
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

10 votes
1 answers
10087 views
Accounting for /proc/net/dev reported traffic
I noticed that according to /proc/net/dev I am constantly receiving around 6Kb/s on my wireless usb interface. But I can't account for anything even close to that with the individual connections that I get with iptraf, iftop, and nethogs. Investigations with netstat, lsof, and tcpdump didn't help either.

So, what else could contribute to /proc/net/dev values? I can speculate that, while only IP based traffic is reported by the applications I mentioned, /proc/net/dev probably accounts for other link-layer/internet-layer stuff too (arp? icmp? wireless management stuff?). Or maybe other transport/application protocols. Can anyone confirm this?

How else would you proceed to find out: through what sockets are the 6Kb/s coming through? What processes are receiving the traffic?

---

[EDIT] The 2 consistent results across all the tools:

1. the totals of Rx are around a few Kb/s - confirmed with /proc/net/dev, dstat, bwm-ng, cbm, iptraf, ifstat, gnome-system-monitor
2. no connection/packet stream justifies that - confirmed with netstat, tcpdump, iftop, nethogs, iptraf

All of this with a Netgear WDNA 4100 wireless usb adapter using a custom driver from some git (the only way I got it to work). I asked the devs about it [here](https://github.com/ashaffer/rt3573sta/issues/9). This might be malware, but I suspect the driver is simply reporting wrong totals. Nevertheless, I cannot explain what's going on for sure.
ricab (732 rep)
Feb 12, 2014, 12:12 AM • Last activity: Jun 12, 2025, 02:03 AM
0 votes
1 answers
94 views
route traffic to 127.0.0.1
My scenario: I have two machines:

1. 192.168.1.1
2. 192.168.1.2

Machine 2 has an ssh server and I created a tunnel on machine 1 such as:

```
ssh -CfND 7777 mohsen@192.168.1.2 -4
```

I ran the above command on machine 1. It works fine. I tested via `firefox`.

Now I want to send any traffic to 127.0.0.1:7777. Not one application, all of my traffic. Then my tunnel sends my packets to 192.168.1.1.

My algorithm is:

```
IF DST PORT IS NOT 7777 THEN
    ROUTE MY TRAFFIC TO 127.0.0.1:7777
ELSE
    DO NOT ROUTE TO 127.0.0.1:7777
```

I used the following rule, but it didn't work:

```
iptables -t nat -A PREROUTING -i enp0s31f6 -p udp ! --dport 7777 -j REDIRECT --to-ports 7777
```

How can I implement it?
PersianGulf (11308 rep)
Apr 15, 2025, 03:47 AM • Last activity: Apr 15, 2025, 01:16 PM
3 votes
4 answers
8114 views
iptables: How to allow only SSH and VPN traffic?
I have a dedicated server with Ubuntu 14.10 installed. The server should connect to an OpenVPN server and the traffic should only go through the VPN, except for SSH traffic. My idea is to implement this with `iptables`, but I am not a specialist. What exactly should be handled with `iptables`?

Supposing below are the basic conditions:

1. Allow only traffic through VPN. When my server loses connection to the VPN, there should be no traffic leak.
2. Allow SSH without VPN. I want to connect to my server with SSH and its normal IP from the server provider (but only SSH traffic).
3. Since I am not the only user of the VPN, I want to hide my server in the VPN from other computers.

I started to create my `iptables` rules but it always blocks all my connections:

```
# flush old rules
iptables -F

# accept SSH traffic with non vpn connection
iptables -A INPUT -d X.X.X.X -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s X.X.X.X -p tcp --sport 22 -j ACCEPT

# block everything except my rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow vpn
iptables -A INPUT -j ACCEPT -p udp -s Y.Y.Y.Y --sport 1194
iptables -A OUTPUT -j ACCEPT -p udp -d Y.Y.Y.Y --dport 1194
```

X.X.X.X is the server IP from the provider. Y.Y.Y.Y is the IP of the VPN server.

The rules always kick me out of my current SSH connection and I can't create new SSH connection, although it should accept traffic through the port 22.
raxer (41 rep)
Mar 6, 2015, 08:50 AM • Last activity: Apr 5, 2025, 12:08 PM
0 votes
1 answers
77 views
Can I use netcat to read data from a serial port?
We routinely use netcat (nc) to read data from UDP ports. For example:
```lang-shellsession
user@host ~$ nc -luv 57303
Listening on [0.0.0.0] (family 0, port 57303)
NAV 2024/12/05 12:09:56.326365 DPS112 $GPZDA,121003.35,05,12,2024,,*63NAV 2024/12/05 12:09:56.422294 DPS112 $GPGGA,121003.00,3251.764736,N,07957.683827,W,2,12,0.8,21.38,M,-32.34,M,11.0,1007*72NAV 2024/12/05 12:09:56.470322 DPS112 $GPGLL,3251.764736,N,07957.683827,W,121003.00,A,D*71NAV 2024/12/05 12:09:56.518252 DPS112 $GPVTG,292.37,T,,M,0.0,N,0.0,K,A*30NAV 2024/12/05 12:09:57.302279 DPS112 $GPZDA,121004.33,05,12,2024,,*62NAV 2024/12/05 12:09:57.398194 DPS112 $GPGGA,121004.00,3251.764735,N,07957.683825,W,2,12,0.8,21.38,M,-32.34,M,12.0,1007*77NAV 2024/12/05 12:09:57.446220 DPS112 $GPGLL,3251.764735,N,07957.683825,W,121004.00,A,D*77NAV 2024/12/05 12:09:57.478284 DPS112 $GPVTG,63.00,T,,M,0.0,N,0.0,K,A*08NAV 2024/12/05 12:09:58.310157 DPS112 $GPZDA,121005.33,05,12,2024,,*63NAV 2024/12/05 12:09:58.390253 DPS112 $GPGGA,121005.00,3251.764738,N,07957.683824,W,2,12,0.8,21.37,M,-32.34,M,13.0,1007*74^C
```
Is it possible to do the same with a serial port, e.g. /dev/ttyUSB0? So far I haven't seen the appropriate options to do this, ending up with errors like this one:
```lang-shellsession
user@host:~/tmp$ nc -lv 127.0.0.1:/dev/ttyUSB0
nc: getaddrinfo: Servname not supported for ai_socktype
user@host:~/tmp$ nc -lv 127.0.0.1:ttyUSB0
nc: getaddrinfo: Servname not supported for ai_socktype
```
This is on an Ubuntu installation.
PAUL MENA (9 rep)
Dec 5, 2024, 02:20 PM • Last activity: Dec 5, 2024, 02:52 PM
0 votes
0 answers
94 views
Forward traffic from docker to host
I have a docker acting as VPN server in a host. Then, the traffic passes through the eth0 of the host from a VPN client, then encrypted traffic, and finally arrives to the tun0 in the docker. What I want is to forward the decrypted traffic to the host again. How could I do it?

Traffic flow:

> VPN client
> --encrypt(traffic)--eth0(host)--encrypt(traffic)--tun0(docker)--traffic--interface(host)
Nfernandez (101 rep)
Oct 31, 2024, 01:47 PM
1 votes
1 answers
64 views
QoS on Linux: tc doesn't see RTP traffic
I have a camera that creates RTSP traffic. I connected it to a Linux PC via Ethernet, configured the network and access. But when I tried to apply QoS rules, the tc statistics showed that too few bytes were sent. After some research, I found that HTTP, SSH and RTSP (connection) traffic from the camera was displayed correctly in the statistics. However, tc seems to work differently with RTP traffic. Video in VLC was playing, nft and tcpdump showed traffic. I tried using Debian 12, Ubuntu 24.04, Manjaro - it still didn't work. Imitating RTP with FFMPEG also did not bring success. This seems really weird and I didn't know what could cause the problem or what else to try.
eXulW0lf (21 rep)
Sep 29, 2024, 06:49 PM • Last activity: Oct 10, 2024, 01:38 PM
5 votes
1 answers
526 views
why `tcpdump -i any` can't capture unicast traffic in br0 whilst `tcpdump -i br0` can?
I am unable to capture **unicast** traffic on the br0 (**linux bridge**) interface using the command `tcpdump -nni any -vvv`. Broadcast traffic, however, is captured as expected. Interestingly, unicast traffic is captured if I open another terminal and run `tcpdump -nni br0 -vvv` to capture traffic specifically on the br0 interface simultaneously.

I've noticed that this behavior is present with tcpdump version *4.9.3* (libpcap version 1.8.1), where the `tcpdump -nni any -vvv` command does not capture br0 unicast traffic. However, using tcpdump version *4.99.5* (*libpcap version 1.10.5 with TPACKET_V3*) works correctly and captures the unicast traffic on br0.

I know that br0 gets all the traffic which flows into the linux bridge device, see also Anatomy of a Linux bridge.

> In cases where the destination MAC address of the incoming frame is multi- or broadcast, the bridge device is set to receive all traffic, or the address is matches one of the local interfaces, a clone of the frame is also delivered upwards in the local network stack by calling the br_pass_frame_up function. The function updates the bridge device statistics, and passes the incoming frame up the network stack by calling the device independent netif_receive_skb function

I suspect that what I'm seeing may be related to the version of tcpdump or its parameters, but I can't confirm this. Could you help explain the reason for this behaviour?
VictorLee (37 rep)
Sep 27, 2024, 09:20 PM • Last activity: Sep 28, 2024, 03:33 PM
1 votes
0 answers
69 views
Idle Ubuntu Server with only standard system services running produce 2-6 GB incoming traffic per day
I recently set up a new server with Ubuntu 22.04. No web server, no FTP server, no mail server; just a freshly installed Ubuntu Server where I did not much except installing some extras like `nethogs` and `btop`.

Since about two weeks ago I've noticed that for some reason every day there is incoming traffic of 2-6 GB. I don't know what produces that much traffic, as the only thing which could create some incoming traffic should be unattended updates, but that many updates per day sounds strange to me.

So I installed nethogs and I can see very strange connections to random IPs. There are no connection attempts (at least no successful ones), I installed fail2ban, I disabled ssh root login, I changed ssh port). nethogs shows this:

```
    PID USER     PROGRAM                                  DEV         SENT      RECEIVED
 33870 myuser   sshd: myuser@pts/2                       eno1        0.148       0.059 KB/sec
     ? root     SERVERIP:2096-65.49.20.118:50513                     0.011       0.012 KB/sec
     ? root     SERVERIP:82-185.224.128.43:57350                     0.000       0.000 KB/sec
     ? root     SERVERIP:51580-162.216.149.14:57199                  0.000       0.000 KB/sec
     ? root     SERVERIP:33126-162.142.125.134:15363                 0.000       0.000 KB/sec
     ? root     unknown TCP                                          0.000       0.000 KB/sec
```

Examining the IP addresses shows this:

```
for ip in 65.49.20.118 185.224.128.43 162.216.149.14 162.142.125.134; do printf '%s\t%s\n' "$ip" "$(dig +short -x "$ip" | xargs)"; done

65.49.20.118    118.64-26.20.49.65.in-addr.arpa. scan-17m.shadowserver.org.
185.224.128.43
162.216.149.14  14.149.216.162.bc.googleusercontent.com.
162.142.125.134 scanner-01.ch1.censys-scanner.com.
```
Luke (21 rep)
Jun 6, 2024, 09:48 AM • Last activity: Jun 7, 2024, 07:19 AM
0 votes
1 answers
167 views
How to deterministically vary the delay in programs like netem?
I am trying to set up a network scenario in which there is a variable delay between two nodes. Netem allows setting up a fixed delay and adding a jitter according to some probabilistic distribution. However, I would like to achieve a delay that varies according to a similar law:

[image]

Is there a way to get this using netem or similar software?
rul_h (1 rep)
Oct 9, 2022, 11:44 AM • Last activity: Mar 27, 2024, 05:57 PM
2 votes
2 answers
266 views
Limit outgoing traffic per month
I am looking at a virtual server tariff that has limited outgoing traffic for a month, with billing if the traffic is exceeded. I would like to track the outgoing traffic automatically somehow, so that I can automatically stop the service if the limit is being approached. What tool can I use for this in Linux? Thanks!
Mikhail Ramendik (538 rep)
Sep 29, 2023, 12:51 PM • Last activity: Sep 29, 2023, 09:03 PM
2 votes
1 answers
1370 views
Routing response packets from IP/32 based on incoming interface incoming NIC
I have a RHEL 8.7 machine with 2 NICs in different subnets. Let's say `eth1-IP:10.10.10.4/24 ,gateway:10.10.10.1`. This gateway is also the default gateway for this vm, and a second NIC: `eth2, IP:10.10.20.2 , gateway:10.10.20.254`.

**Situation**: This machine already has multiple static routes configured, and my guess is, present in the main routing table, routes I don't want to somehow break. There is a specific IP (10.10.30.33) that needs to connect via ssh (icmp also is allowed, and used for testing) on both NICs. As I have the default gateway on eth1, this IP, which is in a different subnet entirely, can connect to the eth1 IP 10.10.10.4 but not to eth2 10.10.20.2 without any modification. When I set up a static route to switch response packets to go through the eth2 gateway instead of the default gateway, there is reachability, but connection is no longer possible on the interface with the default gateway, the connection that worked before the static route was added.

**GOAL**: Route only response traffic for a specific IP based on the incoming interface. If 10.10.30.33 tries to reach 10.10.10.4, the response should be sent on eth1; if it tries 10.10.20.2, it should send response packets on eth2. Basically, I want both these machine interfaces to be accessible for 10.10.30.33 at the same time.
l0cal (21 rep)
Apr 1, 2023, 04:50 PM • Last activity: May 25, 2023, 07:30 PM
1 votes
1 answers
729 views
How to police ingress (input) packets belonging to a cgroup with iptables and tc?
I am trying to limit the download (ingress) rate for a certain app within a cgroup. I was able to limit the upload (egress) rate successfully by marking the app's OUTPUT packets in iptables and then setting a tc filter to handle those marked packets. However, when I did the same steps for ingress it didn't work.

---

Steps I followed to limit **upload**:

1. Mark OUTPUT packets by their cgroup

```
$ sudo iptables -I OUTPUT -t mangle -m cgroup --path '/user.slice/.../app-firefox-...scope'\
  -j MARK --set-mark 11
```

2. Filter by fw mark (11) on the root qdisc

```
$ tc qdisc add dev $IFACE root handle 1: htb default 1
$ tc filter add dev $IFACE parent 1: protocol ip prio 1 handle 11 fw \
  action police rate 1000kbit burst 10k drop
```

This limited the upload rate for firefox to 1000kbit successfully.

---

Steps I followed trying to limit **download**:

1. Mark INPUT packets by their cgroup

```
$ sudo iptables -I INPUT -t mangle -m cgroup --path '/user.slice/.../app-firefox-...scope'\
  -j MARK --set-mark 22
```

2. Filter by fw mark (22) on the ingress qdisc

```
$ tc qdisc add dev $IFACE ingress handle ffff:
$ tc filter add dev $IFACE parent ffff: protocol ip prio 1 handle 22 fw \
  action police rate 1000kbit burst 10k drop
```

---

I am able to block the app's download successfully with iptables:

```
$ sudo iptables -I INPUT -t mangle -m cgroup --path '/user.slice/.../app-firefox-....scope' -j DROP
```

So it seems like iptables is marking the cgroup's input packets but for some reason, tc can't filter them, or maybe the packets are being consumed before the tc filter takes effect? If so, then what is the use of marking input packets? If there is a way to block a cgroup's input packets then there must be a way to limit them, right?
user216385 (63 rep)
Apr 29, 2023, 05:32 AM • Last activity: Apr 29, 2023, 11:47 PM
0 votes
1 answers
109 views
How to separate the traffic of 3 network interfaces
How to separate the traffic of 3 network interfaces on Ubuntu 22.04
eno1: flags=4163  mtu 1500
        inet 192.168.1.48  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::8276:83ab:72d6:1287  prefixlen 64  scopeid 0x20
        ether 9c:53:22:48:77:19  txqueuelen 1000  (Ethernet)
        RX packets 7797  bytes 1129504 (1.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6828  bytes 593700 (593.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp8s0: flags=4163  mtu 1500
        inet 192.168.0.101  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::b875:1df4:ff5e:9f09  prefixlen 64  scopeid 0x20
        ether d8:5e:d3:01:84:ed  txqueuelen 1000  (Ethernet)
        RX packets 135512185  bytes 8949006996 (8.9 GB)
        RX errors 0  dropped 237  overruns 235  frame 0
        TX packets 365038054  bytes 534261499563 (534.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xfa800000-fa81ffff  

enp9s0: flags=4163  mtu 1500
        inet 192.168.1.36  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2403:6200:89a6:d09d:5606:aae2:c339:9eb1  prefixlen 64  scopeid 0x0
        inet6 2403:6200:89a6:d09d:d5ac:2515:913e:e2be  prefixlen 64  scopeid 0x0
        inet6 fe80::272a:26bd:9d12:e881  prefixlen 64  scopeid 0x20
        ether d8:5e:d3:01:84:ee  txqueuelen 1000  (Ethernet)
        RX packets 274876935  bytes 23805585708 (23.8 GB)
        RX errors 0  dropped 1956  overruns 0  frame 0
        TX packets 740203694  bytes 1081935809783 (1.0 TB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
enp8s0 already works separately by default, connected through 192.168.0.1. It has been working smoothly with enp9s0, which is connected through 192.168.1.1. Then I added eno1 and the problem occurred. All the network interfaces are connected to different routers which are of 3 different ISPs. eno1 is of additional LAN pcie card while enp8s0 and enp9s0 are of onboard LAN slot. Here is my ip route result:
default via 192.168.1.1 dev enp9s0 proto dhcp metric 100 
default via 192.168.0.1 dev enp8s0 proto dhcp metric 102 
default via 192.168.1.1 dev eno1 proto dhcp metric 103 
169.254.0.0/16 dev enp8s0 scope link metric 1000 
192.168.0.0/24 dev enp8s0 proto kernel scope link src 192.168.0.101 metric 102 
192.168.1.0/24 dev enp9s0 proto kernel scope link src 192.168.1.36 metric 100 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.48 metric 103
Since enp9s0 is connected to ISP1, enp8s0 is connected to ISP2 and eno1 is connected to ISP3, I want the traffic of these 3 to go out separately according to their ISP. When I curl, they go out separately:
money@money:~$ curl --interface enp8s0 ifconfig.me
101.108.144.237
money@money:~$ curl --interface enp9s0 ifconfig.me
14.207.43.37
money@money:~$ curl --interface eno1 ifconfig.me
171.100.22.228
But when I use rclone to upload files, it gets stuck. This happened before when I first added enp8s0; before that I only had 1 network interface, which is enp9s0. I had to
sudo ip route add 192.168.0.0/24 dev enp8s0 src 192.168.0.101 table rt2
sudo ip route add default via 192.168.0.1 dev enp8s0 table rt2
sudo ip rule add from 192.168.0.101/32 table rt2
sudo ip rule add to 192.168.0.101/32 table rt2
and that solved it. Now I added eno1 and had the aforementioned problem again. So I tried both
sudo ip route add 192.168.1.0/24 dev eno1 src 192.168.1.48 table rt2
sudo ip route add default via 192.168.1.1 dev eno1 table rt2
sudo ip rule add from 192.168.1.48/32 table rt2
sudo ip rule add to 192.168.1.48/32 table rt2
and
sudo ip route add 192.168.1.0/24 dev eno1 src 192.168.1.48 table rt3
sudo ip route add default via 192.168.1.1 dev eno1 table rt3
sudo ip rule add from 192.168.1.48/32 table rt3
sudo ip rule add to 192.168.1.48/32 table rt3
But I still can't make it through. Additional information from ip route list table:
money@money:~$ ip route list table rt2
default via 192.168.0.1 dev enp8s0 
192.168.0.0/24 dev enp8s0 scope link src 192.168.0.101 
192.168.1.0/24 dev eno1 scope link src 192.168.1.48 
money@money:~$ ip route list table rt3
default via 192.168.0.1 dev enp8s0 
192.168.0.0/24 dev enp8s0 scope link src 192.168.0.101 
192.168.1.0/24 dev eno1 scope link src 192.168.1.48
When cat /etc/iproute2/rt_tables
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
1 rt2
1 rt3
ip a result
2: enp9s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d8:5e:d3:01:84:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.36/24 brd 192.168.1.255 scope global dynamic noprefixroute enp9s0
       valid_lft 9272sec preferred_lft 9272sec
    inet6 2403:6200:89a6:d09d:5606:aae2:c339:9eb1/64 scope global temporary dynamic 
       valid_lft 581671sec preferred_lft 62705sec
    inet6 2403:6200:89a6:d09d:d5ac:2515:913e:e2be/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 863871sec preferred_lft 431871sec
    inet6 fe80::272a:26bd:9d12:e881/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp8s0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d8:5e:d3:01:84:ed brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic noprefixroute enp8s0
       valid_lft 63271sec preferred_lft 63271sec
    inet6 fe80::b875:1df4:ff5e:9f09/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 9c:53:22:48:77:19 brd ff:ff:ff:ff:ff:ff
    altname enp10s0
    inet 192.168.1.48/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 82853sec preferred_lft 82853sec
    inet6 fe80::8276:83ab:72d6:1287/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
Comparing 3 interfaces when uploading with rclone. The first one goes through enp9s0 without adding the --bind option, so the connection went through the default line. This one doesn't have a problem:
money@money:~$ rclone move --verbose --transfers 2 --checkers 6 --bwlimit 1G --contimeout 120s --timeout 600s --retries 6 --low-level-retries 20 --buffer-size 128M --drive-chunk-size 128M --stats 1s /media/cache/vipx3 up:
2023/03/11 18:31:15 INFO  : Starting bandwidth limiter at 1Gi Byte/s
2023/03/11 18:31:16 INFO  : 
Transferred:   	          0 B / 74.568 GiB, 0%, 0 B/s, ETA -
Checks:                 0 / 1, 0%
Transferred:            0 / 1, 0%
Elapsed time:         1.0s
Checking:

Transferring:
 * plot-k32-c7-2023-03-11…8a61bb6c66fc76752.plot:  0% /74.568Gi, 0/s, -

2023/03/11 18:31:18 INFO  : 
Transferred:   	   52.871 MiB / 74.568 GiB, 0%, 20.327 MiB/s, ETA 1h2m33s
Checks:                 0 / 1, 0%
Transferred:            0 / 1, 0%
Elapsed time:         3.0s
Checking:

Transferring:
 * plot-k32-c7-2023-03-11…8a61bb6c66fc76752.plot:  0% /74.568Gi, 20.327Mi/s, 1h2m33s
This one goes through enp8s0 (192.168.0.101) and also went through after I added the ip route rule mentioned earlier:
money@money:~$ rclone move --bind 192.168.0.101 --verbose --transfers 2 --checkers 6 --bwlimit 1G --contimeout 120s --timeout 600s --retries 6 --low-level-retries 20 --buffer-size 128M --drive-chunk-size 128M --stats 1s /media/cache/vipx3 up:
2023/03/11 18:28:39 INFO  : Starting bandwidth limiter at 1Gi Byte/s
2023/03/11 18:28:40 INFO  : 
Transferred:   	          0 B / 74.568 GiB, 0%, 0 B/s, ETA -
Checks:                 0 / 1, 0%
Transferred:            0 / 1, 0%
Elapsed time:         1.0s
Checking:

Transferring:
 * plot-k32-c7-2023-03-11…8a61bb6c66fc76752.plot:  0% /74.568Gi, 0/s, -

2023/03/11 18:28:42 INFO  : 
Transferred:   	   51.184 MiB / 74.568 GiB, 0%, 21.965 MiB/s, ETA 57m54s
Checks:                 0 / 1, 0%
Transferred:            0 / 1, 0%
Elapsed time:         3.0s
Checking:

Transferring:
 * plot-k32-c7-2023-03-11…8a61bb6c66fc76752.plot:  0% /74.568Gi, 21.965Mi/s, 57m54s
This is the last network interface (eno1) I added, which can't upload right now:
money@money:~$ rclone move --bind 192.168.1.48 --verbose --transfers 2 --checkers 6 --bwlimit 1G --contimeout 120s --timeout 600s --retries 6 --low-level-retries 20 --buffer-size 128M --drive-chunk-size 128M --stats 1s /media/cache/vipx3 up:
2023/03/11 18:27:52 INFO  : Starting bandwidth limiter at 1Gi Byte/s
2023/03/11 18:27:53 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Elapsed time:         1.0s

2023/03/11 18:27:54 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Elapsed time:         2.0s

2023/03/11 18:27:55 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Elapsed time:         3.0s

2023/03/11 18:27:56 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Elapsed time:         4.0s
How do I make eno1 traffic go through its own gateway like enp8s0? This line has its own router connected to its own separate ISP. Now it seems to be sharing 192.168.1.1 with enp9s0.
God of Money (23 rep)
Mar 11, 2023, 10:18 AM • Last activity: Mar 11, 2023, 07:08 PM
0 votes
1 answers
967 views
UFW Block in Syslog - Why are many different IPs trying to connect to my server
First of all I want to clear up that I'm not a network expert and just trying to understand things. I hope I can find help here and get a bit smarter.

I'm hosting a service on a Ubuntu 22.04 vps. That service is behind a reverse proxymanager and can be reached through the internet. After checking /var/log/syslog I could see that many different IP addresses are trying to connect to my server using TCP or UDP on random ports, e.g.:

```
Feb 27 15:38:24 srv-ub kernel: [241679.951328] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=x.163.125.213 DST=xx.xx.xx.231 LEN=44 TOS=0x08 PREC=0x20 TTL=242 ID=14405 PROTO=TCP SPT=42436 DPT=21297 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 27 15:39:09 srv-ub kernel: [241686.038366] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=x.49.149.1 DST=xx.xx.xx.231 LEN=36 TOS=0x00 PREC=0x00 TTL=245 ID=19849 DF PROTO=UDP SPT=4086 DPT=123 LEN=16
Feb 27 15:39:27 srv-ub kernel: [241703.765119] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=x.136.225.9 DST=xx.xx.xx.231 LEN=44 TOS=0x00 PREC=0x00 TTL=109 ID=0 PROTO=TCP SPT=62985 DPT=9300 WINDOW=29200 RES=0x00 SYN URGP=0
```

**There are many more attempts from different IPs and different countries like China, Bulgaria, Cyprus etc. (I checked using whois)**

My UFW rules are as follows:

```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
21/tcp                     DENY IN     Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
8080 (v6)                  ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
21/tcp (v6)                DENY IN     Anywhere (v6)
```

My question is: is this normal traffic or is somebody trying to get access to my server? Is there anything I should do against it?

Thank y'all for your time.
mojo_x (1 rep)
Feb 27, 2023, 03:16 PM • Last activity: Feb 27, 2023, 03:33 PM
1 votes
1 answers
1026 views
How do I change the destination IP of all outgoing packets (especially DNS)?
I have a Raspberry Pi 4 with the latest build of (Debian) Raspberry Pi OS. I am trying to configure `iptables` to redirect all traffic coming from the Pi (with ) to another machine (let's say with an IP address ). This is to test the other machine, which will host a DNS based captive portal, and I want to forward all traffic to that captive portal machine (IP B). If I could keep the SSH connection unforwarded that would be great because I like my headless setup.

I have already tried this set of rules on the NAT table (iptables). I realise what I already tried only tries to forward UDP traffic from IP A to IP B. This didn't work.
root@pi4:/home/pi# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 7 packets, 1155 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  *      *                             udp dpt:53 to:

Chain INPUT (policy ACCEPT 7 packets, 1155 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Any help or pointers are much appreciated.
Phippsy (31 rep)
Jul 21, 2022, 10:01 AM • Last activity: Jul 21, 2022, 08:10 PM
2 votes
2 answers
10069 views
Incoming and outgoing traffic when NOTHING is running
In a system with nothing running (at least nothing I know of), listening for incoming and outgoing traffic prints this output:

192.168.1.1 => all-systems.mcast.net 0b 26b 19b 224.0.0.251 128b 26b 19b <= 0b 0b 0b

(sometimes it doesn't show just 26b or 128b, but instead jumps to big numbers like there's actual information being sent)

----------

What is the meaning of this?

192.168.1.1 is the gateway, my router
192.168.1.2 is me, my machine

But who is all-systems.mcast.net?? Also who is 224.0.0.251?? And more importantly, why are there packets being sent?

Found this: https://davidsimpson.me/2015/11/16/why-is-my-machine-contacting-all-systems-mcast-net/

But I'm running no DLNA server. So who am I broadcasting to?

One last (and also important) question is: I can understand 192.168.1.2 contacting something, and I can understand 192.168.1.1 contacting me, but I can't understand why I am seeing 192.168.1.1 in contact with all-systems.mcast.net. So how is it possible that monitoring my machine shows traffic from my router that is not being sent to me? I shouldn't be able to see that, right?

The utility I am using is: iftop - display bandwidth usage on an interface by host

Utilities tcptrack and netstat show nothing at all. Therefore the only plausible explanation is that this utility is the one responsible for that traffic??

-------------------

**Question UPDATE**

So there's this multicast stuff apparently integrated in the kernel of my system and also in my router with a very rudimentary system of question&answer, a timer, once every 60 seconds. I don't quite understand why, and after some good people have tried to explain it to me, I don't think I ever will. So I would like to turn it off. Is it possible?
bunden (343 rep)
Feb 21, 2018, 11:50 PM • Last activity: May 27, 2022, 06:30 PM
0 votes
0 answers
817 views
Why are packets being dropped (kfree_skb)?
I am currently sending ~9mpps; each packet is 72 bytes large and is a UDP DNS request. The packets are being sent to a Dell server I have using an Intel i40e interface. The server is using all of its 32 queues and has a queue size of 4096 per queue. All client source packets have random source MAC addresses and random IP addresses in a pool of about 150.

Note that none of the network cards show dropped / discarded packets. I can see all the unicast traffic is arriving at the interface: ethtool -S shows rx_unicast at ~9mpps. However, rx_packets shows 1.7mpps. The egress interface shows the same amount of packets being processed and sent out the other interface I am forwarding through.

Note that the far end IP the generated traffic arrives at is just an L3 interface; there are no DNS services listening on it, so the packets are dropped on the far end (this is ok).

When I use dropwatch I can see the following messages:
224021 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
235277 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
232467 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
227083 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
228235 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
227216 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
221967 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
225418 drops at kfree_skb+1e (0xffffffffa33f5cbe) [software]
I tried looking up what 0xffffffffa33f5cbe is in /boot/System.map-$(uname -r) but nothing is listed. I tried looking up what kfree_skb does, but it frees the sk_buff memory (not very helpful).

I believe this may be a limitation of the kernel (forwarding, netfilter, etc.), or of the CPU being able to process so much traffic; however, I would like to know why, and demonstrate the reason why packets are being dropped in the kernel. How can I determine why all traffic is not being sent?

**UPDATE**

I was able to remove the following modules:
nf_conntrack
ip_tables
iptables_filter
x_tables
This increased the processing speed; I can see now I am able to send ~4.5mpps, so it seems that netfilter is the bottleneck. Will work more with removing other modules. Curious if anyone else has details on why this happens?
Dave (700 rep)
May 4, 2022, 08:10 PM • Last activity: May 4, 2022, 10:54 PM
1 votes
1 answers
1223 views
ebtable rules to block traffic at bridge interface
I have a setup where one bridge is connected together with 3 ethernet ports: eth1, eth2, eth3. How can I block the traffic from a client which is connected to eth1, based on the client's MAC, at the bridge br0 using ebtables?
Franc (309 rep)
Jan 18, 2022, 05:09 AM • Last activity: Jan 25, 2022, 02:16 PM
0 votes
2 answers
6536 views
put tcpdump in promiscuous mode and sniffing from any pc
At my home I use a wireless router to connect to the internet, so every device uses a wireless card to use it. In this way, using sudo tcpdump -i wlan0 from my pc I should be able to see all the packets going around in the local net (a thing that I couldn't do if everyone was connected using ethernet), and it looks like it works.

Now I tried sudo tcpdump -i wlan0 host 192.168.1.3 to see only the packets of a specific pc (which is not mine but a different pc), but I get nothing, just:

****@****-pc ~ $ sudo tcpdump -i wlan0 host 192.168.1.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes

So I don't understand: why, using sudo tcpdump -i wlan0, do I see everything but I can't tell it to track just one specific flow?
zer0uno (1353 rep)
Mar 6, 2015, 12:26 PM • Last activity: Jun 24, 2021, 09:54 AM
1 votes
1 answers
1564 views
How to use a network interface as read-only?
I have a switch in my home lab that I want to run some experiments with, especially with regards to VLANs and some other protocols that I want to better understand. Now, this switch (a [TP-Link 5-port somewhat managed switch](https://www.tp-link.com/lk/business-networking/easy-smart-switch/tl-sg105e/)) allows for port mirroring. This mirrored traffic I want to analyze on my computer with as little "new" traffic introduced from the monitoring machine as possible. How can I accomplish that?

I already know that you have to put the NIC into promiscuous mode in order to receive packets not originally destined for my PC. As this is usually done by Wireshark itself, I don't have to worry about it. However, I wanted to make sure to introduce as little "noise" on the port as possible, in order to really just look at the traffic generated on the other ports.

I already found [this answer](https://unix.stackexchange.com/a/190779/193819) that suggests disabling all services running (like DHCP et al), which makes sense. But while this will reduce the noise by a lot, it probably won't be able to prevent ARP resolution or other kernel-based network interactions. I also learned that there are protocols meant specifically for this purpose (like [Cisco's SPAN](https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951)), but my switch doesn't have that ability.

So my question is: how can I use my network interface as read-only as it gets?
mh166 (113 rep)
Jun 15, 2021, 09:44 AM • Last activity: Jun 16, 2021, 01:20 PM
Showing page 1 of 20 total questions