How to detect "strange traffic" source?
Hi guys, I've been using Cacti to see the most important graphs for our server (bandwidth, processes, load, memory, ...). Unfortunately Cacti shows overall resource usage and I'm unable to find details about user accounts' or processes' resource usage. "top" via ssh is ok but doesn't show anything about bandwidth, which is what concerns me now. It only shows that load is mostly generated by httpd (only a small amount of clicks). I've checked the email queue too; it's empty, so it's probably not a spammer.
I'm copying my Cacti graphs below, please note the unusual bandwidth that started after 03:30.
I'm getting worried that something bad is happening and I'm unable to check it and stop it.
Is there any way I can determine the source of this traffic? At least which domain is transferring the data or causing any of the "anomalies" on the graphs above?
Thanks VERY MUCH guys, all your help is very much appreciated.
Best regards,
Motyl