TurnKey Linux Virtual Appliance Library

Strange Mystery Bandwidth Spike 8 gigs total at reboot

I have been getting HUGE mystery bandwidth spikes here and there (about 5 in total over a 2 month period). I've just verified it happened yesterday on two micro LAMP instances (extremely low traffic, development only).

It is a 4 GB in, 4 GB out spike (or slightly lower, 3.7-4.0). It occurs on the graph in the hub interface as happening in exactly the 5 minute interval on the graph (zero just before and zero just after).

This morning I saw it on the graphs for yesterday, so I started poking through some logs and found that it occurred exactly when I rebooted both servers.

Any thoughts on what might be causing this? There is only a slight blip on the CPU and I/O for the reboots (about 60% CPU and about 89 MB Read, 8 MB Write for I/O), which to me simply represents the activity of the reboots.

Since every single time the whole 8 GB (4 in and 4 out) happens all within the one 5 minute timeslice, I'm assuming it is all happening within much less than the 5 minutes.

PLEASE HELP. Other than the cost implications ($1 to reboot a server? haha), this is a security mystery, a setup mystery, a certain amount of doubt about the accuracy of the reporting, and a blip this size makes the last 2 weeks of bandwidth completely unreadable (other than the blip, everything else shows up as zero because it's so relatively low).

I've just rebooted both servers in question to try to reproduce the behavior, but everything looks totally normal on stats.

Thanks!

Rick 


Strange

Micro instances have network attached storage (essentially - the specifics are probably slightly different) so when you reboot you are creating network traffic.

In saying that, 8GB is simply huge. Is it bytes or bits? Either way it would be at least 1 gigabyte, which is still a lot.

You really need to find out what's going on here, and personally I like iptraf.
You will have to install it first:

apt-get install iptraf

and then just type

iptraf -i eth0

to run it. It is capable of a ton of things but obviously your desired option is to watch traffic.

There are a million traffic monitors out there; the point is to find one you like and watch what happens.
I know a lot of people also use iftop, which is like top for monitoring memory.

Chris Musty

Director

Specialised Technologies
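A way to cross-check the 5 minute hub graph from inside the instance, as an added example that is not part of the original thread: this Python script samples the kernel's per-interface byte counters in /proc/net/dev and prints the bytes moved in each interval. The 5 second interval, the function names and the sample values are assumptions made for the illustration.

```python
import time

def parse_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines():
        name, sep, fields = line.partition(":")
        cols = fields.split()
        # The two header lines have no "iface:" prefix and are skipped.
        if sep and len(cols) >= 16:
            counters[name.strip()] = (int(cols[0]), int(cols[8]))
    return counters

def deltas(prev, curr):
    """Bytes moved between two snapshots: {iface: (rx, tx, reset)}."""
    out = {}
    for iface, (rx, tx) in curr.items():
        if iface not in prev:
            continue  # interface appeared between samples, no baseline yet
        prx, ptx = prev[iface]
        # Counters restart at zero after a reboot or interface reset.
        # A counter that went down is counted from zero, never subtracted
        # as if it had wrapped, which would report a huge bogus transfer.
        reset = rx < prx or tx < ptx
        if reset:
            prx, ptx = 0, 0
        out[iface] = (rx - prx, tx - ptx, reset)
    return out

def sample(rx, tx):
    """Constructed /proc/net/dev text with one eth0 row (not real data)."""
    row = [rx, 10, 0, 0, 0, 0, 0, 0, tx, 10, 0, 0, 0, 0, 0, 0]
    return ("Inter-|   Receive |  Transmit\n"
            " face |bytes packets|bytes packets\n"
            "  eth0: " + " ".join(map(str, row)) + "\n")

if __name__ == "__main__":
    INTERVAL = 5  # seconds; assumption, much finer than a 5 minute graph
    with open("/proc/net/dev") as f:
        prev = parse_net_dev(f.read())
    while True:
        time.sleep(INTERVAL)
        with open("/proc/net/dev") as f:
            curr = parse_net_dev(f.read())
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for iface, (rx, tx, reset) in sorted(deltas(prev, curr).items()):
            print(stamp, iface, "rx", rx, "tx", tx, "RESET" if reset else "")
        prev = curr
```

Redirecting the output to a file on disk keeps the readings from just before shutdown and just after boot, so they can be compared with the hub graph for the same 5 minute slice.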
