On Wednesday night 7-8-09, there was an increase in network activity on my main R5.5 KM box.
By coincidence, that was the same night I was loading up R5.5 on a test computer in another part of the house (different IP address, but connected to the same network). I don't think putting a 2nd R5.5 box on the same network would cause this, but just in case, I'm noting it.
Note the graph of network activity.
You can see that an increased amount of traffic started on Wednesday night. I have tried to narrow down the nature of the traffic:
Thus far, I have:
1. rebooted the KM machine to see if the network traffic would go back down - it did not. (time noted in picture)
2. I turned off the Internet modem to stop all traffic between my in-house network and the Internet. (time noted in picture)
3. After turning the Internet modem back on, and seeing no decrease in network activity, I turned off the port forwarding in my Internet router, so the KM box cannot be accessed from outside my in-house network - no change in network activity.
4. looked in the /var/log/auth.log for evidence that I am getting attacked via SSH logins - no evidence of external SSH attacks
From the evidence thus, far, I believe that the KM box is generating the increase in network traffic, rather than responding to any external attacks or external access.
How can I tell what program or service is causing the network activity?