If you are getting alerts from Nagios (Bandwidth Monitoring using Nagios) or from the check_bandwidth script (Bandwidth Monitoring script) about high bandwidth usage on your server, you should find the cause. In my experience the following two commands help a lot when digging into this issue. (Personally I prefer iftop 😉)
1 ) vnstat
vnStat is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s). However, it isn't a packet sniffer.
The traffic information is analyzed from the proc and sys filesystems depending on availability. That way vnStat can be used even without root permissions on most systems.
# yum install vnstat
Calculate how much traffic goes through the selected interface during the given time in seconds. The time will be 5 seconds
You can change the default interface using the option "vnstat -u -i eth2". Also, to keep the database updated, you can add the following entry to your crontab:
*/5 * * * * if [ -x /usr/bin/vnstat ] && [ `ls /var/lib/vnstat/ | wc -l` -ge 1 ]; then /usr/bin/vnstat -u; fi
(If you're not satisfied with the appearance of vnStat's command-line interface, you can install Bjorge Dijkstra's PHP-based Web front end for vnStat (http://www.sqweek.com/sqweek/files/vnstat_php_frontend-1.5.1.tar.gz), which takes the data collected by the command-line vnStat and displays it in tables and graphically in your browser. The front end requires a Web server configured with PHP, with php-gd installed.)
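The interface byte counters that vnStat reads from the proc filesystem can also be sampled by hand to get the kind of 5-second rate described above, without root. This is an added example, not part of the original post or of vnStat's own code; it assumes Linux's /proc/net/dev, and the function names, the IFACE variable and the two sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: estimate throughput from two /proc/net/dev samples.
# Constructed snapshots (not real measurements), taken 5 seconds apart.
SAMPLE_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104000     900    0    0    0     0          0         0   104000     900    0    0    0     0       0          0
  eth0: 5000000    4000    0    0    0     0          0         0  2000000    3000    0    0    0     0       0          0'
SAMPLE_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104000     900    0    0    0     0          0         0   104000     900    0    0    0     0       0          0
  eth0: 11250000   9000    0    0    0     0          0         0  2625000    3500    0    0    0     0       0          0'

# Print "rx_bytes tx_bytes" for interface $1 from /proc/net/dev text on stdin.
iface_counters() {
    awk -v ifc="$1" '
        { sub(/^[ \t]+/, "") }          # strip the leading padding
        index($0, ifc ":") == 1 {       # exact name match: "eth" must not match "eth0:"
            sub(/^[^:]*:/, "")          # drop the name; counters may touch the colon
            print $1, $9                # field 1 = rx bytes, field 9 = tx bytes
            found = 1
        }
        END { exit !found }'            # non-zero exit if the interface is missing
}

# Print "rx_kbit_s tx_kbit_s" for IFACE given two snapshots and the seconds between them.
rate_kbits() {   # usage: rate_kbits IFACE SNAP0 SNAP1 SECONDS
    c0=$(printf '%s\n' "$2" | iface_counters "$1") || return 1
    c1=$(printf '%s\n' "$3" | iface_counters "$1") || return 1
    echo "$c0 $c1 $4" | awk '{
        rx = $3 - $1; tx = $4 - $2
        # A counter that went backwards means it was reset or wrapped; do not report a rate.
        if (rx < 0 || tx < 0) { print "counter-reset"; exit }
        printf "%d %d\n", rx * 8 / 1000 / $5, tx * 8 / 1000 / $5
    }'
}

# Live use on a Linux host: IFACE=eth0 sh this_script.sh
if [ -n "${IFACE:-}" ] && [ -r /proc/net/dev ]; then
    s0=$(cat /proc/net/dev); sleep 5; s1=$(cat /proc/net/dev)
    rate_kbits "$IFACE" "$s0" "$s1" 5
fi
```

These counters only say how much traffic crossed the interface, not which hosts caused it; that breakdown is what iftop provides.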
2 ) iftop
iftop listens to network traffic on a named interface, or on the first interface it can find which looks like an external interface if none is specified, and displays a table of
current bandwidth usage by pairs of hosts. iftop must be run with sufficient permissions to monitor all network traffic on the interface; see pcap(3) for more information, but on
most systems this means that it must be run as root.
By default, iftop will look up the hostnames associated with addresses it finds in packets. This can cause substantial traffic of itself, and may result in a confusing display.
You may wish to suppress display of DNS traffic by using filter code such as not port domain, or switch it off entirely, by using the -n option or by pressing R when the program
By default, iftop counts all IP packets that pass through the filter, and the direction of the packet is determined according to the direction the packet is moving across the
interface. Using the -F option it is possible to get iftop to show packets entering and leaving a given network. For example, iftop -F 10.0.0.0/255.0.0.0 will analyze packets
flowing in and out of the 10.* network
# yum install iftop
# iftop -i eth0
While iftop is running, you can press any one of the following keys to display more output.
S – display source port
D – display destination port
n – show IP instead of host name
1/2/3 – sort by the specified column
< – sort by source name
> – sort by dest name
P – pause display (otherwise it is updated often to show the current status)
j/k – scroll display
? – for help
To configure SMS alerts for Nagios, refer here: Nagios sms alert configuration
You can read more about iftop here: http://www.ex-parrot.com/~pdw/iftop/