Unknown network traffic

daves_nt_here

Member
Dec 27, 2021
Something is running on one of my PVE nodes every hour, 11 minutes past the hour. I can see data going out from PVE 1 to PVE 2 but I have no cronjobs set up for that time.
PVE 2 was about to be decommissioned so everything's now shut down on it and that's how I noticed this little spike in traffic every hour.
I checked all the cronjobs in every LXC on PVE 1 and nothing is scheduled.
No cronjobs on either of the hosts.

I checked journalctl as well but nothing shows up there either.
I'm stumped.
[attachment: Capture.JPG]
Hi, @daves_nt_here
I would do something like: log from a workstation into PVE2 with ssh, then about 10 minutes past an hour:
tcpdump -i any not host ip.address.of.workstation
You can make the filter more detailed but we don't know the source IP address of this strange traffic (there may be many addresses at PVE1).

Or on PVE2 install the net-acct package, configure /etc/nacctd.conf and start the daemon. Then observe the logs (usually in /var/log/net-acct). See man nacctd.

The log should contain the epoch timestamp, protocol, src and dst addresses, src and dst port numbers, count of packets, size of data.
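Once such an accounting log exists, the question becomes "which flow recurs at the same minute past every hour?". The script below is an added example, not code from the thread or from the net-acct project: it parses records with the fields the reply lists (epoch timestamp, protocol, src address, src port, dst address, dst port, packet count, byte count; tab-separated is an assumption, so check a real line from your own log first) and reports flows seen in several distinct hours, always within a minute or two of the same minute past the hour. Source ports are ignored because client ephemeral ports change on every connection. The sample records are constructed, not captured from any host.

```python
"""Find flows that recur at the same minute past every hour in an accounting log.

Added example; the record layout below is an assumption modelled on the field
list in the reply above, not a guarantee about real nacctd output.
"""
from collections import defaultdict
from datetime import datetime, timezone

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample log: three hours of traffic on 2021-12-27 (UTC).
# One ssh flow from 10.0.0.1 to 10.0.0.2 appears at 10:11, 11:11 and 12:12;
# the DNS and 8006 (PVE web UI) records are noise at unrelated minutes.
SAMPLE_LOG = (
    "1640599860\t6\t10.0.0.1\t41000\t10.0.0.2\t22\t120\t98000\n"
    "1640601900\t17\t10.0.0.1\t53000\t10.0.0.53\t53\t2\t180\n"
    "1640601900\t6\t10.0.0.7\t50000\t10.0.0.1\t8006\t40\t20000\n"
    "1640603460\t6\t10.0.0.1\t41002\t10.0.0.2\t22\t118\t97500\n"
    "1640604600\t17\t10.0.0.1\t53001\t10.0.0.53\t53\t2\t190\n"
    "1640606700\t17\t10.0.0.1\t53002\t10.0.0.53\t53\t2\t185\n"
    "1640607120\t6\t10.0.0.1\t41004\t10.0.0.2\t22\t121\t99000\n"
)


def parse_record(line):
    """Split one accounting line into a dict; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, proto, src, sport, dst, dport, pkts, nbytes = line.split("\t")[:8]
    return {
        "when": datetime.fromtimestamp(int(ts), tz=timezone.utc),
        "proto": PROTO_NAMES.get(int(proto), proto),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "packets": int(pkts), "bytes": int(nbytes),
    }


def find_hourly_flows(log_text, min_hours=3, minute_tolerance=1):
    """Return flows (src, dst, dport, proto) seen in at least `min_hours`
    distinct hours whose minute-of-hour values all lie within
    `minute_tolerance` of each other. A flow that fires every few minutes
    (DNS here) has a wide minute spread and is excluded; a flow seen in a
    single hour is excluded by `min_hours`. Minutes that straddle :00
    (e.g. :59 and :00) are not folded together by this simple check.
    """
    seen = defaultdict(list)  # (src, dst, dport, proto) -> [(hour, minute, bytes)]
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
        hour = rec["when"].strftime("%Y-%m-%d %H")
        seen[key].append((hour, rec["when"].minute, rec["bytes"]))

    results = []
    for (src, dst, dport, proto), hits in seen.items():
        hours = {h for h, _, _ in hits}
        minutes = [m for _, m, _ in hits]
        if len(hours) < min_hours or max(minutes) - min(minutes) > minute_tolerance:
            continue
        results.append({
            "src": src, "dst": dst, "dport": dport, "proto": proto,
            "hours": len(hours),
            "minute": min(minutes),
            "bytes": sum(b for _, _, b in hits),
        })
    results.sort(key=lambda r: -r["bytes"])  # biggest talker first
    return results


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/net-acct/<file>").read() on a real host.
    for r in find_hourly_flows(SAMPLE_LOG):
        print(f"{r['src']} -> {r['dst']}:{r['dport']}/{r['proto']} "
              f"at :{r['minute']:02d} in {r['hours']} hours, {r['bytes']} bytes")
```

Running it on the sample prints the single ssh flow at :11; on a real log, the source address and destination port of the surviving flow tell you which container or service on PVE1 to look at next, and the byte count tells you whether it is a heartbeat or a data transfer.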