We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
391 views 6 comments
by anonymous

I am trying to figure out the source of high data usage coming from somewhere on the LAN and saturating the LTE bandwidth at one location.

RUTX11 on firmware 7.04.2 7.04.3

I notice that (see screenshot below) many connections are listed where both the SOURCE and DESTINATION are on the public internet. That doesn't seem possible or valid? What tool is being used to generate this data? Maybe it is being parsed incorrectly? Also, this list would be much better if it could be sorted and/or filtered.

Is there a way I can view this data directly from the console/CLI instead? I prefer that for many reasons. Or do I have to install darkstat? Some other package?

Thank you

by anonymous
Noting that the strange src/destination behavior is still happening on 7.04.3.

1 Answer

0 votes
by anonymous

Hello,

  

This menu utilizes a Linux utility called NetStat.

Via the CLI you can access this data by running the command netstat -l

Currently in v7.4.x there seems to be an issue with this menu window, where some of the data is displayed incorrectly. It is supposed to look like this:

The blurred addresses (except the one on the right) are the WAN address of the device in question. 

NetStat also has a few different arguments to differentiate the data source and the activity of the connection.

Let me know if any additional information is needed.

  

Best regards,
DaumantasG

by anonymous
Hello,

  

As mentioned, there are some issues with the current version. Could you try v7.5 of RutOS when it comes out and contact me if the issue persists?

  

Best regards,
DaumantasG
by anonymous
Sure, of course I will test 7.5. I still wonder where this data comes from (since obviously not netstat).
by anonymous

Hello,

  

The traffic is most likely coming from one of the LAN devices. To find out from which, you can run this command via the CLI:

cat /proc/net/nf_conntrack | grep <port_number>

This will show the LAN IP of the device where the traffic is originating from.

However, I noticed that this port is reported to be used by some Trojans (source), so I'd recommend performing a security scan on the device in question.

Let me know if you have any further questions.

  

Best regards,
DaumantasG
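
Added example (not part of the thread and not the parser linked further down): instead of grepping for a single port, this totals the conntrack table per originating host so the heaviest LAN device stands out. The function names and the sample lines are constructed for illustration; byte totals are only present when connection accounting (net.netfilter.nf_conntrack_acct=1) is enabled, which is assumed here and otherwise shows as 0.

```shell
#!/bin/sh
# Summarise conntrack entries per originating host: "<src> <connections> <bytes>".
# With no argument it reads stdin; on the router: conntrack_top /proc/net/nf_conntrack
conntrack_top() {
    awk '
    {
        src = ""; bytes = 0
        for (i = 1; i <= NF; i++) {
            # The first src= is the original direction (the host that opened
            # the flow). The second src= belongs to the reply tuple, whose
            # dst= is the router WAN address once NAT has been applied.
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            # bytes= appears once per direction when accounting is enabled.
            else if ($i ~ /^bytes=/) bytes += substr($i, 7)
        }
        if (src == "") next          # skip lines without a tuple
        conns[src]++
        total[src] += bytes
    }
    END {
        for (s in conns) printf "%s %d %.0f\n", s, conns[s], total[s]
    }' "$@" | sort -k3,3nr -k2,2nr   # heaviest first, then most connections
}

# Constructed sample in /proc/net/nf_conntrack format (documentation addresses;
# 192.0.2.7 stands in for the WAN address). UDP lines have no state field and
# may carry [UNREPLIED] between the two tuples.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 7439 ESTABLISHED src=192.168.1.101 dst=203.0.113.10 sport=51234 dport=443 packets=120 bytes=15000 src=203.0.113.10 dst=192.0.2.7 sport=443 dport=51234 packets=200 bytes=250000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 7301 ESTABLISHED src=192.168.1.101 dst=203.0.113.20 sport=51240 dport=443 packets=10 bytes=1000 src=203.0.113.20 dst=192.0.2.7 sport=443 dport=51240 packets=12 bytes=4000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.50 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=80 src=198.51.100.53 dst=192.0.2.7 sport=53 dport=40000 packets=1 bytes=160 mark=0 zone=0 use=2
ipv4     2 tcp      6 7440 ESTABLISHED src=192.168.1.77 dst=203.0.113.30 sport=49152 dport=8080 packets=900 bytes=900000 src=203.0.113.30 dst=192.0.2.7 sport=8080 dport=49152 packets=300 bytes=100000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 10 src=192.168.1.50 dst=203.0.113.99 sport=40001 dport=123 packets=1 bytes=76 [UNREPLIED] src=203.0.113.99 dst=192.0.2.7 sport=123 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=2
EOF
}

# Demo on the constructed sample.
sample_conntrack | conntrack_top
```

The counters are per tracked flow and disappear when the entry expires, so the totals reflect currently tracked connections rather than historical usage.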

by anonymous

The output in LuCI made no sense to me, obviously broken. So I wrote my own parser in awk (thank you for the tip about nf_conntrack).

Maybe this will be useful for others...

https://github.com/luckman212/rut-conntrack-parser

by anonymous
This is awesome! Great alternative until the fix is released for the original firmware.

Thank you!

  

Best regards,
DaumantasG