Spikes in traffic every 6 hours - how do I log them?

My server is seeing regular spikes in traffic every 6 hours.

![](http://i.imgur.com/twMiY.png)

This has been going on for some months now, regular as clockwork -

![](http://i.imgur.com/vkESm.png)

I'm trying to find out what it is, but there is nothing in the website logs (apache).

It's not a cron job (not one of mine anyway)

How can I log this network traffic?

Thanks

William

7 Replies

I wouldn't exactly call that a spike; it looks like a lot due to the scale on the graph, but it's still very low. However, to log it, ntop is a nice tool: it logs traffic in/out and where it's coming from/going to.

Thanks. Couldn't get much detail from ntop, but added some logging in the iptables and found a whole bunch of traffic from a couple of Canonical servers. Obviously some Ubuntu updates or something happening every 6 hours…

It's not package updates; the spikes wouldn't be so uniform in height. I would look into it further.

Do you have cron apt installed? That would check the repos for updates, and if some are available and it downloaded them, that would explain the peaks.

@cwt99:

> Thanks. Couldn't get much detail from ntop, but added some logging in the iptables and found a whole bunch of traffic from a couple of Canonical servers. Obviously some Ubuntu updates or something happening every 6 hours…

It's probably doing the equivalent of "apt-get update" to refresh the repo data.

@obs:

> Do you have cron apt installed? That would check the repos for updates, and if some are available and it downloaded them, that would explain the peaks.

@chesty:

> It's not package updates; the spikes wouldn't be so uniform in height. I would look into it further.

@sweh:

> It's probably doing the equivalent of "apt-get update" to refresh the repo data.

Thanks for the pointers. Yes, the traffic is coming from 91.189.91.28 and 91.189.92.181, which are the Ubuntu repos. And the files in /var/lib/apt/lists were updated at around the same time as the traffic (actually a few minutes earlier).

There is a cron.daily job for apt, but I haven't figured out why it would be happening every 6 hours. I haven't set any periodic options in /etc/apt/apt.conf.d.

It might be update-motd; it updates apt to show you the packages updated in the motd.
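The approach described in the thread (log packets with iptables, then see which sources account for the traffic), as an added example that is not part of any poster's reply: it sums logged packet lengths per source and hour and reports sources whose busy hours are evenly spaced. The `TRAFFIC: ` log prefix, the abbreviated sample lines, the addresses 198.51.100.7 and 192.0.2.10, and the year used for parsing are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, abbreviated sample in the kernel's iptables LOG format. The "TRAFFIC: "
# prefix is an assumption (e.g. iptables -I INPUT -j LOG --log-prefix "TRAFFIC: ").
SAMPLE_LOG = """\
Mar  3 00:02:11 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.91.28 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40112
Mar  3 00:02:12 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.92.181 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40113
Mar  3 03:17:40 web kernel: TRAFFIC: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1400 PROTO=TCP SPT=51000 DPT=80
Mar  3 04:05:09 web kernel: TRAFFIC: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1400 PROTO=TCP SPT=51001 DPT=80
Mar  3 06:02:10 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.91.28 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40220
Mar  3 06:02:13 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.92.181 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40221
Mar  3 12:02:09 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.91.28 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40330
Mar  3 12:02:14 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.92.181 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40331
Mar  3 13:44:00 web kernel: TRAFFIC: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1400 PROTO=TCP SPT=51002 DPT=80
Mar  3 18:02:11 web kernel: TRAFFIC: IN=eth0 OUT= SRC=91.189.91.28 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=80 DPT=40440
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?TRAFFIC: .*?\bSRC=(\S+) .*?\bLEN=(\d+)")

def bytes_per_source_hour(log_text, year=2001):
    """Sum IP packet lengths per (source, hour). Syslog has no year, so one is assumed."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of our LOG lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        totals[(m.group(2), ts.replace(minute=0, second=0))] += int(m.group(3))
    return totals

def periodic_sources(totals, min_bytes=1000, min_hits=3):
    """Return {source: gap_in_hours} for sources whose busy hours are evenly spaced."""
    busy = defaultdict(list)
    for (src, hour), nbytes in totals.items():
        if nbytes >= min_bytes:
            busy[src].append(hour)
    found = {}
    for src, hours in busy.items():
        hours.sort()
        gaps = {(b - a).total_seconds() / 3600 for a, b in zip(hours, hours[1:])}
        if len(hours) >= min_hits and len(gaps) == 1:
            found[src] = gaps.pop()
    return found

if __name__ == "__main__":
    print(periodic_sources(bytes_per_source_hour(SAMPLE_LOG)))
```

On a real host the input would be the kernel log lines carrying the chosen prefix, and the per-hour totals can be compared against the timestamps of files under /var/lib/apt/lists.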
