I would suggest using something like 'iftop'. You can also see what type of traffic it is using tcpdump.

'tcpdump -i eth0 -c 1000 not port 22'

Usually, when you see this type of traffic and CPU spike it's an indication that your system is compromised and being used for nefarious purposes. I'm not saying that it's definitely the case…but probable.

Would you pastebin the output of tcpdump?

-Tim

Hi,

I am continuously monitoring through iftop command in my working hours, but traffic outbound traffic is high at midnight that's why i can not found what happen on server.

I have created shell script last night and run through cron every 15 min. if traffic goes high above 1 mbps it will notify me and run tcpdump command and store o/p in one file.

Right now traffic is normal so i can not find out problem.

Below is my script.

!/bin/bash

warn=vnstat -tr | grep Mbit | tr -s ' ' '|' | cut -d "|" -f3 | head -n 1 | cut -d "." -f1

if [ $warn > 1 ]

then

tcpdump -w /root/script/tc.pcap -c 20 -n -tttt -i eth0 port 80

tcpdump -c 20 -n -tttt -i eth0 port 80 >> /root/script/tc

else

echo " " >/dev/null 2>&1

fi

Thanks,

Bhavin

Hi Tim,

Here is my tcpdump output

http://privatepaste.com/5123a22f07