Monitoring internet traffic
I'm using Suse 10.2.
Since a couple of days something has been downloading something from
the internet at about 25-30 kilobytes/s, constantly, without
interruption, for dozens of hours in total now. I see this from gkrellm.
(This would mean that it has downloaded over 2 gigabytes by now.)
However, I haven't the faintest idea of what it could be. It's
annoying, it's robbing me of a good chunk of my connection, and I want
to know what it is.
But how? I have closed all possible programs, to no avail. I installed
ntop in the hopes that it would tell me which programs are connecting to
the net, to no avail (ntop just seems to produce some pie charts about
general net usage, but not a list of processes connecting to the net).
What next? Any suggestions?
Re: Monitoring internet traffic
Juha Nieminen wrote:
> I'm using Suse 10.2.
>
> Since a couple of days something has been downloading something from
> the internet at about 25-30 kilobytes/s, constantly, without
> interruption, for dozens of hours in total now. I see this from gkrellm.
> (This would mean that it has downloaded over 2 gigabytes by now.)
>
> However, I haven't the faintest idea of what it could be. It's
> annoying, it's robbing me of a good chunk of my connection, and I want
> to know what it is.
>
> But how? I have closed all possible programs, to no avail. I installed
> ntop in the hopes that it would tell me which programs are connecting to
> the net, to no avail (ntop just seems to produce some pie charts about
> general net usage, but not a list of processes connecting to the net).
> What next? Any suggestions?
Look up the documentation of the command 'lsof' (man lsof).
It lists "open files" and the processes they belong to, but sockets are
also treated as files. With the command line switches, you get all
sockets and the programs they have been opened from.
Another useful command is 'iftop'. However, it's not installed by
default. "sudo zypper install iftop" should take care of that. 'iftop'
lists all IPs you are connected to. It doesn't list processes, but the
IPs the traffic goes to/comes from are always useful as a clue.
Re: Monitoring internet traffic
Juha Nieminen wrote:
> I'm using Suse 10.2.
>
> Since a couple of days something has been downloading something from
> the internet at about 25-30 kilobytes/s, constantly, without
> interruption, for dozens of hours in total now. I see this from gkrellm.
> (This would mean that it has downloaded over 2 gigabytes by now.)
>
> However, I haven't the faintest idea of what it could be. It's
> annoying, it's robbing me of a good chunk of my connection, and I want
> to know what it is.
>
> But how? I have closed all possible programs, to no avail. I installed
> ntop in the hopes that it would tell me which programs are connecting to
> the net, to no avail (ntop just seems to produce some pie charts about
> general net usage, but not a list of processes connecting to the net).
> What next? Any suggestions?
I like wireshark for a nice gui. You can watch the traffic on any interface
in real time. Click on any suspicious packet and you'll get a detailed
description of what precisely is going on...
Re: Monitoring internet traffic
Nikos Chantziaras <realnc@arcor.de> wrote:
>Juha Nieminen wrote:
>> I'm using Suse 10.2.
>>
>> Since a couple of days something has been downloading something from
>> the internet at about 25-30 kilobytes/s, constantly, without
>> interruption, for dozens of hours in total now. I see this from gkrellm.
>> (This would mean that it has downloaded over 2 gigabytes by now.)
>>
>> However, I haven't the faintest idea of what it could be. It's
>> annoying, it's robbing me of a good chunk of my connection, and I want
>> to know what it is.
>>
>> But how? I have closed all possible programs, to no avail. I installed
>> ntop in the hopes that it would tell me which programs are connecting to
>> the net, to no avail (ntop just seems to produce some pie charts about
>> general net usage, but not a list of processes connecting to the net).
>> What next? Any suggestions?
>Look up the documentation of the command 'lsof' (man lsof).
>It lists "open files" and the processes they belong to, but sockets are
>also treated as files. With the command line switches, you get all
>sockets and the programs they have been opened from.
>Another useful command is 'iftop'. However, it's not installed by
>default. "sudo zypper install iftop" should take care of that. 'iftop'
>lists all IPs you are connected to. It doesn't list processes, but the
>IPs the traffic goes to/comes from are always useful as a clue.
I believe that 'netstat' does the same thing and it is installed
by default. It lists much more than just connections so one should
run it through 'less' perhaps like >netstat | less
--
--- Paul J. Gans
Re: Monitoring internet traffic
Paul J Gans wrote:
> Nikos Chantziaras <realnc@arcor.de> wrote:
>> Another useful command is 'iftop'. However, it's not installed by
>> default. "sudo zypper install iftop" should take care of that. 'iftop'
>> lists all IPs you are connected to. It doesn't list processes, but the
>> IPs the traffic goes to/comes from are always useful as a clue.
>
> I believe that 'netstat' does the same thing and it is installed
> by default. It lists much more than just connections so one should
> run it through 'less' perhaps like >netstat | less
iftop is dynamic/real-time with a curses interface.
Re: Monitoring internet traffic
Michael Soibelman wrote:
> Juha Nieminen wrote:
>
>> I'm using Suse 10.2.
>>
>> Since a couple of days something has been downloading something from
>> the internet at about 25-30 kilobytes/s, constantly, without
>> interruption, for dozens of hours in total now. I see this from gkrellm.
>> (This would mean that it has downloaded over 2 gigabytes by now.)
>>
>> However, I haven't the faintest idea of what it could be. It's
>> annoying, it's robbing me of a good chunk of my connection, and I want
>> to know what it is.
>>
>> But how? I have closed all possible programs, to no avail. I installed
>> ntop in the hopes that it would tell me which programs are connecting to
>> the net, to no avail (ntop just seems to produce some pie charts about
>> general net usage, but not a list of processes connecting to the net).
>> What next? Any suggestions?
>
> I like wireshark for a nice gui. You can watch the traffic on any interface
> in real time. Click on any suspicious packet and you'll get a detailed
> description of what precisely is going on...
I've used the open source product ethereal (www.ethereal.com) to do the
same type of monitoring, though I tend to take five minute 'samples'
that allow me to take a closer look at exactly what is going on.
Re: Monitoring internet traffic
On Fri, 14 Mar 2008, class_a wrote:-
>Michael Soibelman wrote:
>> I like wireshark for a nice gui. You can watch the traffic on any interface
>> in real time. Click on any suspicious packet and you'll get a detailed
>> description of what precisely is going on...
>
>I've used the open source product ethereal (www.ethereal.com) to do the
>same type of monitoring, though I tend to take five minute 'samples'
>that allow me to take a closer look at exactly what is going on.
You do know that Ethereal was renamed as Wireshark going on for a couple
of years ago[0] don't you?
[0] <URL:http://www.wireshark.org/news/20060607.html>
Regards,
David Bolt
--
www.davjam.org/lifetype/ www.distributed.net: OGR@100Mnodes, RC5-72@15Mkeys
SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a1
SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC |RISC OS 3.11
Re: Monitoring internet traffic
David Bolt wrote:
> On Fri, 14 Mar 2008, class_a wrote:-
>
>> Michael Soibelman wrote:
>
>>> I like wireshark for a nice gui. You can watch the traffic on any interface
>>> in real time. Click on any suspicious packet and you'll get a detailed
>>> description of what precisely is going on...
>> I've used the open source product ethereal (www.ethereal.com) to do the
>> same type of monitoring, though I tend to take five minute 'samples'
>> that allow me to take a closer look at exactly what is going on.
>
> You do know that Ethereal was renamed as Wireshark going on for a couple
> of years ago[0] don't you?
>
>
> [0] <URL:http://www.wireshark.org/news/20060607.html>
And why doesn't ethereal.com say anything about this? Nice project
leader that one. Maybe he considers it as an unimportant "detail" or
something.
Re: Monitoring internet traffic
On Fri, 14 Mar 2008 22:15:54 +0200, Nikos Chantziaras wrote:
> David Bolt wrote:
>> On Fri, 14 Mar 2008, class_a wrote:-
>>
>>> Michael Soibelman wrote:
>>
>>>> I like wireshark for a nice gui. You can watch the traffic on any
>>>> interface in real time. Click on any suspicious packet and you'll
>>>> get a detailed description of what precisely is going on...
>>> I've used the open source product ethereal (www.ethereal.com) to do
>>> the same type of monitoring, though I tend to take five minute
>>> 'samples' that allow me to take a closer look at exactly what is going
>>> on.
>>
>> You do know that Ethereal was renamed as Wireshark going on for a
>> couple of years ago[0] don't you?
>>
>>
>> [0] <URL:http://www.wireshark.org/news/20060607.html>
>
> And why doesn't ethereal.com say anything about this? Nice project
> leader that one. Maybe he considers it as an unimportant "detail" or
> something.
Because the owners of ethereal.com don't want you to use wireshark
instead. The sordid story is at
http://en.wikipedia.org/wiki/Wireshark
Re: Monitoring internet traffic
Juha Nieminen wrote:
> However, I haven't the faintest idea of what it could be. It's
> annoying, it's robbing me of a good chunk of my connection, and I want
> to know what it is.
>
> What next? Any suggestions?
Also check out 'iptraf', and 'netstat -tupn'
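Putting the netstat/lsof advice from this thread into a small script, as an added example that is not code from any poster: it feeds a constructed `netstat -tupn` listing (hypothetical PIDs and program names, RFC 5737 documentation addresses) through two shell functions, one that counts distinct remote hosts per process so the chattiest program stands out, and one that names the process behind any socket talking to a given remote host (the way you would look up a single suspicious peer). On a live system replace the sample with `netstat -tupn` run as root; `lsof -i -n -P` gives the same socket-to-process mapping.

```shell
#!/bin/sh
# Added example: summarise 'netstat -tupn' output per process.
# SAMPLE_NETSTAT is a constructed listing (hypothetical PIDs/program names,
# RFC 5737 addresses) so the script runs offline. On a real box use:
#   sudo netstat -tupn | peers_per_process
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:43522      203.0.113.45:80         ESTABLISHED 2311/firefox
tcp        0      0 192.168.1.10:51004      198.51.100.7:6881       ESTABLISHED 4021/bt-client
tcp        0      0 192.168.1.10:51005      198.51.100.8:6881       ESTABLISHED 4021/bt-client
tcp        0      0 192.168.1.10:51006      198.51.100.7:6881       ESTABLISHED 4021/bt-client
udp        0      0 192.168.1.10:6881       198.51.100.9:6881                   4021/bt-client
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1010/dhcpcd
tcp        0      0 192.168.1.10:22         192.168.1.20:50112      ESTABLISHED 1187/sshd'

# peers_per_process: read netstat -tupn output on stdin and print
# "<distinct remote hosts> <PID/program>" lines, busiest process first.
# Banner/header lines and unconnected sockets (foreign address ending in
# ':*') are skipped. The PID/program column is always the last field,
# which keeps tcp lines (with State) and udp lines (without) aligned.
# The ":port" suffix is stripped with sub(/:[^:]*$/, ...), which also
# works for IPv6 because only the final colon-separated part is removed.
peers_per_process() {
    awk '$1 ~ /^(tcp|udp)/ && $5 !~ /:\*$/ {
            h = $5; sub(/:[^:]*$/, "", h)
            key = $NF SUBSEP h
            if (!(key in seen)) { seen[key] = 1; n[$NF]++ }
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# conns_to_host HOST: print the PID/program of every socket whose remote
# side is HOST, one per line, deduplicated.
conns_to_host() {
    awk -v host="$1" '$1 ~ /^(tcp|udp)/ {
            h = $5; sub(/:[^:]*$/, "", h)
            if (h == host) print $NF
         }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | peers_per_process
printf '%s\n' "$SAMPLE_NETSTAT" | conns_to_host 198.51.100.7
```

The per-process count is a better first clue than raw byte rates: a constant download from many changing peers shows up as one program with a long list of distinct remote hosts, while a browser or ssh session sits at one or two.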
Re: Monitoring internet traffic
David Bolt wrote:
> On Fri, 14 Mar 2008, class_a wrote:-
>
>> Michael Soibelman wrote:
>
>>> I like wireshark for a nice gui. You can watch the traffic on any interface
>>> in real time. Click on any suspicious packet and you'll get a detailed
>>> description of what precisely is going on...
>> I've used the open source product ethereal (www.ethereal.com) to do the
>> same type of monitoring, though I tend to take five minute 'samples'
>> that allow me to take a closer look at exactly what is going on.
>
> You do know that Ethereal was renamed as Wireshark going on for a couple
> of years ago[0] don't you?
>
>
> [0] <URL:http://www.wireshark.org/news/20060607.html>
Actually I didn't! I've just continued to use an old install of
Ethereal I have here. I guess I should load/update to wireshark to see
what new features have been added.
Re: Monitoring internet traffic
In article <freaie$rd8$1@volcano1.grnet.gr>, Nikos Chantziaras wrote:
> Juha Nieminen wrote:
>> I'm using Suse 10.2.
>>
>> Since a couple of days something has been downloading something from
>> the internet at about 25-30 kilobytes/s, constantly, without
>> interruption, for dozens of hours in total now. I see this from gkrellm.
>> (This would mean that it has downloaded over 2 gigabytes by now.)
>>
Offhand I would probably recommend ethereal as well to have a look at what is
coming in. I'm no net expert, but ethereal provides a lot of useful
information.
Re: Monitoring internet traffic
Thanks for the suggestions.
It seems that a machine with an IP address otherwise similar to mine,
except ending in .250 (does this have any special meaning?) is
constantly sending packets to diverse addresses around the world, and
for some reason they are arriving at my computer.
I don't even understand why these packets are arriving at my computer,
given that their source and destination IP addresses have nothing to do
with my own (except that the source is in the same subnet as me).
Re: Monitoring internet traffic
Michael Soibelman wrote:
> I like wireshark for a nice gui.
I installed it with yast's installer, but I can't make it work. If I
run it with my own account, it cannot capture any traffic (just as tcpdump
can't). If I run it with "sudo" or from the K-Menu directly (in which
case it asks for the root password), it says
(wireshark:17405): Gtk-WARNING **: cannot open display:
Re: Monitoring internet traffic
Juha Nieminen wrote:
> Michael Soibelman wrote:
>> I like wireshark for a nice gui.
>
> I installed it with yast's installer, but I can't make it work. If I
> run it with my own account, it cannot capture any traffic (just as tcpdump
> can't). If I run it with "sudo" or from the K-Menu directly (in which
> case it asks for the root password), it says
>
> (wireshark:17405): Gtk-WARNING **: cannot open display:
Open a terminal and type `sux -`. Then run it as root.
houghi
--
If God doesn't destroy Hollywood Boulevard, he owes Sodom and
Gomorrah an apology.
Re: Monitoring internet traffic
Juha Nieminen wrote:
> Thanks for the suggestions.
>
> It seems that a machine with an IP address otherwise similar to mine,
> except ending in .250 (does this have any special meaning?) is
> constantly sending packets to diverse addresses around the world, and
> for some reason they are arriving at my computer.
>
> I don't even understand why these packets are arriving at my computer,
> given that their source and destination IP addresses have nothing to do
> with my own (except that the source is in the same subnet as me).
.250 has no special meaning.
The traffic sounds vaguely like P2P, but your system should not see it
unless perhaps your netmask is too narrow (e.g., /16 instead of /24)
What is the output of the command "ip addr show"?
Re: Monitoring internet traffic
Gary Gapinski wrote:
> The traffic sounds vaguely like P2P, but your system should not see it
> unless perhaps your netmask is too narrow (e.g., /16 instead of /24)
Or (I just realized) you ran Wireshark in promiscuous mode. However, you
should normally (i.e., when not in promiscuous mode) not see any traffic
other than that specifically for your address or broadcast addresses.
>
> What is the output of the command "ip addr show"?
Which, I find, does not indicate if promiscuous mode is enabled. Neither
does ifconfig -a.
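Two checks for the explanations Gary raises in this post and the one before it, written here as an added example rather than taken from any poster. The first reads the interface flags word (on Linux, `/sys/class/net/<if>/flags`; its IFF_PROMISC bit is 0x100) and reports whether the card is in promiscuous mode, which, as noted above, `ip addr show` may not display; the second tests whether a remote address falls inside your own subnet for a given prefix length, so a /16 versus /24 slip is visible without reading the mask by eye. The interface name and the sample addresses (RFC 5737 documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example: promiscuous-mode and subnet checks (helpers are mine).

IFF_PROMISC=256   # 0x100: the IFF_PROMISC bit of the interface flags word

# is_promisc FLAGS: succeed if the promiscuous bit is set in FLAGS, a hex
# or decimal flags word such as the contents of /sys/class/net/eth0/flags.
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_status IF: print "IF: promiscuous" or "IF: normal" for a live
# interface, reading the kernel's flags word from sysfs.
promisc_status() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || {
        echo "$1: no such interface"; return 2; }
    if is_promisc "$flags"; then echo "$1: promiscuous"; else echo "$1: normal"; fi
}

# ip_to_int A.B.C.D: print the dotted quad as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP LOCAL_IP PREFIX: succeed if IP and LOCAL_IP share the same
# /PREFIX network (IPv4 only). A too-wide mask such as /16 makes far more
# addresses look "local" than a /24 does.
in_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Stand-alone demonstration with constructed values (RFC 5737 addresses).
is_promisc 0x1103 && echo "flags 0x1103: promiscuous"
is_promisc 0x1003 || echo "flags 0x1003: normal"
in_subnet 192.0.2.250 192.0.2.17 24 && echo "192.0.2.250 is in 192.0.2.17/24"
in_subnet 198.51.100.250 192.0.2.17 24 || echo "198.51.100.250 is not in 192.0.2.17/24"
```

A capture tool that has put the card into promiscuous mode also leaves a "device eth0 entered promiscuous mode" line in the kernel log, so `dmesg | grep -i promisc` is a second place to look when the sysfs bit is ambiguous. If the bit is clear and the far host is outside your /24, traffic from it that still reaches your interface is arriving from the network side rather than being something your own machine asked for.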
Re: Monitoring internet traffic
Gary Gapinski wrote:
> Juha Nieminen wrote:
>> Thanks for the suggestions.
>>
>> It seems that a machine with an IP address otherwise similar to mine,
>> except ending in .250 (does this have any special meaning?) is
>> constantly sending packets to diverse addresses around the world, and
>> for some reason they are arriving at my computer.
>>
>> I don't even understand why these packets are arriving at my computer,
>> given that their source and destination IP addresses have nothing to do
>> with my own (except that the source is in the same subnet as me).
>
>
> .250 has no special meaning.
Indeed. If the address is 85.194.211.250, then it is
d85-194-211-250.cust.wlannet.com, so just another customer.
Some guessing: you have dynamic IP addresses and one of you or both use
dynamic DNS and something goes wrong there.
houghi
--
If God doesn't destroy Hollywood Boulevard, he owes Sodom and
Gomorrah an apology.
Re: Monitoring internet traffic
Gary Gapinski wrote:
> The traffic sounds vaguely like P2P, but your system should not see it
> unless perhaps your netmask is too narrow (e.g., /16 instead of /24)
>
> What is the output of the command "ip addr show"?
It says /24.
Re: Monitoring internet traffic
Gary Gapinski wrote:
> Or (I just realized) you ran Wireshark in promiscuous mode. However, you
> should normally (i.e., when not in promiscuous mode) not see any traffic
> other than that specifically for your address or broadcast addresses.
Hiding the traffic not addressed directly to me in the traffic
monitoring software wouldn't help solve the problem (which is this
traffic eating 30 kB/s of my connection).
I have contacted my ISP customer service. Let's see what they have to
say. (They have been quite competent in the past with technical problems.)
Anyways, I apologize for this somewhat off-topic thread. It has
nothing to do with Suse per se.