Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

vnstat records

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

vnstat records

#1 Post by CwF »

To anyone's knowledge can any program/utility/hack/trojan or anything send or receive data that is NOT recorded by vnstat.

Back story:
I'm arguing with the provider about data usage. They were nice and gave me more data without addressing the question of who's using the data. That was yesterday I had ~2 more gigs. In the early dawn today their recored show I sucked it all up. Today my point was their timestamps show a transfer rate I never achieve with my little hotspot, 514MB in ten minutes. Nope... Anyway, my machines show totals and times that match their detailed billing except these multiple odd timed massive transfers. This morning was my 34MB verses their 2GB!
More, the hotspot does not log much useful info but DOES show the usage, and it has all been an UPLOAD.
So I basically ask them to prove it, provide me the mac that made the transfer, don't know if I'll get an answer.
Yes, I'm aware of how to keep someone from connecting. I'm asking if I am solid in my assertion my computer nest did not use the data? Is vnstat complete in it's stats?

Segfault
Posts: 993
Joined: 2005-09-24 12:24
Has thanked: 5 times
Been thanked: 17 times

Re: vnstat records

#2 Post by Segfault »

To anyone's knowledge can any program/utility/hack/trojan or anything send or receive data that is NOT recorded by vnstat.
Yes.

When a rootkit is installed nothing in that box is trustworthy any more. Your tools may deceive you, even ps and top may not show the malicious process.

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: vnstat records

#3 Post by bw123 »

I've been using vnstat a long time now, probably 3 yrs or so, it's pretty good. I would reckon, yeah it's possible to bypass it. Do you have any vulnerability? Have you installed any "program/utility/hack/trojan" pkgs?
More, the hotspot does not log much useful info but DOES show the usage, and it has all been an UPLOAD.
yeah, I've never really understood whether tx applies to the data cap on my hotspot at all. I would probably supect some cloud app or something (which I don't use) in a case like that... did you back up something to the internet? That's data, and it's transfered, so I would guess a cap would apply.

The weakness I have found in using vnstat is just what you're experiencing. I don't know how to aggregate all the machines, and the hotpost device is dumb as a rock.
resigned by AI ChatGPT

User avatar
dilberts_left_nut
Administrator
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: vnstat records

#4 Post by dilberts_left_nut »

For it to capture everything, it must be running on the gateway device.
AdrianTM wrote:There's no hacker in my grandma...

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: vnstat records

#5 Post by CwF »

Thanks all.

The wifi is eth0 wired on the router all to one box. Extra boxes maybe temp from time to time, not now.
The BOX:
hypervisor, itself does no internet, no browser even installed, only upgrades are direct to this OS.
4-6 VM's have internet through the host. Each records its own traffic, and it sums well with the report from the hypervisor, so no discrepancy there.

A few months back there was a firmware update that wiped the settings, and I did not put it back as tight. I did now limit user count and whitelisted macs. It appears someone hooked up with a phone or something, sure the most likely answer. However I find it strange that as I've started to catch on and watching, up until yesterday there were only 5 suspect tranfers over the course of a month. Then, when I'm giving more data, it was sucked up that night? Suggest some knowledge there... But more unusual is the speed they claim I sucked it up = simply not possible. The tech had me do a transfer test while on the line and it did 2Gb/s for about 2 seconds, then fell off over a few seconds to zero. That's actually a realistic result being at 1 bar, that's an old and known issue. I can only say I've never seen 500MB in ten minutes, ever.

User avatar
dilberts_left_nut
Administrator
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: vnstat records

#6 Post by dilberts_left_nut »

Wut?
AdrianTM wrote:There's no hacker in my grandma...

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: vnstat records

#7 Post by CwF »

I forgot I have another record to review, the wrt router. So the router answered my question, it's month of use matches the hypervisors vnstat. Only the hotspot shows the excess traffic, so it's not my machines.

If I didn't clarify, cell hotspot > wifi'd to the wrt router > wired to debian box.

I managed to catch some excess traffic on the 'alcatel' hotspot while it reported only one connection, the wrt. While watching the wrt router reporting nothing, as was my box. Of course the monitoring traffic itself was from a vm ip easy to filter out.

Something has the capability of logging into the hotspot unreported, no ip or host name - invisible. But is does log traffic.

While that is going on it slows my box to time out. Upon a reset of the hotspot, it shows no extra traffic and I'm 'fast' again...

As far as I can tell, the hypervisors vnstat is seeing all traffic. So the question is unanswered, or no...

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: vnstat records

#8 Post by CwF »

Very interesting. Some higher level port stealing. I geared up the analysis. Now I have no bill and many gigs more and it was just to easy. Immediate offer to my explanation once I got to someone who knew what a MAC was. They know it's not my equipment. There's an issue out there in telecom world...

Post Reply