On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wil...@gmail.com> wrote:
> On 5 January 2011 10:47, Jerry Bell <je...@nrdx.com> wrote:
>
>> There could be reasons you
>> aren't seeing a spike, such as you're only looking at traffic processed by
>> the MTA, or it simply doesn't show as a material increase on a graph of
>> traffic on the network interface if the server is busy.
>
> Those are good points and to go a little further regarding looking at
> traffic...
>
> To really see what your machine is doing, consider taking a look at
> the network flows. pfflowd, netflowd, ipaudit and a host of others can
> get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.
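Added example, not part of the thread or of any of the tools named above: a small Python script that turns tcpdump output from a separate capture box into per-flow packet and byte counts, which is the kind of view pfflowd/netflowd give you without the overhead of a full packet capture. The tcpdump lines, the suspect host address 192.0.2.10, the interface em1 and the script name are all constructed for the example; on a real monitor host you would feed it with something like `tcpdump -nn -i em1 -l host 192.0.2.10 | python3 flows.py`. The fan-out check at the end is an illustration of what a spammed-from MTA tends to look like in flow data (one host opening connections to many distinct destinations on port 25), not a rule the thread states.

```python
"""Aggregate tcpdump -nn output into flows and flag SMTP fan-out.

Example code written for this thread; it is not pfflowd, netflowd or
ipaudit. Runs offline on the embedded sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of tcpdump -nn output as seen on a separate capture
# box. 192.0.2.10 is the hypothetical suspect mail server; all other
# addresses are documentation ranges. Not real traffic.
SAMPLE = """\
10:47:01.000100 IP 192.0.2.10.51001 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
10:47:01.000200 IP 192.0.2.10.51002 > 198.51.100.26.25: Flags [S], seq 1, win 65535, length 0
10:47:01.000300 IP 192.0.2.10.51003 > 198.51.100.27.25: Flags [S], seq 1, win 65535, length 0
10:47:01.000400 IP 192.0.2.10.51004 > 198.51.100.28.25: Flags [S], seq 1, win 65535, length 0
10:47:01.000500 IP 203.0.113.7.40000 > 192.0.2.10.25: Flags [P.], seq 1:513, ack 1, win 1024, length 512
10:47:01.000600 IP 192.0.2.10.25 > 203.0.113.7.40000: Flags [.], ack 513, win 1024, length 0
10:47:02.000100 IP 192.0.2.10.51005 > 198.51.100.29.25: Flags [S], seq 1, win 65535, length 0
10:47:02.000200 IP 192.0.2.10.51006 > 203.0.113.99.6667: Flags [P.], seq 1:41, ack 1, win 1024, length 40
"""

# IPv4 line from tcpdump -nn: timestamp, "IP", src.sport > dst.dport:, ...,
# "length N" (N is the TCP/UDP payload length tcpdump reports).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*\blength (?P<len>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport, payload_len) or None for lines we don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["len"])


def aggregate(lines):
    """Collapse packets into flows keyed by (src, dst, dport).

    Source port is deliberately dropped: for spotting a busy talker we want
    all of a host's connections to one service summed together.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, plen = rec
        f = flows[(src, dst, dport)]
        f["packets"] += 1
        f["bytes"] += plen
    return dict(flows)


def fan_out(flows, host, dport):
    """Number of distinct destinations `host` talked to on `dport`."""
    return len({dst for (src, dst, port) in flows if src == host and port == dport})


def top_talkers(flows, n=5):
    """Flows sorted by packet count, most active first."""
    return sorted(flows.items(), key=lambda kv: kv[1]["packets"], reverse=True)[:n]


def report(lines, host, threshold=4):
    flows = aggregate(lines)
    for (src, dst, dport), f in top_talkers(flows):
        print(f"{src:>15} -> {dst:>15}:{dport:<5} pkts={f['packets']:<4} bytes={f['bytes']}")
    n = fan_out(flows, host, 25)
    # Threshold is an illustrative number, not a tuned detection rule.
    if n >= threshold:
        print(f"NOTE: {host} opened SMTP to {n} distinct hosts in this window")
    return flows


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    report(src, "192.0.2.10")
```

The point of dropping the source port in the flow key is that an outbound spam run shows up as one source hitting many destinations on port 25, which is exactly the shape a per-interface byte graph hides when the box is already busy with legitimate mail.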
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions