High Network Traffic, Bandwidth Monitoring

Hi all,

On FreePBX 13.0.190.8 with Asterisk 13.10.0 with about 90 chan sip extensions. Also, we’re using the built-in FreePBX Firewall.

While troubleshooting some quality issues (on 5 or so similar servers as well), I noticed on the Dashboard, under the Hourly and Daily Network graphs, that bandwidth seems high.

For example, during the off hours, when no calls are being made, the Daily graph shows about 14MB Rx and Tx. What makes it more interesting is that during the last hour, the average is about 3 Rx and Tx, with a couple spikes in the 10 range (obviously lower than the off hours average). Perhaps the graph just isn’t a great representation of what’s going on network wise.

My questions are: 1. Is this normal? 2. If not, what might it be? 3. What bandwidth tools would you suggest I use to see what is using the extra bandwidth?

Anybody?

I would be suspicious

sysstat, logwatch, iptraf and ntop are all in my standard toolkit

2 Likes

Hi dicko,

So I’m using the built-in FreePBX firewall. Everything is set to internal only, or disabled altogether, except for the required 10,000-20,000 UDP from any required by Anveo, and then an obscure TCP SIP port that we use. In the network exceptions list are some of our IPs, so we can have unlimited access, and Anveo’s servers, basically so they can hit 5060 UDP.

That said, what should I look for when investigating? The attacker, if he exists, has really only the ability to ping the server, and send some traffic to the UDP port range above.

iptraf will show realtime network traffic, ntop will help in resolving long-term bandwidth hogs, both have man pages on how to tune them and interpret their interface.

1 Like

Okay thank you.

Based on my setup though, I should still be suspicious? Is the FreePBX firewall not very fireproof?

I can’t say it is not available to my deployments, if you have multi-megabytes per sec off peak, you should definitely identify what it is, perhaps a backup script? Those tools will identify hosts and protocols involved.

Okay, thanks for your input.

I think I just figured out what the network activity is: It’s the Live Network Activity gadget itself!! If you open another tab on explorer, and then tab back, you will see the activity flatlined while you were not looking. I made a bug report.

Well it shows 14MB tx over all or 14Mbps of transfer at a single time? There is a difference between data transferred and data speeds.

If it is 14MB of transfer overnight, let us not forget kids that Asterisk is qualifying all of those 90 endpoints at generally 60-second intervals. That’s data, it’s being transferred and received. So yeah even in off hours the system is transferring data over the network or even over the WAN if your trunks are qualifying or remote endpoints are qualifying. Then there are the DNS requests if there are any FQDNs or DDNS.

There is plenty of “idle” traffic to explain 14MB tx/rx over an overnight or even an hour period. Like I said you’re qualifying 90 endpoints every 60 seconds roughly.
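The difference between data transferred and data speed, and the size of the idle qualify traffic, can be checked from two `/proc/net/dev` snapshots. This is an added example, not part of the original posts: the snapshots are constructed, and the 600-byte qualify packet size is an assumption to be replaced with a size measured on your own network.

```python
# Added example: constructed snapshots, not output from the poster's system.
MB = 1_000_000  # decimal megabyte

def parse_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:        # first two lines are column headers
        if ":" not in line:
            continue
        iface, data = line.split(":", 1)      # tolerate "eth0:123" with no space
        fields = data.split()
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def usage(before, after, seconds):
    """Volume (MB) and average rate (Mbit/s) per interface between two snapshots."""
    report = {}
    for iface, (rx1, tx1) in after.items():
        rx0, tx0 = before.get(iface, (rx1, tx1))
        if rx1 < rx0 or tx1 < tx0:            # counters reset (reboot, driver reload)
            continue
        report[iface] = {
            "rx_mb": (rx1 - rx0) / MB,
            "tx_mb": (tx1 - tx0) / MB,
            "rx_mbps": (rx1 - rx0) * 8 / seconds / MB,
            "tx_mbps": (tx1 - tx0) * 8 / seconds / MB,
        }
    return report

def qualify_bytes(endpoints, interval_s, seconds, packet_bytes):
    """Bytes per direction from one qualify packet per endpoint per interval."""
    return endpoints * (seconds // interval_s) * packet_bytes

HEADER = "Inter-|   Receive  |  Transmit\n face |bytes packets ...|bytes packets ...\n"
# Constructed counters for eth0, sampled 3600 seconds apart.
SNAP_T0 = HEADER + "  eth0: 1000000000 900000 0 0 0 0 0 0 800000000 850000 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "  eth0: 1003500000 905500 0 0 0 0 0 0 803300000 855400 0 0 0 0 0 0\n"

if __name__ == "__main__":
    stats = usage(parse_net_dev(SNAP_T0), parse_net_dev(SNAP_T1), 3600)["eth0"]
    print("eth0 rx %.1f MB = %.4f Mbit/s average" % (stats["rx_mb"], stats["rx_mbps"]))
    # 90 endpoints qualified every 60 s for one hour, 600 bytes per packet (assumed).
    baseline = qualify_bytes(90, 60, 3600, 600)
    print("expected qualify traffic: %.2f MB per direction" % (baseline / MB))
```

On a live system, replace the constructed snapshots with two reads of `/proc/net/dev` taken a known number of seconds apart.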

Hi!

Did it stay stuck for you at one point? It kept on showing the same period…

Mine did even though running the debugger suggested nothing was crashed and it was still getting answers back from the PBX…

Have a nice day!

Nick

So yes, it looks like it’s data transferred, and not speeds. And yes, the qualifies justify the amount, at least at a glance.