[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] unknown income traffic

  • To: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • From: Jingyun He <jingyun.ho@xxxxxxxxx>
  • Date: Thu, 24 Dec 2009 14:36:56 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 24 Dec 2009 05:37:41 -0800
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=pJI1+bDqavcmIhunMio1Oyagzqph3lUUti07fT0p4xHik4Hr/x5bUAcqYWSdQC/fUI jwNUrErmgO45LZxIkOamghSTdvcgCb75uG6FDuZ56YpN8DXL5rbhm6SY69SMdtAtq820 NTeW8m5yKT7G5nmnbeDnTtLM5Lrx1QIJaJi0Q=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
Hi, this does not happen every minute, about 2-3 times a day, and
every time, it lasts only a few minutes.
I just run tcpdump for a few hours, and finally catch the following log,

Note:
xx.xx.198.137 is the ip of the vps I monitored.
xx.xx.*.* are the IPs of other VPS in the same node.


20:58:32.989397 IP xx.xx.211.92.http > 117.72.30.40.20552: P
5841:6688(847) ack 0 win 6432
20:58:32.989542 IP xx.xx.211.92.http > 123.12.61.82.ms-olap3: .
2785:6961(4176) ack 628 win 222
20:58:32.991347 IP 60.183.107.50.rfio > xx.xx.211.92.http: . ack 204 win 65126
20:58:33.035922 IP xx.xx.198.132.http > 120.195.63.68.50868: F
387410363:387410363(0) ack 1511956329 win 64
20:58:33.161251 IP 78.140.135.88.http > xx.xx.198.143.46752: FP
8760:10804(2044) ack 1 win 14
20:58:33.161761 IP 58.35.202.245.50457 > xx.xx.198.144.http: . ack 1 win 16560
20:58:33.161837 IP 120.84.138.36.3981 > xx.xx.211.90.http: P
281:552(271) ack 18274 win 65535
20:58:33.161925 IP 58.35.202.245.50457 > xx.xx.198.144.http: P
1:587(586) ack 1 win 16560
20:58:33.162031 IP 218.9.169.49.ndm-server > xx.xx.198.132.http: . ack
159 win 65377
20:58:33.162133 IP 58.35.202.245.50454 > xx.xx.198.144.http: . ack 146 win 16524
20:58:33.162235 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http:
. ack 2881 win 17280
20:58:33.162343 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http:
. ack 4321 win 17280
20:58:33.164652 IP 121.235.117.181.64640 > xx.xx.211.92.http: . ack
30002 win 16560
20:58:33.164723 IP 114.223.45.164.46063 > xx.xx.211.68.http: . ack
11520 win 5760
20:58:33.164778 IP 117.40.139.233.gsi > xx.xx.198.132.http: P
4140074179:4140074716(537) ack 383888910 win 63532
20:58:33.164836 IP 58.246.152.142.52171 > xx.xx.198.164.http: . ack
204 win 64565
20:58:33.164993 IP 72.247.74.110.https > xx.xx.198.143.24135: P
29614:32534(2920) ack 898 win 1940
20:58:33.165494 IP 72.247.74.110.https > xx.xx.198.143.24135: P
32534:41294(8760) ack 898 win 1940


On Thu, Dec 24, 2009 at 1:55 PM, Fajar A. Nugraha <fajar@xxxxxxxxx> wrote:
> On Thu, Dec 24, 2009 at 5:28 PM, Jingyun He <jingyun.ho@xxxxxxxxx> wrote:
>> so I used tcpdump to monitor the traffic in that vps, and found that
>> these unknown incoming traffic belonged to other VPS.
>
> What kind? arp? ICMP? UDP? TCP?
>
> If you use bridged setup, linux bridge should be smart enough to act
> as smart L2 switch so that most traffic will only go to the correct
> port/interface. However, some traffic (like arp, broadcast, or
> multicast) will go to all ports, and there's not much you can do about
> that.
>
> --
> Fajar
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.