Re: [squid-users] weird traffic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Sep 2009 13:53:34 +1200

On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan <atcs.matthew_at_gmail.com>
wrote:
> Leonardo Carneiro wrote:
>> you could bind squid to only listen on the LAN interface. doing this, no
>> one will be able to establish an external connection with squid.
> I'll try that, but I thought my firewall rules were taking care of
> that. They may not be though...I'm just recently learning iptables.
> I'll post back with the results.
>
> Thanks!
>

IIRC llnw.net are one of the providers for a lot of video content. If your
Squid is configured to download a complete file on range requests and one
of your users started downloading a video then stopped, Squid would show
this behavior.

Though yeah, a firewall spot-check is also good when strange things happen.

Amos

>
>>
>> Matthew Morgan escreveu:
>>> I have squid set up as a transparent proxy. It has two interfaces:
>>> eth0 (internet facing wan) and eth1 (local). I'm using iptables to
>>> masquerade the packets from my local network on eth1 and redirect
>>> them to squid's port. All this seems to work fine.
>>>
>>> The thing is, I keep seeing long periods of high incoming traffic on
>>> eth0, but low outgoing traffic on eth0, and nearly no traffic on
>>> eth1. Every time I see this, the data is always coming from either
>>> llnw.net or msecn.net. Both of these are legitimate content delivery
>>> networks. When I inspect the traffic I'm getting with
>>> tcpdump/wireshark, none of the traffic from these domains is going
>>> through to eth1 at all. I can confirm that this traffic is going to
>>> squid, since a netstat -p shows squid as the program with the
>>> connection open.
>>>
>>> What could be causing this? I tried turning off persistent
>>> connections in case a client was making the connection and then
>>> ignoring the data, but I'm not sure if that's possible or the
>>> problem. I'm not a network expert.
>>>
>>
Received on Wed Sep 23 2009 - 01:53:39 MDT
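
An added example, not part of the original thread or of Squid's own code: a small audit of a squid.conf for the two things raised above, a listener that is not bound to the LAN address and settings that make Squid keep fetching a whole object after the client has gone. It assumes the directives involved are `http_port`, `range_offset_limit` and `quick_abort_min`; the sample configs, the LAN subnet and the `audit_squid_conf` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample squid.conf fragments (not taken from the thread).
RISKY_CONF = """\
http_port 3128 transparent
range_offset_limit -1
quick_abort_min -1 KB
"""
TIGHT_CONF = """\
http_port 192.168.1.1:3128 transparent   # LAN address is an assumption
range_offset_limit 0
quick_abort_min 16 KB
"""

def audit_squid_conf(text, lan_net="192.168.1.0/24"):
    """Return [(line_number, finding)] for the settings discussed in the thread."""
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2:
            continue
        directive, value = tokens[0], tokens[1]
        if directive == "http_port":
            # "3128" has no host part; "ip:3128" or "[v6]:3128" does.
            host = value.rpartition(":")[0].strip("[]")
            if not host:
                findings.append((no, "http_port listens on every interface"))
                continue
            try:
                if ipaddress.ip_address(host) not in lan:
                    findings.append((no, f"http_port bound to {host}, outside {lan}"))
            except ValueError:
                findings.append((no, f"http_port bound to name {host!r}; check what it resolves to"))
        elif directive == "range_offset_limit" and value == "-1":
            findings.append((no, "range requests trigger a fetch of the whole object"))
        elif directive == "quick_abort_min" and value == "-1":
            findings.append((no, "fetches continue after the client aborts"))
    return findings

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("tight", TIGHT_CONF)):
        print(name, audit_squid_conf(conf) or "no findings")
```

Binding the listener complements the iptables rules rather than replacing them, so the firewall spot-check mentioned in the reply still applies.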
