My server (Debian 7.4, x86_64, Proxmox) has 4 IPs: one for the VM host (call it A), and three that I use for virtual machines (say B, C and D). Currently, only B and C are used; the D address is not assigned at all. The VM host does not even respond to pings or anything on D, so as far as I can see it doesn't even "know" about it. ifconfig -a and ip addr show only refer to A.
I have set the traffic limit at my server's ISP for D to 1MB. Since yesterday, I am suddenly receiving traffic warnings that D is using several megabytes of traffic per hour. It's not that it's much, but I am completely clueless about what could even generate that traffic. It seems to be outgoing only. How does Proxmox (the VM software I use) assign IPs to OpenVZ containers? How can I check that D is not just randomly used as the outgoing address for perfectly normal traffic? But why would it do that, since there does not seem to be a way to respond to any packets? Or have I been hacked, and someone somehow figured out that D must belong to that server too and is using it for nefarious purposes? Any suggestions to track this down welcome. :-)
Use tcpdump. It will listen on an interface and show all of the traffic moving through that interface. There are a bunch of different options to tune what you capture and how to display it:
tcpdump -i [interface D]
will show you traffic on D. If D doesn't have its own interface, then use
tcpdump -i [interface] host [D IP address]
which will show you all traffic on that shared interface bound for D's IP address.
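An added example, not part of the answer above or of the Proxmox tooling: the capture the answer describes, narrowed to packets that leave the shared interface with D as their source address, plus a small summary that groups a capture by source MAC and source IP so the sending VM or container can be identified. The interface name "vmbr0", the 203.0.113.0/24 addresses and the three sample tcpdump lines are constructed placeholders, not taken from the question.

```shell
#!/bin/sh
# Added example (not from the original answer): build the tcpdump command for
# one address on a shared bridge interface, then summarise a capture by source
# MAC and source IP so the sending VM/container can be identified.
# Interface "vmbr0" and the 203.0.113.0/24 addresses are placeholders.

# Print the tcpdump invocation for packets *leaving* via $1 with source $2.
# -e prints the link-layer (MAC) header, -n skips DNS lookups, -tttt gives
# full timestamps. "src host" restricts the capture to outgoing packets.
capture_cmd() {
    iface=$1
    ip=$2
    printf 'tcpdump -e -n -tttt -i %s src host %s\n' "$iface" "$ip"
}

# Summarise "tcpdump -e -n -tttt" output read from stdin as:
#   <source MAC> <source IP> <packets> <bytes>   (largest byte count first)
# Optional $1 restricts the summary to that source IP.
# Assumes plain Ethernet/IPv4 frames; field positions shift with VLAN tags.
summarise() {
    awk -v target="$1" '
    {
        mac = $3                              # source MAC of the frame
        len = $10; sub(/:$/, "", len)         # frame length ("98:" -> 98)
        src = $11; sub(/\.[0-9]+$/, "", src)  # strip the port from "ip.port"
        if (target != "" && src != target) next
        key = mac " " src
        pkts[key]++
        bytes[key] += len
    }
    END { for (k in pkts) printf "%s %d %d\n", k, pkts[k], bytes[k] }
    ' | sort -k4,4nr
}

# Constructed sample capture: three frames from two different source MACs.
SAMPLE='2024-05-01 10:00:00.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.4.443 > 198.51.100.7.51000: Flags [P.], seq 1:45, ack 1, win 501, length 44
2024-05-01 10:00:00.000002 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 1514: 203.0.113.4.443 > 198.51.100.7.51000: Flags [.], seq 45:1505, ack 1, win 501, length 1460
2024-05-01 10:00:00.000003 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 203.0.113.2.22 > 198.51.100.9.40000: Flags [S.], seq 0, ack 1, win 64240, length 0'

# Run the summary over the constructed sample; $1 is an optional source IP.
sample_summary() {
    printf '%s\n' "$SAMPLE" | summarise "$1"
}

capture_cmd vmbr0 203.0.113.4
sample_summary
```

On a real host, run the printed tcpdump command as root and pipe its output into summarise (or into summarise with D's address as the argument). Each source MAC in the result can be matched against the virtual NICs of bridged VMs. One caveat for the OpenVZ case in the question: containers on venet interfaces are routed by the host, so their packets leave the physical interface with the host's own MAC; there the source IP column is the useful key, and vzlist -a on the host shows which container, if any, has that IP assigned.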