I have a web server on a coloc host. All 'planned' activity is over HTTP. (There's no FTP server, no bittorrent client, no IRC bots, etc.)

My inbound traffic is consistently 5-10 times higher than my outbound traffic. (For example, over the past 24 hours I have served 228MB of data, but received 1.94GB.)

  1. Is this standard/expected for a web server? (Am I perhaps getting slammed with thwarted nefarious attempts whose packet size versus a 0-byte response overwhelms the normal inverse relationship?)

  2. If this is not expected, what tools should I use to investigate where the traffic is coming from? (The server is running Ubuntu 10.04.)


    You've been given a great answer by voretaq7, but one quick point - where's the data coming from? I assume the hosting provider? Sometimes it's from the switch's POV - i.e. the _switch_ "received" 1.94GB from your server, rather than your server received 1.94GB. – James O'Gorman Feb 17 '12 at 21:38
    @James A good clarifying question. `ifconfig` shows `RX bytes:9.3GB TX bytes:1.4GB` on the ethernet interface. Further, I've performed multiple tests where I download massive amounts of data from the server over a short period of time and see the "outbound" graphs spike, confirming which direction is which. It seems pretty clear to me that it is data flowing into my server that is outpacing the data flowing out of it. – Phrogz Feb 17 '12 at 21:47
    @Phrogz That is certainly the opposite of what I would expect from a "normal" web server (in fact the ratio is *exactly* opposite of one of my servers), so unless you're doing something that involves big uploads and very few downloads I'd break out the packet sniffer and see what's going on :) – voretaq7 Feb 17 '12 at 22:27

2 Answers


Yes for some protocols. No for others. The answer is it depends on what kind of traffic is "normal" for your environment.

Think about web browsing (and let's just agree for a moment that it's representative of normal internet traffic for say an office):

I want to look at this question, so I connect to serverfault.com and go

```
GET /questions/361329 HTTP/1.1
Host: serverfault.com
```

Total size of my outbound traffic (request): Maybe 1K if we include all the protocol overhead and additional requests my browser will make for images and such.

The serverfault.com server chews on my request and returns several hundred KB of HTML, images, etc.

Outbound traffic: 1k. Inbound traffic: 19k (as of that colon).

If you're the server half of that equation it's normal for your outbound traffic to far exceed your inbound traffic. Take a look at this graph from an anonymous ISP's web hosting network: [graph: Shared Hosting traffic]

Now if your traffic does not look the way you think it should, a good traffic monitoring system (or a few minutes with tcpdump/ethereal/etc.) may give you an idea of what's going on, or at least who is talking to whom on what ports.

  • @JohnThePro I left out the part about "balanced" protocols because I couldn't think of any. Though the ISP's [overall traffic graph](http://i.stack.imgur.com/8YQId.png) shows how a good blend of traffic will tend to create symmetry (anything sent by one machine must eventually be received by another). – voretaq7 Feb 17 '12 at 21:31
  • @voretaq7 A good description, but you've described the exact opposite of my situation. My server has gobs more _inbound_ traffic than _outbound_. I'm starting to look at tools for analysis now. (Sadly, [Darkstat](http://unix4lyfe.org/darkstat/) looks promising but appears broken, never able to return data to me.) – Phrogz Feb 17 '12 at 21:43
  • @Phrogz I've described a general situation. Extrapolate to your specific case to determine if this is "normal" -- If your site takes lots of large file uploads but relatively few downloads for example you'd expect the opposite of the situation I described. – voretaq7 Feb 17 '12 at 22:02
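The "few minutes with tcpdump" suggested above can be turned into a per-source, per-port byte count. This is an added example, not code from either answer: it assumes `tcpdump -nn -q` text output, a server address of 192.0.2.10, and that only TCP 22 and 80 are expected; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -q` output (documentation addresses, not real traffic).
SAMPLE = """\
21:38:01.000001 IP 203.0.113.5.51234 > 192.0.2.10.80: tcp 512
21:38:01.000002 IP 192.0.2.10.80 > 203.0.113.5.51234: tcp 1448
21:38:01.000003 IP 198.51.100.7.40000 > 192.0.2.10.5060: UDP, length 1200
21:38:01.000004 IP 198.51.100.7.40000 > 192.0.2.10.5060: UDP, length 1200
21:38:01.000005 IP 203.0.113.9.60000 > 192.0.2.10.22: tcp 96
21:38:01.000006 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
"""

# Matches IPv4 TCP/UDP lines in quiet (-q) mode; everything else is ignored.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:(?P<tcp>tcp) (?P<tlen>\d+)|UDP, length (?P<ulen>\d+))"
)

def inbound_totals(lines, server_ip):
    """Sum payload bytes sent to server_ip, keyed by (source IP, protocol, local port)."""
    totals = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m or m["dst"] != server_ip:
            continue  # not IPv4 TCP/UDP, or traffic leaving the server
        proto = "tcp" if m["tcp"] else "udp"
        size = int(m["tlen"] if m["tcp"] else m["ulen"])
        totals[(m["src"], proto, int(m["dport"]))] += size
    return totals

def unexpected(totals, expected=frozenset({("tcp", 22), ("tcp", 80)})):
    """Inbound flows to ports outside the expected set (an assumption), largest first.
    High local ports here are usually replies to connections the server itself opened."""
    hits = [(k, v) for k, v in totals.items() if (k[1], k[2]) not in expected]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    totals = inbound_totals(SAMPLE.splitlines(), "192.0.2.10")
    for (src, proto, port), size in totals.most_common():
        print(f"{size:>8} B  {src} -> {proto}/{port}")
    for (src, proto, port), size in unexpected(totals):
        print(f"unexpected: {src} -> {proto}/{port} ({size} B)")
```

The byte counts are payload lengths as tcpdump prints them, so they will be somewhat lower than the interface's `RX bytes` counter, which includes headers.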

Random thoughts:

I have an nginx server that proxies to application servers behind it. If you have a similar setup, is the response payload from the app servers that goes through your webserver considered "inbound"?

Can you check your webserver log to see if there are any POST requests coming in?

Do any URLs on your site accept POST data? Webservers have a way to limit the body size; maybe that'll lead to some resolution. For example, this will limit POST body size to 1 meg in nginx:

```nginx
client_max_body_size 1m;
```

Finally, if the server shouldn't be getting anything but web (and SSH) traffic, use iptables to block everything but 80 and 22.

  • Thanks for the thoughts. 1) No, as described above, the response from the apps is outbound. (I'm looking at network adapter traffic.) 2) There are a few scattered POST, but not significant. 3) The only routes accepting POST regularly are for my own admin, and those are used infrequently for only kilobytes. 4) Good point on blocking, thanks. – Phrogz Feb 21 '12 at 14:08