Figuring out what process is eating bandwidth?
Charles Curley
charlescurley at charlescurley.com
Sat Jan 28 15:17:19 MST 2006
On Sat, Jan 28, 2006 at 02:20:30PM -0700, Byron Clark wrote:
> On Sat, Jan 28, 2006 at 02:13:40PM -0700, Charles Curley wrote:
> > On Sat, Jan 28, 2006 at 12:35:57PM -0700, Steve wrote:
> > > Doh! Yeah, ok so I did miss the point.
> > >
> > > On 1/28/06, Byron Clark <byron at theclarkfamily.name> wrote:
> > > > On Sat, Jan 28, 2006 at 12:22:18PM -0700, Steve wrote:
> > > > > I'm curious as to whats wrong with netstat for this purpose?
> > > > > Or am I missing the point?
> > > >
> > > > I believe the original poster wanted to find how much bandwidth was
> > > > being used by a process. While netcat will show you which ports a
> > > > process is bound to, it will not show how much data is being sent over
> > > > those ports.
> > > >
> >
> > Not necessarily. Could you write a script to crunch Ethereal data and
> > use netstat to divide the packets up by processes?
>
> Yes, as long as all the connections you care about are present in the
> netstat output when you process the pcap data. That sure sounds like a
> race to me. It may be good enough if you only care about long lived
> connections, but I don't think it's possible to get a completely
> accurate count of bandwidth usage with this method.
>
There are three things you can do about this.

1. You could run netstat from time to time while you collect packets
   with Ethereal, and collate the results. That should get most of the
   connections.

2. Perhaps gathering statistics with netstat over a period of time would
   get you what you want. I haven't tried it.

3. Nothing.
Ross was looking for a way to see which processes were eating up his
bandwidth. I suspect that those processes would keep their connections
open long enough to be detected.
On the other tentacle, what if the bandwidth hog is using UDP? Netstat
will detect sockets running over UDP, but I don't think it will detect
pure UDP packet operations like the time protocol.
Since UDP is not a good idea for large amounts of data (unless the
program does its own connection maintenance on top of UDP, as SMB used
to do), a lot of UDP traffic might suggest a rootkit. So maybe an
Ethereal only exercise might be worthwhile.
--
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
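The collation approach discussed in this thread (periodic netstat snapshots matched against a packet capture), written out as an added example. This is not code from the thread or from any of its participants. The input formats are assumptions: each snapshot is a timestamp plus a list of (proto, local, remote, pid, program) tuples of the kind `netstat -tunp` reports, and each packet is (timestamp, proto, src, dst, length) as a script could pull from an Ethereal or tcpdump capture. All sample data below is constructed. A packet is matched against the latest snapshot at or before it and, failing that, the next snapshot after it, so a connection opened between two snapshots is still found; anything that appears in no snapshot (the race Byron describes, and pure UDP traffic with no bound socket) is reported separately per protocol rather than silently dropped.

```python
"""Attribute captured bytes to local processes by collating netstat
snapshots with packet records.  Added example; assumed input formats."""

from bisect import bisect_right
from collections import defaultdict

# Constructed sample snapshots: (taken_at, [(proto, local, remote, pid, program)]).
# remote "*:*" means the socket has no peer (unconnected UDP or listening TCP).
SNAPSHOTS = [
    (0.0, [
        ("tcp", "192.168.1.5:45120", "203.0.113.10:80", 4321, "firefox"),
        ("udp", "0.0.0.0:123", "*:*", 987, "ntpd"),
    ]),
    (60.0, [
        ("tcp", "192.168.1.5:45120", "203.0.113.10:80", 4321, "firefox"),
        ("tcp", "192.168.1.5:45200", "203.0.113.20:873", 5555, "rsync"),
        ("udp", "0.0.0.0:123", "*:*", 987, "ntpd"),
    ]),
]

# Constructed packet records: (ts, proto, src, dst, length).
PACKETS = [
    (5.0,  "tcp", "203.0.113.10:80", "192.168.1.5:45120", 1500),   # firefox, inbound
    (6.0,  "tcp", "192.168.1.5:45120", "203.0.113.10:80", 100),    # firefox, outbound
    (30.0, "udp", "192.168.1.5:123", "198.51.100.7:123", 76),      # ntpd, bound to 0.0.0.0:123
    (45.0, "tcp", "192.168.1.5:45200", "203.0.113.20:873", 1400),  # rsync, opened between snapshots
    (50.0, "tcp", "192.168.1.5:45300", "203.0.113.30:22", 900),    # short-lived, in no snapshot
    (70.0, "udp", "192.168.1.5:51000", "203.0.113.40:5000", 1200), # pure UDP, no socket seen
]

LOCAL_IPS = {"192.168.1.5"}  # assumed: addresses of the monitored host


def _split(addr):
    """'host:port' -> (host, port); works for '[::1]:123' as well."""
    host, _, port = addr.rpartition(":")
    return host, port


def _candidate_keys(proto, local, remote):
    """Lookup keys from most to least specific: exact 5-tuple first, then the
    socket bound to the wildcard address, then sockets with no peer."""
    _, port = _split(local)
    yield (proto, local, remote)
    yield (proto, local, "*:*")
    for anyhost in ("0.0.0.0", "::", "*"):
        yield (proto, f"{anyhost}:{port}", remote)
        yield (proto, f"{anyhost}:{port}", "*:*")


def index_snapshots(snapshots):
    """Sort snapshots by time; return (times, tables) where each table maps
    (proto, local, remote) -> (pid, program)."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    times = [t for t, _ in ordered]
    tables = [{(p, l, r): (pid, prog) for p, l, r, pid, prog in conns}
              for _, conns in ordered]
    return times, tables


def _lookup(times, tables, ts, proto, local, remote):
    """Try the latest snapshot at or before ts, then the next one after it."""
    i = bisect_right(times, ts)
    for idx in [j for j in (i - 1, i) if 0 <= j < len(tables)]:
        table = tables[idx]
        for key in _candidate_keys(proto, local, remote):
            if key in table:
                return table[key]
    return None


def attribute(packets, snapshots, local_ips):
    """Return {'program/pid' or 'unattributed/proto': {'in': bytes, 'out': bytes}}."""
    times, tables = index_snapshots(snapshots)
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for ts, proto, src, dst, length in packets:
        src_host, _ = _split(src)
        if src_host in local_ips:
            local, remote, direction = src, dst, "out"
        else:
            local, remote, direction = dst, src, "in"
        owner = _lookup(times, tables, ts, proto, local, remote)
        name = f"{owner[1]}/{owner[0]}" if owner else f"unattributed/{proto}"
        totals[name][direction] += length
    return dict(totals)


if __name__ == "__main__":
    for name, b in sorted(attribute(PACKETS, SNAPSHOTS, LOCAL_IPS).items()):
        print(f"{name:20s} in={b['in']:7d} out={b['out']:7d}")
```

Snapshots are only as good as their spacing: the tighter the netstat interval, the fewer connections fall through the gap, and a large "unattributed/udp" line is the cue to go back to the capture alone, as the message above suggests.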