# Traffic logging?



## oliver@ (Feb 19, 2013)

Hi,

I noticed that I had accumulated traffic yesterday on one of my IPs of 10GB, which is huge. I am normally at around 40MB of traffic per day.

I reset the ipfw statistics daily, as I use the ipfw counters to count the traffic. The high traffic continued today, so I was able to find out that, at least until the high traffic stopped today, it all concerned port 80.

I checked all Apache access and error logs, but they indicate only low traffic, around my usual 40 MB.

The strange thing is that I have incoming and outgoing traffic of more or less exactly the same size, so it feels like all that happened was just forwarding data - fetching and pushing something.

All I see for today is:
- around 400MB of data was received and sent via [IP]
- both incoming and outgoing data was accumulated together (800MB) with the single "in" rule for port 80

Can someone explain what could cause this? 400 incoming, 400 outgoing, but 800 incoming on port 80?


```
00104 10610333 426926167 count ip from any to [IP] in via re0
00105 10597634 438655193 count ip from [IP] to any out via re0
[...]
00606 21140545 857999844 allow tcp from any to [IP] dst-port 80 in via re0 setup keep-state
[...]
```

The "ipfw show" output from yesterday is not preserved.

Is there any chance to see what happened yesterday? If not, what should be done so I can see what happened if something like this happens again? Do you log all your traffic?


----------



## SirDice (Feb 19, 2013)

Would it be possible for the web application to get hacked? It wouldn't be uncommon to see a sudden rise in bandwidth usage once the bad guys get a hold of the server.


----------



## oliver@ (Feb 19, 2013)

There isn't much running to be hacked, but wouldn't apache log the stuff in access_log?


----------



## SirDice (Feb 19, 2013)

oliver@ said:

> There isn't much running to be hacked, but wouldn't apache log the stuff in access_log?



It depends. Not if it's some broken script that accepts POST data. The call to the script would be logged but not the data.

You can always take a peek at the traffic with tcpdump(1) of course.


----------



## oliver@ (Feb 19, 2013)

Ah OK - so POST data is not logged through access_log - good to know. But at least I should see a large amount of calls to a specific script/page, shouldn't I?

And - I still do not get how these ipfw statistics can be explained. 400MB in, 400MB out but 800 MB in on port 80.


----------



## SirDice (Feb 19, 2013)

oliver@ said:

> Ah OK - so POST data is not logged through access_log - good to know. But at least I should see a large amount of calls to a specific script/page, shouldn't I?


If one of them is vulnerable, yes, I would expect to see that.



> And - I still do not get how these ipfw statistics can be explained.


Can't really help there, I don't use ipfw(4).


----------



## oliver@ (Feb 19, 2013)

OK, but there is no unusual amount of pages accessed. I wonder if it could be explained by something local accessing the IP.

Do you log all your traffic completely? I only log the denied stuff.


----------



## SirDice (Feb 19, 2013)

oliver@ said:

> Do you log all your traffic completely? I only log the denied stuff.


I mainly only log the apache access logs. I don't care too much about port scans or anything else. But in your case it might be worthwhile to keep a tcpdump(1) running and analyze it. Without seeing what's really going on it's going to involve a lot of guesswork.


----------



## oliver@ (Feb 19, 2013)

OK, but the traffic has already been "gone" for 3 hours, so there is nothing I could dump right now. That's why I'm down to guesswork. If the traffic were still being generated, tcpdump would be my first choice, of course.


----------
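Added example, not part of any post in the thread: a small Python check that reconciles the `ipfw show` counters quoted in the first post with the bytes an Apache access_log accounts for. The access_log lines are constructed samples in the "combined" format, and the idea that the keep-state rule also counts reply packets of the connections it set up is an assumption the thread does not confirm; the code only tests the arithmetic.

```python
import re

# The three counter lines quoted in the first post.
IPFW_SHOW = """\
00104 10610333 426926167 count ip from any to [IP] in via re0
00105 10597634 438655193 count ip from [IP] to any out via re0
00606 21140545 857999844 allow tcp from any to [IP] dst-port 80 in via re0 setup keep-state
"""

# Constructed access_log lines ("combined" format); not taken from the thread.
ACCESS_LOG = """\
192.0.2.10 - - [19/Feb/2013:10:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "curl/7.24"
192.0.2.11 - - [19/Feb/2013:10:00:05 +0100] "POST /upload.php HTTP/1.1" 200 312 "-" "curl/7.24"
192.0.2.11 - - [19/Feb/2013:10:00:09 +0100] "GET /missing HTTP/1.1" 404 - "-" "curl/7.24"
"""

RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_ipfw_show(text):
    """Map rule number -> (packets, bytes, rule body) from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # "[...]" and blank lines do not match and are skipped
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules

def logged_bytes_by_path(text):
    """Sum the response-size field per (method, path); '-' means no body sent."""
    totals = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            key = (m.group("method"), m.group("path"))
            size = 0 if m.group("size") == "-" else int(m.group("size"))
            totals[key] = totals.get(key, 0) + size
    return totals

def reconcile(rules, in_rule, out_rule, state_rule, logged):
    """Compare firewall byte counters with what access_log accounts for."""
    inb, outb, stateb = (rules[r][1] for r in (in_rule, out_rule, state_rule))
    return {
        "in_plus_out": inb + outb,
        # Near 1.0 means the stateful rule's counter covers both directions.
        "state_rule_share": stateb / (inb + outb),
        # Approximate: the log's size field excludes headers and TCP/IP overhead.
        "unlogged_out": outb - sum(logged.values()),
    }

REPORT = reconcile(parse_ipfw_show(IPFW_SHOW), 104, 105, 606,
                   logged_bytes_by_path(ACCESS_LOG))
```

With the thread's numbers the port 80 rule holds about 99% of the in and out counters combined. Adding mod_logio's `%I` and `%O` to the Apache LogFormat records bytes received and sent per request, so request bodies such as POST data show up in the per-path totals as well.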

