# Netstat output question



## jem (Feb 17, 2011)

I rent a dedicated server from a hosting company upon which I run FreeBSD.  I'm concerned that the hosting company's network seems to be sending traffic to my host that isn't destined for it.

If I watch tcpdump output, I see many packets that have neither a source nor a destination address matching my server's IP address(es) and which aren't broadcast packets either.  I'm wondering if they have something misconfigured on their network.

Given that my hosting package has a monthly data allowance, and that they measure this at the switch ports, I'm worried that it is being used up by traffic that has nothing to do with my host.

What I want to do is set up some RRD graphs separately showing total bytes received by the interface and bytes received for my IP addresses to highlight the difference, and I wonder if the following netstat command can tell me this:

`# netstat -biI bge0`

That gives the following output:


```
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
bge0   1500 <Link#1>      00:1e:c9:fe:1b:e0  2219963     0     0  511067854   633802     0  310133794     0
bge0   1500 (netaddr1)    beastie             575776     -     -  347168026   633797     -  301260426     -
bge0   1500 (netaddr2)    alias1                 922     -     -      62309        0     -          0     -
bge0   1500 (netaddr3)    alias2                  13     -     -        564        0     -          0     -
bge0   1500 (netaddr4)    alias3                  14     -     -        636        0     -          0     -
```

Am I correct in thinking that the first line for `<Link#1>` is showing the total number of packets received by the physical interface, while the `(netaddr[1234])` lines are showing the counts for packets destined specifically for my host's IP addresses?

If this is the case, this would seem to be evidence of the large difference between total traffic received and that which is destined for my host and I'll need to raise it with the hosting company.  If I can show them some shiny graphs, it might make it easier to convince them something is not right.


----------
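
Added example, not part of any post in this thread: an sh/awk filter that takes the `netstat -biI` output shown in the question and computes the gap between the interface-level `Ibytes` and the per-address `Ibytes`, which is the figure to be graphed. It assumes the reading proposed in the question (the `<Link#1>` row is the interface total, the other rows are per-address counters); the function names `ibytes_split` and `sample_netstat` are made up here.

```shell
#!/bin/sh
# Added example: split the Ibytes column of `netstat -biI <if>` output into
# interface total vs. bytes counted against the host's own addresses.
# Assumption (the reading proposed in the question): the <Link#N> row is the
# whole-interface counter and every other row is a per-address counter.

# Sample input: the output posted in the question, reproduced for offline runs.
sample_netstat() {
    cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
bge0   1500 <Link#1>      00:1e:c9:fe:1b:e0  2219963     0     0  511067854   633802     0  310133794     0
bge0   1500 (netaddr1)    beastie             575776     -     -  347168026   633797     -  301260426     -
bge0   1500 (netaddr2)    alias1                 922     -     -      62309        0     -          0     -
bge0   1500 (netaddr3)    alias2                  13     -     -        564        0     -          0     -
bge0   1500 (netaddr4)    alias3                  14     -     -        636        0     -          0     -
EOF
}

# ibytes_split: reads netstat -biI output on stdin and prints
# "<total> <addressed> <other>" (cumulative byte counters since boot).
ibytes_split() {
    awk '
    $1 == "Name" {
        # Locate Ibytes relative to the right edge: a row with an empty
        # Address column loses a field on the left, not on the right.
        for (i = 1; i <= NF; i++)
            if ($i == "Ibytes") { off = NF - i; have_hdr = 1 }
        next
    }
    !have_hdr || NF <= off { next }
    {
        v = $(NF - off)
        if (v !~ /^[0-9]+$/) next          # skip "-" or malformed cells
        if ($3 ~ /^<Link#[0-9]+>$/) { total += v; seen_link = 1 }
        else addressed += v
    }
    END {
        if (!seen_link) exit 1             # no link-level row: refuse to guess
        # %.0f rather than %d: some awk builds clamp %d at 2^31-1
        printf "%.0f %.0f %.0f\n", total, addressed, total - addressed
    }'
}

# On the server itself: netstat -biI bge0 | ibytes_split
sample_netstat | ibytes_split   # -> 511067854 347231535 163836319
```

The three values are running counters, so a grapher should store them as counter-type data and plot the rate; the third value is the traffic the interface received that was not counted against any of the host's addresses.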



## SirDice (Feb 17, 2011)

jem said:

> If I watch tcpdump output, I see many packets that have neither a source nor a destination address matching my server's IP address(es) and which aren't broadcast packets either.  I'm wondering if they have something misconfigured on their network.


It's possible the switch you are connected to is in a "fail-open" state. It does this when its CAM table is flooded and it basically turns a switch into a hub.


----------



## DutchDaemon (Feb 17, 2011)

Or you're actually on a hub


----------



## aragon (Feb 18, 2011)

The traffic might be multicast too.  Many switches treat multicast the same as broadcast...


----------

