[GLLUG] Occasional Excessive Traffic Query

Leo McHugh quickfixmassage-contact at yahoo.co.uk
Sat Jul 27 14:25:42 UTC 2013


Hi 
Please let me know if this isn't an appropriate topic for the mailing list. 
I was looking at my network traffic history (I use BitMeter) and I came across 
some anomalies that I don't understand and are potentially concerning. 
Between the end of March and now there is an occasional excessively high 
upload amount. So between the end of March and now I have had the following 
peaks in upload traffic (in order of size rather than in the order they 
happened): 
148.19GB
24.50GB 
8.09GB
4.45GB
4.15GB
The thing is that they are generally at the weekend and look to me like they 
could be times when I have used Skype for video chatting. It is possible that 
the conversations have gone on for a couple of hours or more, which I figured 
would justify perhaps up to the 8GB but I don't think it would explain the 
25GB and the 150GB upload figures would it? 
Anyway the day of the 150GB was the 15th June and my router logs stretch back 
that far so I had a look. I'm going to give you the commands that I used to 
get the results just in case there are any errors in those that I haven't 
spotted. 
To collect the data for Saturday I used the following command and got the 
following results: 
grep -r '15 Jun' /Router/Logs/ | awk -F'ALLOW:|]' '{print$2}' | sort | uniq -c | sort -nr > /Router/Logs/Textfile_Sat.txt
Count   Website
215 
203     s.youtube.com 
116     l.yimg.com 
103     www.youtube.com 
19      www.facebook.com

These are the top 4 results and I put the Facebook one in just to give an idea 
of a website that was more representative of the average that day. 
I think the blanks may be from the router logs only being able to hold so much 
information. From looking at them before, when there is too much information, 
sections are either cut off or lost. 
Looking directly at the router logs there did seem to be a lot of gstatic.com 
entries but they were as follows: 
83 t3.gstatic.com 
83 t2.gstatic.com 
78 t1.gstatic.com 
78 t0.gstatic.com
These are some statistics regarding the counts for websites across all router 
logs (i.e. not confined to 15th June): 
grep -r ALLOW /Router/Logs/ | awk -F'ALLOW:|]' '{print$2}' | sort | uniq -c | sort -nr > /Router/Logs/textfile.txt 
3489 t3.gstatic.com 
3483 t1.gstatic.com 
3459 t2.gstatic.com 
3386 t0.gstatic.com 
3228 www.google.co.uk 
1900 l.yimg.com 
1584 s.youtube.com 
1287 www.bbc.co.uk 
These are the top 8 websites for that period. 
Nearly all of the requests came from a LAN address that is reserved in the 
router for my main computer. 
The router is always on (and receives wireless connections as well as wired) 
but the computer is not. 
I did look at some other log files, like auth.log, syslog and user.log but 
unfortunately because the 15th June was the last big upload it seems the log 
files have rolled over and overwritten data that far back. 
So if anyone has any ideas it would be appreciated? 
Thanks

Leo
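
Added example, not part of the original post: a variant of the pipeline above that groups one day's ALLOW entries by LAN source address and hour, and tallies blank hostnames separately instead of mixing them into the host counts. The log line layout (the `Source:` field and the position of the timestamp) is constructed for illustration; the post only shows that the hostname sits between `ALLOW:` and `]`.

```shell
#!/bin/sh
# Constructed sample lines; the real router log layout is an assumption.
sample_log() {
cat <<'EOF'
[ALLOW: s.youtube.com] Source: 192.168.0.2 Saturday, 15 Jun 2013 14:03:11
[ALLOW: l.yimg.com] Source: 192.168.0.2 Saturday, 15 Jun 2013 14:10:40
[ALLOW: ] Source: 192.168.0.2 Saturday, 15 Jun 2013 14:12:02
[ALLOW: www.facebook.com] Source: 192.168.0.7 Saturday, 15 Jun 2013 03:20:00
[ALLOW: www.bbc.co.uk] Source: 192.168.0.2 Sunday, 16 Jun 2013 09:00:00
EOF
}

# summarise DAY
# Reads log lines on stdin and prints one row per (source, hour):
#   <source-ip> <hour> <total ALLOW lines> <lines with a blank hostname>
summarise() {
  day=$1
  grep -F "$day" | awk '
    {
      # Hostname: text after "ALLOW:" up to the next "]" (or end of a cut-off line).
      i = index($0, "ALLOW:")
      if (i == 0) next
      rest = substr($0, i + 6)
      j = index(rest, "]")
      host = (j > 0) ? substr(rest, 1, j - 1) : rest
      gsub(/^[ \t]+|[ \t]+$/, "", host)

      # Source address and hour; fall back to placeholders on truncated lines.
      src = "unknown"; hour = "??"
      if (match($0, /Source: [0-9.]+/))
        src = substr($0, RSTART + 8, RLENGTH - 8)
      if (match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/))
        hour = substr($0, RSTART, 2)

      key = src " " hour
      total[key]++
      if (host == "") blank[key]++
    }
    END {
      for (k in total) printf "%s %d %d\n", k, total[k], blank[k] + 0
    }' | LC_ALL=C sort
}

sample_log | summarise '15 Jun'
```

On real logs, replace `sample_log` with `cat` over the files under /Router/Logs/ and adjust the two `match` patterns to the router's actual line layout.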