How do I audit network connections that exceed a certain amount of traffic or bandwidth on Linux?

Solution 1:

You can easily track per-process network statistics using nethogs. There is a precompiled package for Debian.

It works similarly to top:

NetHogs version 0.8.0

  PID USER     PROGRAM                             DEV        SENT        RECEIVED
11951 dawud    /usr/lib64/firefox/firefox          p5p1       4.682       5.502 KB/sec
1145  tomcat   java                                p5p1       0.313       0.560 KB/sec
12411 dawud    /usr/lib64/firefox/plugin-container p5p1       0.027       0.013 KB/sec

TOTAL                                                         5.022       6.075 KB/sec

Check its manpage for further options.

Solution 2:

I would modify your sensu (nagios?) plugin to run a ps or top command and dump the output to a local file. Then go back and correlate your spikes to the ps/top output to figure out what is going on.

If you don't want to or can't do the change, look at sar or atop.

EDIT: Next idea: run tcpdump, then review the traffic in Wireshark.
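Added example, not code from either answer: a small POSIX shell watcher that implements the second answer's idea of dumping process and socket state to a local file whenever the interface rate crosses a threshold, so the dump can be correlated with the monitoring spike afterwards. It assumes a Linux /proc/net/dev; the interface name, threshold, interval and dump directory (IFACE, THRESHOLD_KBPS, INTERVAL, DUMP_DIR) are made-up defaults.

```shell
#!/bin/sh
# Added example: threshold-triggered snapshot of sockets and processes.
# All defaults below are assumptions; override them via the environment.
IFACE="${IFACE:-eth0}"
THRESHOLD_KBPS="${THRESHOLD_KBPS:-1024}"   # alert above this many KB/s
INTERVAL="${INTERVAL:-5}"                  # seconds between samples
DUMP_DIR="${DUMP_DIR:-/var/tmp/netaudit}"  # where snapshots are written

# Sum of rx+tx byte counters for one interface, read from /proc/net/dev.
# Layout: "<iface>: rx_bytes ... (8 rx fields) tx_bytes ..." so tx is field 9.
iface_bytes() {
  awk -v ifc="$1" '{
    split($0, a, ":"); n = a[1]; gsub(/ /, "", n)
    if (n == ifc) { split(a[2], f, " "); print f[1] + f[9] }
  }' /proc/net/dev
}

# exceeds_threshold BYTES_BEFORE BYTES_AFTER SECONDS THRESHOLD_KBPS
# Succeeds (exit 0) when the average rate over the window is above the threshold.
exceeds_threshold() {
  rate_kbps=$(( ($2 - $1) / 1024 / $3 ))
  [ "$rate_kbps" -gt "$4" ]
}

# Record who holds sockets and what is busy right now, timestamped for later
# correlation with the alert from the monitoring system.
snapshot() {
  mkdir -p "$DUMP_DIR"
  stamp=$(date +%Y%m%d-%H%M%S)
  {
    echo "== ss -tunp =="; ss -tunp 2>/dev/null
    echo "== ps (top 30 by CPU) =="
    ps -eo pid,user,%cpu,%mem,cmd --sort=-%cpu | head -n 30
  } > "$DUMP_DIR/snapshot-$stamp.txt"
}

# Sampling loop; only runs when invoked as: ./netaudit.sh --watch
if [ "${1:-}" = "--watch" ]; then
  before=$(iface_bytes "$IFACE")
  while sleep "$INTERVAL"; do
    after=$(iface_bytes "$IFACE")
    if exceeds_threshold "$before" "$after" "$INTERVAL" "$THRESHOLD_KBPS"; then
      snapshot
    fi
    before=$after
  done
fi
```

ss only reports the owning process for sockets the caller is allowed to inspect, so run the watcher as root to cover every user's connections.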