23:21

score 0 · Answer 2 · answered Dec 05 '15 at 00:05

0

The answer is in your use of webmin:

In webmin under Networking -> Bandwidth Monitoring click "Turn Off Monitoring"

http://www.linuxquestions.org/questions/mandriva-30/var-log-problem-it%27s-filling-up-at-lightspeed-437351/page2.html

answered Dec 05 '15 at 00:05

Ken Sharp

991
8
31

How to tell what is logging bandwidth

2 Answers2