
How can I tell what traffic is hammering WAN but not appearing on LAN

I am receiving a huge amount of traffic on my WAN port, but it isn't showing up on any of the LAN ports. The main LAN port is Port 1, and the WAN port is Port2:

I'm using drop-packet-capture and don't see much there. I'm using iftop from Advanced Shell and don't see much there. The brief drop around 12:55 is when I disconnected the modem from the WAN port (Port2). I've done a tcpdump (Advanced shell) for traffic not meant for the WAN public IP and only see a handful of BGP traffic. Logs (Firewall, Web filter, etc) don't show anything much. Nothing much in live connections. Nothing much if I jump on the most-heavily-used machines and check their network traffic displays.

I do have a 6in4 tunnel, but that's not getting much traffic. (And I'm not sure how/if I could shut it off from my end. Does deleting the tunnel stop the other end from trying to send, or does it just stop my end?)

So this is a mystery to me. A week ago, the ISP had an issue where another customer was spewing data onto their network and I was able to see this in drop-packet-capture, but perhaps only because the other customer's router's internal IP address was the same as mine, so Sophos was rejecting the traffic for spoofing. I'd like to be able to say where this traffic is coming from and avoid the ISP's (semi-legitimate) "we can't help you debug your BYOD router since you're not using our router". But I can't prove that this traffic isn't some kind of crazy download from my network directly. (I can only see that there's a ton of traffic on Port2 that doesn't then show up on other Ports to actually get somewhere.)

Update: The flow dropped off at 2:20, and I calculate about 120GB of data I can't account for was "received" by Port2 (WAN). I've discovered the bwmon command which might've been helpful, and also ethtool and ip. (The latter is how I confirmed the 120GB number.)
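The accounting the poster did by hand (WAN bytes received versus bytes that actually left on the LAN ports) can be scripted from the kernel's per-interface counters. The script below is an added example, not code from the thread or from Sophos: it parses two snapshots of `/proc/net/dev` (the same counters `ip -s link` prints) and reports how many WAN-received bytes are not matched by LAN-side transmits over the interval. The interface names Port1/Port2 follow the poster's layout; the Port3 interface, the snapshot file names and every byte value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): quantify WAN receive bytes that never
# left via the LAN-side interfaces between two /proc/net/dev snapshots.
# Interface names and all numbers here are assumptions for illustration.

# Print "rx_bytes tx_bytes" for interface $2 from the /proc/net/dev snapshot $1.
# Columns: name: rx_bytes rx_pkts ... (8 receive fields) tx_bytes ... (8 transmit fields)
iface_bytes() {
    awk -v want="$2" '
        { line = $0; sub(/:/, " ", line); n = split(line, f) }   # "Port2: 123 ..." -> name, fields
        n >= 10 && f[1] == want { print f[2], f[10]; exit }
    ' "$1"
}

# Bytes received on WAN interface $3 between snapshot $1 and snapshot $2,
# minus bytes transmitted on the LAN interfaces $4..., as one number.
# Arithmetic is done in awk so 100GB-scale counters do not overflow shell ints.
unaccounted_wan_rx() {
    before=$1; after=$2; wan=$3
    shift 3
    rx0=$(iface_bytes "$before" "$wan" | awk '{print $1}')
    rx1=$(iface_bytes "$after"  "$wan" | awk '{print $1}')
    lan_tx=0
    for lan in "$@"; do
        tx0=$(iface_bytes "$before" "$lan" | awk '{print $2}')
        tx1=$(iface_bytes "$after"  "$lan" | awk '{print $2}')
        lan_tx=$(awk -v a="$lan_tx" -v b="$tx0" -v c="$tx1" 'BEGIN { print a + (c - b) }')
    done
    awk -v r0="$rx0" -v r1="$rx1" -v t="$lan_tx" 'BEGIN { printf "%.0f\n", (r1 - r0) - t }'
}

# Write two constructed /proc/net/dev snapshots into directory $1. In real use
# you would instead run `cat /proc/net/dev > before` and later `> after`.
make_sample_snapshots() {
    cat > "$1/before" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 100 2 0 0 0 0 0 0 100 2 0 0 0 0 0 0
 Port1: 300000000 1000 0 0 0 0 0 0 400000000 1000 0 0 0 0 0 0
 Port2: 1000000000 2000 0 0 0 0 0 0 50000000 500 0 0 0 0 0 0
 Port3: 50000000 100 0 0 0 0 0 0 100000000 100 0 0 0 0 0 0
EOF
    cat > "$1/after" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 100 2 0 0 0 0 0 0 100 2 0 0 0 0 0 0
 Port1: 800000000 2000 0 0 0 0 0 0 900000000 2000 0 0 0 0 0 0
 Port2: 121000000000 90000000 0 0 0 0 0 0 60000000 600 0 0 0 0 0 0
 Port3: 60000000 150 0 0 0 0 0 0 200000000 200 0 0 0 0 0 0
EOF
}

# Stand-alone demo over the constructed snapshots.
demo_dir=$(mktemp -d)
make_sample_snapshots "$demo_dir"
echo "WAN (Port2) rx bytes not matched by LAN tx: $(unaccounted_wan_rx "$demo_dir/before" "$demo_dir/after" Port2 Port1 Port3)"
rm -rf "$demo_dir"
```

A large positive result means the WAN port received far more than the firewall forwarded anywhere, which is consistent with traffic that is dropped or never routed; a result near zero means the bytes did go out a LAN port. On the live box the two snapshots are simply `cat /proc/net/dev` taken before and after the spike, and `tcpdump -ni Port2 'not host <public-ip>'` (the check the poster already ran) narrows down what the unmatched bytes are addressed to.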



  • When it happens again, do a Packet Capture from Diagnostics, but don't specify a BPF string. Then apply a Display Filter of "Interface name" :: "Port2" and see what type of traffic it is and what NAT or FW Rule is being hit.

    Secondly, are all your Firewall rules set to "Log Firewall Traffic"? Reset the data counters on them and see which one shoots up during these sessions.

    I would also suggest you ensure that Web Filtering, SSL/TLS Inspection, 0-Day protection and an Application Control rule are applied, as these provide massive amounts of context to issues like this and act as prevention for abuse of your system.