So every day at 10:30-10:35am we're reporting our full bandwidth usage up to 10Mb/s. I ran tcpdump and captured all of the traffic from 9:59-10:36am (complete packets).
Looking at the traffic in Wireshark, I found the most common IP address at this time.
I made a packet rule to:
any > any > badIP = drop
and
badIP > any > any = drop.
Both set to log traffic.
I'm still getting usage spikes. Going to run another tcpdump today to figure out if it's the same IP, but I'm not finding that IP in any packet filter logs. Did I do something wrong? I would assume that by setting it to "log traffic" I would see the violations in the packet filter logs.
Thanks for any help.
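The two checks the post leans on (which host dominates the capture, and whether the drop rules for that host would actually match anything in it) can be done directly against the pcap. The script below is an added example, not code from the original post or from any firewall product: it parses a classic pcap file with only the standard library, totals bytes per IPv4 host and per (source, destination) pair, and counts how many packets a pair of rules like "any > any > badIP = drop" and "badIP > any > any = drop" would have matched. All addresses, MAC addresses and packet sizes in the sample capture are constructed (documentation ranges), and the `SAMPLE_PCAP` is built in memory rather than read from disk.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address


def _ipv4_udp_frame(src, dst, payload_len):
    """Build one Ethernet/IPv4/UDP frame with a zero-filled payload (constructed test data)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"  # EtherType IPv4
    udp_len = 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + b"\x00" * payload_len
    return eth + ip + udp


def build_sample_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap (link type 1), one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ts = 1700000000  # constructed base timestamp
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (ts_sec, original_length, frame_bytes) for each record in a classic pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are supported")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, orig_len, pcap[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))


def top_talkers(pcap, n=5):
    """Bytes on the wire per host (src or dst) and per (src, dst) pair, largest first."""
    by_host, by_pair = Counter(), Counter()
    for _, orig_len, frame in iter_packets(pcap):
        ep = ipv4_endpoints(frame)
        if ep is None:
            continue
        src, dst = ep
        by_host[src] += orig_len
        by_host[dst] += orig_len
        by_pair[(src, dst)] += orig_len
    return by_host.most_common(n), by_pair.most_common(n)


def packets_matching_block(pcap, bad_ip):
    """How many captured packets a pair of drop rules (any -> bad_ip, bad_ip -> any) would match.

    Zero here means the blocked host is not in the capture at all, so the rules
    cannot be what is missing from the packet filter log."""
    return sum(1 for _, _, frame in iter_packets(pcap)
               if (ep := ipv4_endpoints(frame)) is not None and bad_ip in ep)


# Constructed capture: one local host (10.0.0.5) talking to three documentation-range hosts.
SAMPLE_PCAP = build_sample_pcap([
    _ipv4_udp_frame("10.0.0.5", "203.0.113.7", 1000),
    _ipv4_udp_frame("10.0.0.5", "203.0.113.7", 1000),
    _ipv4_udp_frame("10.0.0.5", "203.0.113.7", 1000),
    _ipv4_udp_frame("203.0.113.7", "10.0.0.5", 100),
    _ipv4_udp_frame("10.0.0.5", "198.51.100.9", 50),
    _ipv4_udp_frame("10.0.0.5", "198.51.100.9", 50),
    _ipv4_udp_frame("192.0.2.44", "10.0.0.5", 1400),
])

if __name__ == "__main__":
    hosts, pairs = top_talkers(SAMPLE_PCAP)
    for host, nbytes in hosts:
        print(f"{host:>16}  {nbytes} bytes")
    for (src, dst), nbytes in pairs:
        print(f"{src:>16} -> {dst:<16} {nbytes} bytes")
    print("packets the block rules for 203.0.113.7 would match:",
          packets_matching_block(SAMPLE_PCAP, "203.0.113.7"))
```

To use it on a real capture, replace `SAMPLE_PCAP` with the contents of the file written by tcpdump (`open("capture.pcap", "rb").read()`); tcpdump's default output is the classic pcap format this parser reads. The local host will normally sit at the top of the per-host list because it appears in every packet, which is why the per-pair view is the one that points at the remote address worth investigating. Comparing `packets_matching_block` against the filter's log for the same window is the quickest way to tell whether the rules never matched because that host was absent, or matched but were not logged.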