vnstat records

Post by CwF » 2018-09-28 22:48

To anyone's knowledge, can any program/utility/hack/trojan or anything send or receive data that is NOT recorded by vnstat?

Back story:
I'm arguing with the provider about data usage. They were nice and gave me more data without addressing the question of who's using the data. That was yesterday; I had ~2 more gigs. In the early dawn today their records show I sucked it all up. Today my point was their timestamps show a transfer rate I never achieve with my little hotspot, 514MB in ten minutes. Nope... Anyway, my machines show totals and times that match their detailed billing except these multiple odd timed massive transfers. This morning was my 34MB versus their 2GB!
More, the hotspot does not log much useful info but DOES show the usage, and it has all been an UPLOAD.
So I basically ask them to prove it, provide me the mac that made the transfer, don't know if I'll get an answer.
Yes, I'm aware of how to keep someone from connecting. I'm asking if I am solid in my assertion my computer nest did not use the data? Is vnstat complete in its stats?
CwF
 
Posts: 132
Joined: 2018-06-20 15:16

Re: vnstat records

Post by Segfault » 2018-09-28 23:12

To anyone's knowledge, can any program/utility/hack/trojan or anything send or receive data that is NOT recorded by vnstat?


Yes.

When a rootkit is installed nothing in that box is trustworthy any more. Your tools may deceive you, even ps and top may not show the malicious process.
Segfault
 
Posts: 735
Joined: 2005-09-24 12:24

Re: vnstat records

Post by bw123 » 2018-09-28 23:16

I've been using vnstat a long time now, probably 3 yrs or so, it's pretty good. I would reckon, yeah it's possible to bypass it. Do you have any vulnerability? Have you installed any "program/utility/hack/trojan" pkgs?

More, the hotspot does not log much useful info but DOES show the usage, and it has all been an UPLOAD.


Yeah, I've never really understood whether tx applies to the data cap on my hotspot at all. I would probably suspect some cloud app or something (which I don't use) in a case like that... did you back up something to the internet? That's data, and it's transferred, so I would guess a cap would apply.

The weakness I have found in using vnstat is just what you're experiencing. I don't know how to aggregate all the machines, and the hotspot device is dumb as a rock.
bw123
 
Posts: 3416
Joined: 2011-05-09 06:02
Location: TN_USA

Re: vnstat records

Post by dilberts_left_nut » 2018-09-28 23:20

For it to capture everything, it must be running on the gateway device.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4887
Joined: 2009-10-05 07:54
Location: enzed

Re: vnstat records

Post by CwF » 2018-09-29 00:02

Thanks all.

The wifi is eth0 wired on the router all to one box. Extra boxes maybe temp from time to time, not now.
The BOX:
hypervisor, itself does no internet, no browser even installed, only upgrades are direct to this OS.
4-6 VMs have internet through the host. Each records its own traffic, and it sums well with the report from the hypervisor, so no discrepancy there.

A few months back there was a firmware update that wiped the settings, and I did not put it back as tight. I did now limit user count and whitelisted macs. It appears someone hooked up with a phone or something, sure the most likely answer. However I find it strange that as I've started to catch on and watching, up until yesterday there were only 5 suspect transfers over the course of a month. Then, when I'm given more data, it was sucked up that night? Suggests some knowledge there... But more unusual is the speed they claim I sucked it up = simply not possible. The tech had me do a transfer test while on the line and it did 2Gb/s for about 2 seconds, then fell off over a few seconds to zero. That's actually a realistic result being at 1 bar, that's an old and known issue. I can only say I've never seen 500MB in ten minutes, ever.
CwF
 
Posts: 132
Joined: 2018-06-20 15:16

Re: vnstat records

Post by dilberts_left_nut » 2018-09-29 00:23

Wut?
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4887
Joined: 2009-10-05 07:54
Location: enzed

Re: vnstat records

Post by CwF » 2018-09-29 17:15

I forgot I have another record to review, the wrt router. So the router answered my question, its month of use matches the hypervisor's vnstat. Only the hotspot shows the excess traffic, so it's not my machines.

If I didn't clarify, cell hotspot > wifi'd to the wrt router > wired to debian box.

I managed to catch some excess traffic on the 'alcatel' hotspot while it reported only one connection, the wrt. While watching the wrt router reporting nothing, as was my box. Of course the monitoring traffic itself was from a vm ip easy to filter out.

Something has the capability of logging into the hotspot unreported, no ip or host name - invisible. But it does log traffic.

While that is going on it slows my box to time out. Upon a reset of the hotspot, it shows no extra traffic and I'm 'fast' again...

As far as I can tell, the hypervisor's vnstat is seeing all traffic. So the question is unanswered, or no...
CwF
 
Posts: 132
Joined: 2018-06-20 15:16
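
The cross-check described in the post above, written out as an added example that is not part of any post in this thread: it compares a host's upload for one interval with the figure an upstream device reports and flags the gap. It assumes the host counters are read from /proc/net/dev (the kernel interface counters vnstat uses on Linux); both snapshots are constructed, and counters taken on a host that may be compromised show only what that host's kernel reports.

```python
# Added example: reconcile host interface counters with an upstream usage report.
# Both snapshots are constructed; eth0's TX counter is treated as a 32-bit value
# that wraps between samples (an assumption made to show the wrap case).
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104200    1200    0    0    0     0          0         0   104200    1200    0    0    0     0       0          0
  eth0: 912345678 700100    0    0    0     0          0         0 4294000000 310200    0    0    0     0       0          0
"""
SNAP_T1 = SNAP_T0.replace("912345678 700100", "915345678 702900").replace(
    "4294000000 310200", "33032704 334500")


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if sep and len(fields) >= 16:           # 8 receive + 8 transmit columns
            counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(prev, cur, bits=64):
    """Bytes counted between two samples, allowing one wrap of a bits-wide counter."""
    return (cur - prev) % (1 << bits)


def reconcile(before, after, iface, upstream_tx, seconds, bits=64, tolerance=0.10):
    """Compare host TX for an interval with what the upstream device reports."""
    tx0 = parse_proc_net_dev(before)[iface][1]
    tx1 = parse_proc_net_dev(after)[iface][1]
    host_tx = counter_delta(tx0, tx1, bits)
    unexplained = max(0, upstream_tx - host_tx)
    return {
        "host_tx": host_tx,
        "unexplained": unexplained,
        "flagged": unexplained > tolerance * upstream_tx,
        # Sustained rate the upstream figure implies, in Mbit/s
        "implied_mbit_s": upstream_tx * 8 / seconds / 1e6,
    }


if __name__ == "__main__":
    # 514 MB in ten minutes is the figure from the thread, taken as 514 * 10**6 bytes.
    print(reconcile(SNAP_T0, SNAP_T1, "eth0", 514_000_000, 600, bits=32))
```

A flagged interval says the upstream device counted traffic this interface never carried; it does not say which client sent it.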

Re: vnstat records

Post by CwF » 2018-10-02 03:47

Very interesting. Some higher level port stealing. I geared up the analysis. Now I have no bill and many gigs more and it was just too easy. Immediate offer to my explanation once I got to someone who knew what a MAC was. They know it's not my equipment. There's an issue out there in telecom world...
CwF
 
Posts: 132
Joined: 2018-06-20 15:16

