WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] unknown income traffic

To: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Subject: Re: [Xen-users] unknown income traffic
From: Jingyun He <jingyun.ho@xxxxxxxxx>
Date: Thu, 24 Dec 2009 14:36:56 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 24 Dec 2009 05:37:41 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=5oAsjrMEyvx8xIEPndXwWVzTAp2iowFAUA2el6gI+dI=; b=fwuK3TjMdQ5ntrWbmQUKCUxQBpCwxblRAN0X+U0cEL9ac5Eyy9Dox6XQphKwIGnyl3 06PyeyJE4No1mu5nqQrVBpqFX3IUlURQ5T6Cjt5W6k+WCanrfmkveZQgSwmKOyIAUDtK 3FX8cmnZLEghLyIcezpZjmUCJHDEWOIUwEqIY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=pJI1+bDqavcmIhunMio1Oyagzqph3lUUti07fT0p4xHik4Hr/x5bUAcqYWSdQC/fUI jwNUrErmgO45LZxIkOamghSTdvcgCb75uG6FDuZ56YpN8DXL5rbhm6SY69SMdtAtq820 NTeW8m5yKT7G5nmnbeDnTtLM5Lrx1QIJaJi0Q=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <7207d96f0912240455h5f01716bn9a62ae8b69ad723@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <2f88f10c0912240228v758ec9l7a4675338de1ac77@xxxxxxxxxxxxxx> <7207d96f0912240455h5f01716bn9a62ae8b69ad723@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi, this does not happen every minute, about 2-3 times a day, and
every time, it lasts only a few minutes.
I just run tcpdump for a few hours, and finally catch the following log,

Note:
xx.xx.198.137 is the ip of the vps I monitored.
xx.xx.*.* are the IPs of other VPS in the same node.


20:58:32.989397 IP xx.xx.211.92.http > 117.72.30.40.20552: P
5841:6688(847) ack 0 win 6432
20:58:32.989542 IP xx.xx.211.92.http > 123.12.61.82.ms-olap3: .
2785:6961(4176) ack 628 win 222
20:58:32.991347 IP 60.183.107.50.rfio > xx.xx.211.92.http: . ack 204 win 65126
20:58:33.035922 IP xx.xx.198.132.http > 120.195.63.68.50868: F
387410363:387410363(0) ack 1511956329 win 64
20:58:33.161251 IP 78.140.135.88.http > xx.xx.198.143.46752: FP
8760:10804(2044) ack 1 win 14
20:58:33.161761 IP 58.35.202.245.50457 > xx.xx.198.144.http: . ack 1 win 16560
20:58:33.161837 IP 120.84.138.36.3981 > xx.xx.211.90.http: P
281:552(271) ack 18274 win 65535
20:58:33.161925 IP 58.35.202.245.50457 > xx.xx.198.144.http: P
1:587(586) ack 1 win 16560
20:58:33.162031 IP 218.9.169.49.ndm-server > xx.xx.198.132.http: . ack
159 win 65377
20:58:33.162133 IP 58.35.202.245.50454 > xx.xx.198.144.http: . ack 146 win 16524
20:58:33.162235 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http:
. ack 2881 win 17280
20:58:33.162343 IP 113.143.59.197.fxaengine-net > xx.xx.198.166.http:
. ack 4321 win 17280
20:58:33.164652 IP 121.235.117.181.64640 > xx.xx.211.92.http: . ack
30002 win 16560
20:58:33.164723 IP 114.223.45.164.46063 > xx.xx.211.68.http: . ack
11520 win 5760
20:58:33.164778 IP 117.40.139.233.gsi > xx.xx.198.132.http: P
4140074179:4140074716(537) ack 383888910 win 63532
20:58:33.164836 IP 58.246.152.142.52171 > xx.xx.198.164.http: . ack
204 win 64565
20:58:33.164993 IP 72.247.74.110.https > xx.xx.198.143.24135: P
29614:32534(2920) ack 898 win 1940
20:58:33.165494 IP 72.247.74.110.https > xx.xx.198.143.24135: P
32534:41294(8760) ack 898 win 1940


On Thu, Dec 24, 2009 at 1:55 PM, Fajar A. Nugraha <fajar@xxxxxxxxx> wrote:
> On Thu, Dec 24, 2009 at 5:28 PM, Jingyun He <jingyun.ho@xxxxxxxxx> wrote:
>> so I used tcpdump to monitor the traffic in that vps, and found that
>> these unknown incoming traffic belonged to other VPS.
>
> What kind? arp? ICMP? UDP? TCP?
>
> If you use bridged setup, linux bridge should be smart enough to act
> as smart L2 switch so that most traffic will only go to the correct
> port/interface. However, some traffic (like arp, broadcast, or
> multicast) will go to all ports, and there's not much you can do about
> that.
>
> --
> Fajar
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users