System Monitor for Firewall, Receiving and Sending Match

I am updating a template.

My receiving and sending in my system-monitor for sys-firewall is about the same.

Is this because the sys-firewall is getting the data and sending it to another qube? It wouldn’t look this way in a normal distro and I want to make sure I’m interpreting this correctly.

It depends on how your system-monitor works.
sys-firewall is forwarding the traffic between the vif+ interfaces and the eth0 interface, so if system-monitor is just adding up the traffic for all available interfaces then you’ll have RX ~= TX overall traffic.


that’s probably what is going on

is there anything i need to do to check on this? i figured that’s what’s happening, but if i’m wrong it could mean large amounts of data are being sent whenever I receive data. it seems very unlikely that i’m being hacked like that and much more likely it’s what you said

I guess you need to read how system-monitor works and check the system-monitor configuration.
You can also use some other tool to check the traffic that can show it per interface.

is there a good tool that shows per interface traffic that isn’t as complex as wireshark?

Check the output of this command in terminal:

ip -s link show

they don’t match exactly and i’m not sure why. when i look at gnome-system-status, usually the send and receive graphs almost match.

this shows eth0 rx 4341333227 and tx 77858135 bytes

and vif5.0 is rx 29386147 and tx 471659360

i was updating templates for dom0 and using whonix and downloading some other large files in a VM connected to the firewall and not whonix but this doesn’t make sense to me

both the larger numbers start with 4, but the largest number is about 10x more than the second largest number

sending and receiving show as exact in the graph almost always and they don’t match when i did that command

this probably means i am being hacked somehow

The template/dom0 updates are not coming through vif+ interfaces, they are transferring between templates/dom0 and sys-firewall using qrexec so you’ll see the traffic through eth0 as if it was generated by sys-firewall itself.
If you have multiple VMs connected to sys-firewall then each VM will have its own vif+ interface, so when you shut down one of the VMs connected to sys-firewall, its vif+ will be gone from sys-firewall but the traffic counted from this vif+ to eth0 will still be seen in eth0 stats.
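
Added example, not part of the thread or any poster's code: a small shell function that reads `ip -s link show` output and separates the uplink byte counters into the part matched by vif interfaces that still exist and the remainder, which per the reply above is sys-firewall's own traffic (such as updates proxied over qrexec) plus traffic of VMs whose vif is already gone. The function names and the sample text are constructed for illustration; eth0 as the uplink is an assumption, and only the eth0 and vif5.0 byte counts come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: split sys-firewall's uplink counters into
# traffic matched by existing vif* interfaces and traffic that is not.
# Assumption: the uplink is eth0 (pass another name as $1).
forward_summary() {
    awk -v uplink="${1:-eth0}" '
        # Header line, e.g. "2: eth0: <BROADCAST,...> mtu 1500 ..."
        /^[0-9]+: / { ifc = $2; sub(/:$/, "", ifc); sub(/@.*/, "", ifc); next }
        # The byte counter is the first field on the line after RX: / TX:
        $1 == "RX:" { want = "rx"; next }
        $1 == "TX:" { want = "tx"; next }
        want != "" {
            if (ifc == uplink)     up[want]  += $1
            else if (ifc ~ /^vif/) vif[want] += $1
            want = ""
        }
        END {
            printf "uplink_rx=%.0f uplink_tx=%.0f\n", up["rx"], up["tx"]
            printf "vif_rx_sum=%.0f vif_tx_sum=%.0f\n", vif["rx"], vif["tx"]
            # Downloads enter on uplink RX and leave on vif TX.
            printf "unattributed_down=%.0f\n", up["rx"] - vif["tx"]
            # Uploads enter on vif RX and leave on uplink TX.
            printf "unattributed_up=%.0f\n", up["tx"] - vif["rx"]
        }'
}

# Constructed sample in `ip -s link show` layout. Byte counts for eth0 and
# vif5.0 are the ones quoted in the thread; everything else is made up.
sample_output() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    4341333227 3104221      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
      77858135  912033      0       0       0       0
3: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
      29386147  301455      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
     471659360  398120      0       0       0       0
EOF
}

sample_output | forward_summary   # live: ip -s link show | forward_summary
```

Right after sys-firewall starts, with every client VM still running and no updates in flight, both unattributed values should stay small; they grow as updates run through qrexec or as VMs shut down and take their vif counters with them.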


that’s what it is. i understand now. so i could test this by restarting and just not shutting down VMs and keeping all vifs open just to make sure they add up

i get it now!

here i use nethogs… whenever i need to watch a qube i run it from dom0 terminal… it works like a charm…

qvm-run -u root <machine> "xterm -e 'nethogs && read'"