I have a FreePBX instance on a VM. There are between three and four phones permanently connected. The traffic of one month in the management console of my VM host is about 500 GB.
Is that normal?
It looks high, try installing iftop and see if you recognize all the traffic.
I already did and checked yesterday night and - nothing. As you can see in the network graph for one week, the traffic seems to appear only during daytime, but nobody is working at the weekend.
191Mb 381Mb 572Mb 763Mb 954Mb
└────────────────────────────────────────┴────────────────────────────────────────┴────────────────────────────────────────┴────────────────────────────────────────┴───────────────────────────────────────
pbx.example.com => office2.example.de 7,74Mb 8,76Mb 5,09Mb
<= 77,3Kb 70,0Kb 70,4Kb
pbx.example.com => office1.example.de 6,12Kb 5,55Kb 5,55Kb
<= 464b 362b 402b
pbx.example.com => p4FE8F756.dip0.t-ipconnect.de 0b 756b 222b
<= 0b 1,07Kb 323b
pbx.example.com => ns2-coloc.hetzner.net 1,41Kb 578b 901b
<= 2,75Kb 1,08Kb 1,47Kb
pbx.example.com => 50-69-162-69.static.reverse.lstn.net 0b 461b 136b
<= 0b 572b 168b
pbx.example.com => 45.143.220.40 2,02Kb 414b 122b
<= 2,82Kb 578b 170b
pbx.example.com => 195.185.37.60 1,92Kb 393b 116b
<= 1,61Kb 329b 97b
pbx.example.com => 14.153.116.221 0b 141b 41b
<= 0b 32b 9b
pbx.example.com => 46-118-122-254.broadband.kyivstar.net 0b 64b 19b
<= 0b 83b 24b
pbx.example.com => static.vnpt.vn 320b 64b 19b
<= 416b 83b 24b
pbx.example.com => 14.145.152.118 0b 106b 41b
<= 0b 0b 9b
pbx.example.com => 169.11.138.203 176b 70b 52b
<= 0b 0b 9b
pbx.example.com => 116.149.50.9 176b 70b 52b
<= 0b 0b 9b
pbx.example.com => 199.44.155.0 0b 70b 41b
<= 0b 0b 9b
pbx.example.com => a104-113-19-58.deploy.static.akamaitechnologies.com 160b 32b 9b
<= 176b 35b 10b
pbx.example.com => 116.93.87.126 0b 32b 9b
<= 0b 35b 10b
pbx.example.com => 116.131.96.77 176b 35b 62b
<= 0b 0b 9b
pbx.example.com => 161.137.16.7 0b 35b 52b
<= 0b 0b 9b
pbx.example.com => 116.243.109.163 0b 35b 41b
<= 0b 0b 9b
pbx.example.com => vmi220481.contaboserver.net 0b 0b 1,28Kb
<= 0b 0b 257b
pbx.example.com => 106.12.91.209 0b 0b 891b
<= 0b 0b 316b
pbx.example.com => 117.240.172.19 0b 0b 538b
<= 0b 0b 283b
pbx.example.com => ns1-coloc.hetzner.de 0b 0b 264b
<= 0b 0b 257b
pbx.example.com => ns3-coloc.hetzner.com 0b 0b 240b
<= 0b 0b 223b
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
TX: cum: 21,7MB peak: 19,1Mb rates: 7,75Mb 8,76Mb 5,10Mb
RX: 320KB 108Kb 85,5Kb 74,2Kb 75,3Kb
TOTAL: 22,0MB 19,1Mb 7,83Mb 8,84Mb 5,18Mb
Fortunately or unfortunately I recognize the host with the most traffic (office2). There is exactly one Snom 370 phone registered. The router traffic stats acknowledge the traffic from the pbx:
So there seems to be a misconfiguration of this phone. If I deactivate the identity the whole traffic disappears. After activating it again everything is fine and there is no suspicious traffic. But for sure it will be back in a couple of hours, because this has been happening for months.
Any ideas what could be the reason why this phone is downloading so much?
Having identified the source, you have the IP, so
tcpdump host PHONEIP . . . .
then wireshark it to see what protocol the traffic is on
There are tons of messages like this:
NOTIFY sip:[email protected]:1024;line=04mqtbrq SIP/2.0
Via: SIP/2.0/UDP 116.202.xxx.yyy:5060;rport;branch=z9hG4bKPj74c4e54e-18be-4409-8771-b8e1e02dccbc
From: <sip:[email protected]>;tag=f7acdf46-826f-4a6f-8cfd-fac6b7e28b93
To: <sip:[email protected];line=04mqtbrq>
Contact: <sip:[email protected]:5060>
Call-ID: 9a9ca26f-5822-4527-ba9e-0a75c327803f
CSeq: 44621 NOTIFY
Subscription-State: terminated
Event: message-summary
Allow-Events: presence, dialog, message-summary, refer
Max-Forwards: 70
User-Agent: FPBX-14.0.13.26(15.7.3)
Content-Type: application/simple-message-summary
Content-Length: 48
Messages-Waiting: no
Voice-Message: 0/0 (0/0)
Is the whole traffic only about the MWI?
It seems that more than 300 MWI notifications per second to one client is a bit too much, or am I wrong?
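Added example, not part of the original posts: one way to measure a rate like the one described above is to count SIP requests per second, destination and Event package in a text capture. The packet header layout (a simplified `tcpdump -A` style), the documentation-range addresses, the sample capture and the limit of 10 per second are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed input: one header line per packet (time, source, destination),
# followed by the SIP payload lines of that packet.
HDR = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP \S+ > (\S+): UDP")
REQ = re.compile(r"(NOTIFY|SUBSCRIBE|REGISTER|OPTIONS|INVITE|PUBLISH) sip:\S+ SIP/2\.0")
EVENT = re.compile(r"^Event:\s*(\S+)", re.I)

def sip_rates(capture_text):
    """Count SIP requests per (second, destination, method, event package)."""
    counts = Counter()
    cur = None  # [second, destination, method, event] of the packet being read

    def flush():
        if cur and cur[2]:  # only packets that carried a SIP request line
            counts[tuple(cur)] += 1

    for line in capture_text.splitlines():
        hdr = HDR.match(line)
        if hdr:
            flush()
            cur = [hdr.group(1), hdr.group(2), None, "-"]
        elif cur:
            req = REQ.search(line)  # search: raw header bytes may precede the method
            evt = EVENT.match(line.strip())
            if req and cur[2] is None:
                cur[2] = req.group(1)
            elif evt:
                cur[3] = evt.group(1).lower()
    flush()
    return counts

def storms(counts, per_second_limit):
    """Return the (second, destination, method, event) keys above the limit."""
    return sorted(k for k, n in counts.items() if n > per_second_limit)

def _packet(ts, dst, method, event=None):
    # Builds one constructed packet; "E..P" stands in for raw header bytes.
    lines = [f"{ts} IP 203.0.113.10.5060 > {dst}: UDP, length 600",
             f"E..P{method} sip:1001@198.51.100.20:1024 SIP/2.0",
             f"CSeq: 1 {method}"]
    return "\n".join(lines + ([f"Event: {event}"] if event else []))

PHONE = "198.51.100.20.1024"  # constructed phone address and port
SAMPLE = "\n".join(
    [_packet(f"12:00:00.{i:06d}", PHONE, "NOTIFY", "message-summary") for i in range(350)]
    + [_packet("12:00:01.000001", PHONE, "NOTIFY", "message-summary"),
       _packet("12:00:01.500000", "198.51.100.30.5060", "OPTIONS")])
```

Calling `storms(sip_rates(SAMPLE), per_second_limit=10)` lists only the one-second bucket in which the constructed phone received 350 message-summary NOTIFYs.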