I'm not sure if the traffic shown by munin graphics is normal or not because it seems it jumps to 2mbps in the morning and after a few hours drops down to .5mbps.
I don't host any storage websites, which should have lots of uploads, just normal websites, maybe a total of 10000 unique visitors/day on all accounts (I estimate this as I don't know how to find out exactly the number of visitors on all websites hosted on this server - 182 accounts).
My question is how can I see what exactly is making that traffic, maybe using a netstat command to see what processes are using the bandwidth. Any info on how I can see some useful information is appreciated.
With iptables you can check which IPs are sending more traffic, I guess after that you could just list the processes associated with the particular VM and find out what is causing that bandwidth usage.
You can add two iptable forward rules for each IP. Then just count the traffic when you're done.
I'm assuming you have a different IP for each website though, if that's not the case this won't work of course.
No, I don't have a different IP for each of the 182 websites hosted on that server, I only have 2 websites which have a unique IP, and the other websites are hosted on the same IP. I use 3 of 5 available IPs on my server.
I should understand there is no simple way/command to sort IPs or processes by the traffic volume?
Your traffic looks pretty normal to me. Are you running separate IPs for each site you host? Is your traffic predominantly web traffic? If so, you can get Apache to log bandwidth usage for each request and then use an analysis tool such as Analog on the log files (or just write a quick script to produce a bandwidth count for each user).
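A sketch of the "quick script" approach from the reply above, added here as an example and not posted by anyone in the thread. It assumes Apache writes one shared log with the hypothetical format `LogFormat "%v %h %l %u %t \"%r\" %>s %b"`, so every line starts with the virtual host name; the host names and log lines are constructed samples.

```python
import re
from collections import Counter

# Assumed LogFormat (not from the thread): "%v %h %l %u %t \"%r\" %>s %b"
# %b is the response size without headers and is "-" when no body was sent.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:[^"\\]|\\.)*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines, including one malformed entry.
SAMPLE_LOG = [
    'site-a.example 192.0.2.10 - - [12/Mar/2007:08:01:02 +0200] "GET /index.php HTTP/1.1" 200 15320',
    'site-b.example 198.51.100.7 - - [12/Mar/2007:08:01:05 +0200] "GET /big.zip HTTP/1.1" 200 52428800',
    'site-a.example 192.0.2.10 - - [12/Mar/2007:08:01:09 +0200] "GET /logo.png HTTP/1.1" 304 -',
    'truncated or corrupt line',
    'site-c.example 203.0.113.5 - - [12/Mar/2007:08:02:11 +0200] "POST /contact HTTP/1.1" 200 2048',
]


def bandwidth_report(lines):
    """Sum bytes sent per virtual host and per client IP.

    Returns (per_vhost, per_client, skipped), where skipped counts
    lines that did not match the assumed log format.
    """
    per_vhost, per_client, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        per_vhost[m["vhost"]] += sent
        per_client[m["client"]] += sent
    return per_vhost, per_client, skipped


if __name__ == "__main__":
    vhosts, clients, skipped = bandwidth_report(SAMPLE_LOG)
    for name, total in vhosts.most_common():
        print(f"{total:>12} bytes  {name}")
    for ip, total in clients.most_common(3):
        print(f"{total:>12} bytes  from {ip}")
    print(f"{skipped} unparsed line(s)")
```

This only accounts for traffic Apache serves; with mod_logio loaded, `%O` in place of `%b` counts headers as well.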
As I see, the traffic comes on 25,26 ports. I found connections on 26 with more than 50.000.000 bytes, even 100.000.000 bytes. Anyway the traffic in munin logs is maintaining at 2mbit even if there were no active connections on port 25 and 26, and I didn't see any :80 traffic coming in.
Now I'm almost sure that the traffic is caused by users who are sending emails when they arrive at work, but I'm not convinced 100%; it's still weird that it is maintaining at that speed even if there are no 26 connections.
I tried to install iftop using yum install iftop but it didn't work:
yum -y install iftop
Setting up Install Process
Setting up repositories
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Excluding Packages in global exclude list
Parsing package install arguments
No Match for argument: iftop
Nothing to do
I know what ports 25 and 26 are for, both are used for SMTP. In Romania we have a few internet providers which blocked port 25, I don't know why, and a few clients could not send emails anymore. I told them to use port 26 and it's OK.
My server requires SMTP authentication.
I have installed iftop, and it seems nice, for what I needed it's better than iptraf, you see the bandwidth usage better.
I'll wait till next Monday to check up the traffic, because on weekends the traffic is normal; only on work days, in the morning, I get a lot of traffic coming in to the server.