Accounting for /proc/net/dev reported traffic

Tags: monitoring, netstat, networking, proc, traffic

I noticed that according to /proc/net/dev I am constantly receiving around 6Kb/s on my wireless usb interface. But I can't account for anything even close to that with the individual connections that I get with iptraf, iftop, and nethogs. Investigations with netstat, lsof, and tcpdump didn't help either.

So, what else could contribute to /proc/net/dev values? I can speculate that, while only IP based traffic is reported by the applications I mentioned, /proc/net/dev probably accounts for other link-layer/internet-layer stuff too (arp? icmp? wireless management stuff?). Or maybe other transport/application protocols. Can anyone confirm this?

How else would you proceed to find out: through what sockets are the 6Kb/s coming through? What processes are receiving the traffic?


[EDIT]

The 2 consistent results across all the tools:

  1. the totals of Rx are around a few Kb/s
    • confirmed with /proc/net/dev, dstat, bwm-ng, cbm, iptraf, ifstat, gnome-system-monitor
  2. no connection/packet stream justifies that
    • confirmed with netstat, tcpdump, iftop, nethogs, iptraf

All of this with a Netgear WNDA4100 wireless USB adapter using a custom driver from some git (the only way I got it to work). I asked the devs about it here.

This might be malware, but I suspect the driver is simply reporting wrong totals. Nevertheless, I cannot explain what's going on for sure.

Best Answer

When dealing with applications that are using up network bandwidth, the best tool I've come across for tying utilization back to specific apps has got to be nethogs.

You can use ip link show or netstat -i to find out your network interface names.

$ netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
em1       1500        0      0      0 0             0      0      0      0 BMU
lo       65536    81375      0      0 0         81375      0      0      0 LRU
virbr0    1500        0      0      0 0             0      0      0      0 BMU
wlp3s0    1500  2264942      0      0 0       2376236      0      0      0 BMRU

My wireless on my Fedora 19 laptop is wlp3s0, so we tell nethogs to watch that:

$ sudo nethogs wlp3s0


As you let nethogs run it will start to show you the applications that are consuming your network bandwidth.
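An added example, not part of the original question or answer: a small parser that turns two /proc/net/dev snapshots into per-interface receive rates (bytes, packets, multicast, average packet size), so the interface-level totals can be set beside what the per-connection tools report. The two snapshots and all counter values are constructed; only the interface name wlp3s0 is borrowed from the netstat output above.

```python
import time

RX = ["bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast"]
TX = ["bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed"]
NAMES = ["rx_" + f for f in RX] + ["tx_" + f for f in TX]

def parse_proc_net_dev(text):
    """Return {iface: {counter_name: int}} from the text of /proc/net/dev."""
    counters = {}
    for line in text.splitlines()[2:]:           # first two lines are headers
        iface, sep, values = line.partition(":")
        nums = values.split()
        if not sep or len(nums) != len(NAMES):   # skip lines with an unexpected layout
            continue
        counters[iface.strip()] = dict(zip(NAMES, map(int, nums)))
    return counters

def rx_rates(before, after, seconds):
    """Receive-side deltas per interface between two snapshots `seconds` apart."""
    rates = {}
    for iface, new in after.items():
        old = before.get(iface)
        if old is None:
            continue                             # interface appeared between snapshots
        d_bytes = new["rx_bytes"] - old["rx_bytes"]
        d_pkts = new["rx_packets"] - old["rx_packets"]
        if d_bytes < 0 or d_pkts < 0:
            continue                             # counter reset or wrap: no usable delta
        rates[iface] = {
            "bytes_per_s": d_bytes / seconds,
            "packets_per_s": d_pkts / seconds,
            "multicast_per_s": (new["rx_multicast"] - old["rx_multicast"]) / seconds,
            "avg_packet_bytes": d_bytes / d_pkts if d_pkts else 0.0,
        }
    return rates

HEADER = "Inter-|   Receive  |  Transmit\n face |bytes packets ...|bytes packets ...\n"
# Constructed snapshots, 10 seconds apart (values are not measurements).
SNAP_T0 = HEADER + ("    lo: 81375 900 0 0 0 0 0 0 81375 900 0 0 0 0 0 0\n"
                    "wlp3s0: 1000000 5000 0 0 0 0 0 10 2000000 6000 0 0 0 0 0 0\n")
SNAP_T10 = HEADER + ("    lo: 81375 900 0 0 0 0 0 0 81375 900 0 0 0 0 0 0\n"
                     "wlp3s0: 1060000 5400 0 0 0 0 0 110 2001000 6010 0 0 0 0 0 0\n")

if __name__ == "__main__":
    # Live use on Linux: read the file twice, 10 seconds apart.
    first = parse_proc_net_dev(open("/proc/net/dev").read())
    time.sleep(10)
    second = parse_proc_net_dev(open("/proc/net/dev").read())
    for name, r in rx_rates(first, second, 10).items():
        print(name, r)
```

A low average packet size together with a steady packet rate points at many small frames rather than one bulk stream, which is worth knowing before choosing a tcpdump filter.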
