Monitoring internet traffic - Suse


Thread: Monitoring internet traffic

  1. Monitoring internet traffic

    I'm using Suse 10.2.

    Since a couple of days something has been downloading something from
    the internet at about 25-30 kilobytes/s, constantly, without
    interruption, for dozens of hours in total now. I see this from gkrellm.
    (This would mean that it has downloaded over 2 gigabytes by now.)

    However, I haven't the faintest idea of what it could be. It's
    annoying, it's robbing me of a good chunk of my connection, and I want
    to know what it is.

    But how? I have closed all possible programs, to no avail. I installed
    ntop in the hopes that it would tell me which programs are connecting to
    the net, to no avail (ntop just seems to produce some pie charts about
    general net usage, but not a list of processes connecting to the net).
    What next? Any suggestions?

  2. Re: Monitoring internet traffic

    Juha Nieminen wrote:
    > I'm using Suse 10.2.
    >
    > Since a couple of days something has been downloading something from
    > the internet at about 25-30 kilobytes/s, constantly, without
    > interruption, for dozens of hours in total now. I see this from gkrellm.
    > (This would mean that it has downloaded over 2 gigabytes by now.)
    >
    > However, I haven't the faintest idea of what it could be. It's
    > annoying, it's robbing me of a good chunk of my connection, and I want
    > to know what it is.
    >
    > But how? I have closed all possible programs, to no avail. I installed
    > ntop in the hopes that it would tell me which programs are connecting to
    > the net, to no avail (ntop just seems to produce some pie charts about
    > general net usage, but not a list of processes connecting to the net).
    > What next? Any suggestions?


    Look up the documentation of the command 'lsof' (man lsof).

    It lists "open files" and the processes they belong to, but sockets are
    also treated as files. With the command line switches, you get all
    sockets and the programs they have been opened from.

    Another useful command is 'iftop'. However, it's not installed by
    default. "sudo zypper install iftop" should take care of that. 'iftop'
    lists all IPs you are connected to. It doesn't list processes, but the
    IPs the traffic goes to/comes from are always useful as a clue.

  3. Re: Monitoring internet traffic

    Juha Nieminen wrote:

    > I'm using Suse 10.2.
    >
    > Since a couple of days something has been downloading something from
    > the internet at about 25-30 kilobytes/s, constantly, without
    > interruption, for dozens of hours in total now. I see this from gkrellm.
    > (This would mean that it has downloaded over 2 gigabytes by now.)
    >
    > However, I haven't the faintest idea of what it could be. It's
    > annoying, it's robbing me of a good chunk of my connection, and I want
    > to know what it is.
    >
    > But how? I have closed all possible programs, to no avail. I installed
    > ntop in the hopes that it would tell me which programs are connecting to
    > the net, to no avail (ntop just seems to produce some pie charts about
    > general net usage, but not a list of processes connecting to the net).
    > What next? Any suggestions?


    I like wireshark for a nice gui. You can watch the traffic on any interface
    in real time. Click on any suspicious packet and you'll get a detailed
    description of what precisely is going on...

  4. Re: Monitoring internet traffic

    Nikos Chantziaras wrote:
    >Juha Nieminen wrote:
    >> I'm using Suse 10.2.
    >>
    >> Since a couple of days something has been downloading something from
    >> the internet at about 25-30 kilobytes/s, constantly, without
    >> interruption, for dozens of hours in total now. I see this from gkrellm.
    >> (This would mean that it has downloaded over 2 gigabytes by now.)
    >>
    >> However, I haven't the faintest idea of what it could be. It's
    >> annoying, it's robbing me of a good chunk of my connection, and I want
    >> to know what it is.
    >>
    >> But how? I have closed all possible programs, to no avail. I installed
    >> ntop in the hopes that it would tell me which programs are connecting to
    >> the net, to no avail (ntop just seems to produce some pie charts about
    >> general net usage, but not a list of processes connecting to the net).
    >> What next? Any suggestions?


    >Look up the documentation of the command 'lsof' (man lsof).


    >It lists "open files" and the processes they belong to, but sockets are
    >also treated as files. With the command line switches, you get all
    >sockets and the programs they have been opened from.


    >Another useful command is 'iftop'. However, it's not installed by
    >default. "sudo zypper install iftop" should take care of that. 'iftop'
    >lists all IPs you are connected to. It doesn't list processes, but the
    >IPs the traffic goes to/comes from are always useful as a clue.


    I believe that 'netstat' does the same thing and it is installed
    by default. It lists much more than just connections so one should
    run it through 'less' perhaps like >netstat | less

    --
    --- Paul J. Gans

  5. Re: Monitoring internet traffic

    Paul J Gans wrote:
    > Nikos Chantziaras wrote:
    >> Another useful command is 'iftop'. However, it's not installed by
    >> default. "sudo zypper install iftop" should take care of that. 'iftop'
    >> lists all IPs you are connected to. It doesn't list processes, but the
    >> IPs the traffic goes to/comes from are always useful as a clue.

    >
    > I believe that 'netstat' does the same thing and it is installed
    > by default. It lists much more than just connections so one should
    > run it through 'less' perhaps like >netstat | less


    iftop is dynamic/real-time with a curses interface.

  6. Re: Monitoring internet traffic

    Michael Soibelman wrote:
    > Juha Nieminen wrote:
    >
    >> I'm using Suse 10.2.
    >>
    >> Since a couple of days something has been downloading something from
    >> the internet at about 25-30 kilobytes/s, constantly, without
    >> interruption, for dozens of hours in total now. I see this from gkrellm.
    >> (This would mean that it has downloaded over 2 gigabytes by now.)
    >>
    >> However, I haven't the faintest idea of what it could be. It's
    >> annoying, it's robbing me of a good chunk of my connection, and I want
    >> to know what it is.
    >>
    >> But how? I have closed all possible programs, to no avail. I installed
    >> ntop in the hopes that it would tell me which programs are connecting to
    >> the net, to no avail (ntop just seems to produce some pie charts about
    >> general net usage, but not a list of processes connecting to the net).
    >> What next? Any suggestions?

    >
    > I like wireshark for a nice gui. You can watch the traffic on any interface
    > in real time. Click on any suspicious packet and you'll get a detailed
    > description of what precisely is going on...


    I've used the open source product ethereal (www.ethereal.com) to do the
    same type of monitoring, though I tend to take five minute 'samples'
    that allow me to take a closer look at exactly what is going on.

  7. Re: Monitoring internet traffic

    On Fri, 14 Mar 2008, class_a wrote:-

    >Michael Soibelman wrote:


    >> I like wireshark for a nice gui. You can watch the traffic on any interface
    >> in real time. Click on any suspicious packet and you'll get a detailed
    >> description of what precisely is going on...

    >
    >I've used the open source product ethereal (www.ethereal.com) to do the
    >same type of monitoring, though I tend to take five minute 'samples'
    >that allow me to take a closer look at exactly what is going on.


    You do know that Ethereal was renamed as Wireshark going on for a couple
    of years ago[0] don't you?


    [0]

    Regards,
    David Bolt

    --
    www.davjam.org/lifetype/ www.distributed.net: OGR@100Mnodes, RC5-72@15Mkeys
    SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a1
    SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
    RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC |RISC OS 3.11

  8. Re: Monitoring internet traffic

    David Bolt wrote:
    > On Fri, 14 Mar 2008, class_a wrote:-
    >
    >> Michael Soibelman wrote:

    >
    >>> I like wireshark for a nice gui. You can watch the traffic on any interface
    >>> in real time. Click on any suspicious packet and you'll get a detailed
    >>> description of what precisely is going on...

    >> I've used the open source product ethereal (www.ethereal.com) to do the
    >> same type of monitoring, though I tend to take five minute 'samples'
    >> that allow me to take a closer look at exactly what is going on.

    >
    > You do know that Ethereal was renamed as Wireshark going on for a couple
    > of years ago[0] don't you?
    >
    >
    > [0]


    And why doesn't ethereal.com say anything about this? Nice project
    leader that one. Maybe he considers it as an unimportant "detail" or
    something.

  9. Re: Monitoring internet traffic

    On Fri, 14 Mar 2008 22:15:54 +0200, Nikos Chantziaras wrote:

    > David Bolt wrote:
    >> On Fri, 14 Mar 2008, class_a wrote:-
    >>
    >>> Michael Soibelman wrote:

    >>
    >>>> I like wireshark for a nice gui. You can watch the traffic on any
    >>>> interface in real time. Click on any suspicious packet and you'll
    >>>> get a detailed description of what precisely is going on...
    >>> I've used the open source product ethereal (www.ethereal.com) to do
    >>> the same type of monitoring, though I tend to take five minute
    >>> 'samples' that allow me to take a closer look at exactly what is going
    >>> on.

    >>
    >> You do know that Ethereal was renamed as Wireshark going on for a
    >> couple of years ago[0] don't you?
    >>
    >>
    >> [0]

    >
    > And why doesn't ethereal.com say anything about this? Nice project
    > leader that one. Maybe he considers it as an unimportant "detail" or
    > something.


    Because the owners of ethereal.com don't want you to use wireshark
    instead. The sordid story is at

    http://en.wikipedia.org/wiki/Wireshark

  10. Re: Monitoring internet traffic

    Juha Nieminen wrote:
    > However, I haven't the faintest idea of what it could be. It's
    > annoying, it's robbing me of a good chunk of my connection, and I want
    > to know what it is.
    >
    > What next? Any suggestions?



    Also check out 'iptraf', and 'netstat -tupn'
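
    An added example, not code from the thread: a small POSIX shell script that combines two of the suggestions above, measuring the real receive rate of an interface from the kernel's byte counters in /proc/net/dev and then listing every socket with the process that owns it (`netstat -tupn` as suggested in the thread, or `ss -tupn` on systems that have replaced netstat). The interface name, the sample length and the `ss` fallback are assumptions.

```shell
#!/bin/sh
# Added example for the thread above (not the thread's own code).
# Step 1: how fast is the interface really receiving?
# Step 2: which process owns each open socket?

# rx_bytes SNAPSHOT IFACE: receive-byte counter for IFACE from a copy of
# /proc/net/dev. Old kernels print "eth0:12345" with no space after the
# colon, so the colon is turned into a separator before parsing.
rx_bytes() {
    sed 's/^ *//; s/:/ /' "$1" | awk -v ifc="$2" '$1 == ifc { print $2; exit }'
}

# rx_rate_kbps SNAP1 SNAP2 IFACE SECONDS: kilobytes (1024 bytes) received
# per second between two snapshots taken SECONDS apart. Fails if the
# interface is not present in both snapshots.
rx_rate_kbps() {
    a=$(rx_bytes "$1" "$3"); b=$(rx_bytes "$2" "$3")
    [ -n "$a" ] && [ -n "$b" ] || { echo "no such interface: $3" >&2; return 1; }
    echo $(( (b - a) / 1024 / $4 ))
}

# sample_rate IFACE SECONDS: take two live snapshots SECONDS apart.
sample_rate() {
    s1=$(mktemp) && s2=$(mktemp) || return 1
    cat /proc/net/dev > "$s1"; sleep "$2"; cat /proc/net/dev > "$s2"
    rx_rate_kbps "$s1" "$s2" "$1" "$2"
    rm -f "$s1" "$s2"
}

# sockets_with_owners: established TCP/UDP sockets with PID/program name.
# Run as root, otherwise only your own processes are shown. Prefers ss
# (assumed fallback), otherwise the netstat -tupn from the thread.
sockets_with_owners() {
    if command -v ss >/dev/null 2>&1; then ss -tupn; else netstat -tupn; fi
}

# Usage: sh findtraffic.sh eth0 5
if [ $# -eq 2 ]; then
    echo "receive rate on $1: $(sample_rate "$1" "$2") kB/s"
    sockets_with_owners
fi
```

A rate that stays near 25-30 kB/s while the socket list shows nothing owned by a local process points at traffic that is reaching the interface without a local endpoint, which is what the later posts in the thread go on to discuss.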

  11. Re: Monitoring internet traffic

    David Bolt wrote:
    > On Fri, 14 Mar 2008, class_a wrote:-
    >
    >> Michael Soibelman wrote:

    >
    >>> I like wireshark for a nice gui. You can watch the traffic on any interface
    >>> in real time. Click on any suspicious packet and you'll get a detailed
    >>> description of what precisely is going on...

    >> I've used the open source product ethereal (www.ethereal.com) to do the
    >> same type of monitoring, though I tend to take five minute 'samples'
    >> that allow me to take a closer look at exactly what is going on.

    >
    > You do know that Ethereal was renamed as Wireshark going on for a couple
    > of years ago[0] don't you?
    >
    >
    > [0]


    Actually I didn't! I've just continued to use an old install of
    Ethereal I have here. I guess I should load/update to wireshark to see
    what new features have been added.

  12. Re: Monitoring internet traffic

    In article , Nikos Chantziaras wrote:
    > Juha Nieminen wrote:
    >> I'm using Suse 10.2.
    >>
    >> Since a couple of days something has been downloading something from
    >> the internet at about 25-30 kilobytes/s, constantly, without
    >> interruption, for dozens of hours in total now. I see this from gkrellm.
    >> (This would mean that it has downloaded over 2 gigabytes by now.)
    >>


    Offhand I would probably recommend ethereal as well to have a look at what is
    coming in. I'm no net expert, but ethereal provides a lot of useful
    information.

  13. Re: Monitoring internet traffic

    Thanks for the suggestions.

    It seems that a machine with an IP address otherwise similar to mine,
    except ending in .250 (does this have any special meaning?) is
    constantly sending packets to diverse addresses around the world, and
    for some reason they are arriving at my computer.

    I don't even understand why these packets are arriving at my computer,
    given that their source and destination IP addresses have nothing to do
    with my own (except that the source is in the same subnet as me).

  14. Re: Monitoring internet traffic

    Michael Soibelman wrote:
    > I like wireshark for a nice gui.


    I installed it with yast's installer, but I can't make it work. If I
    run it with my own account, it cannot capture any traffic (like tcpdump
    can't). If I run it with "sudo" or from the K-Menu directly (in which
    case it asks for the root password), it says

    (wireshark:17405): Gtk-WARNING **: cannot open display:

  15. Re: Monitoring internet traffic

    Juha Nieminen wrote:
    > Michael Soibelman wrote:
    >> I like wireshark for a nice gui.

    >
    > I installed it with yast's installer, but I can't make it work. If I
    > run it with my own account, it cannot capture any traffic (like tcpdump
    > can't). If I run it with "sudo" or from the K-Menu directly (in which
    > case it asks for the root password), it says
    >
    > (wireshark:17405): Gtk-WARNING **: cannot open display:


    Open a terminal and type `sux -`. Then run it as root.

    houghi
    --
    If God doesn't destroy Hollywood Boulevard, he owes Sodom and
    Gomorrah an apology.

  16. Re: Monitoring internet traffic

    Juha Nieminen wrote:
    > Thanks for the suggestions.
    >
    > It seems that a machine with an IP address otherwise similar to mine,
    > except ending in .250 (does this have any special meaning?) is
    > constantly sending packets to diverse addresses around the world, and
    > for some reason they are arriving at my computer.
    >
    > I don't even understand why these packets are arriving at my computer,
    > given that their source and destination IP addresses have nothing to do
    > with my own (except that the source is in the same subnet as me).



    .250 has no special meaning.

    The traffic sounds vaguely like P2P, but your system should not see it
    unless perhaps your netmask is too narrow (e.g., /16 instead of /24)

    What is the output of the command "ip addr show"?

  17. Re: Monitoring internet traffic

    Gary Gapinski wrote:
    > The traffic sounds vaguely like P2P, but your system should not see it
    > unless perhaps your netmask is too narrow (e.g., /16 instead of /24)



    Or (I just realized) you ran Wireshark in promiscuous mode. However, you
    should normally (i.e., when not in promiscuous mode) not see any traffic
    other than that specifically for your address or broadcast addresses.


    >
    > What is the output of the command "ip addr show"?



    Which, I find, does not indicate if promiscuous mode is enabled. Neither
    does ifconfig -a.

  18. Re: Monitoring internet traffic

    Gary Gapinski wrote:
    > Juha Nieminen wrote:
    >> Thanks for the suggestions.
    >>
    >> It seems that a machine with an IP address otherwise similar to mine,
    >> except ending in .250 (does this have any special meaning?) is
    >> constantly sending packets to diverse addresses around the world, and
    >> for some reason they are arriving at my computer.
    >>
    >> I don't even understand why these packets are arriving at my computer,
    >> given that their source and destination IP addresses have nothing to do
    >> with my own (except that the source is in the same subnet as me).

    >
    >
    > .250 has no special meaning.


    Indeed. If the address is 85.194.211.250, then it is
    d85-194-211-250.cust.wlannet.com, so just another customer.

    Some guessing. You have dynamic IP addresses and one of you or both use
    dynamic DNS and something goes wrong there.

    houghi
    --
    If God doesn't destroy Hollywood Boulevard, he owes Sodom and
    Gomorrah an apology.

  19. Re: Monitoring internet traffic

    Gary Gapinski wrote:
    > The traffic sounds vaguely like P2P, but your system should not see it
    > unless perhaps your netmask is too narrow (e.g., /16 instead of /24)
    >
    > What is the output of the command "ip addr show"?


    It says /24.

  20. Re: Monitoring internet traffic

    Gary Gapinski wrote:
    > Or (I just realized) you ran Wireshark in promiscuous mode. However, you
    > should normally (i.e., when not in promiscuous mode) not see any traffic
    > other than that specifically for your address or broadcast addresses.


    Hiding the traffic not addressed directly to me in the traffic
    monitoring software wouldn't help solve the problem (which is this
    traffic eating 30 kB/s of my connection).

    I have contacted my ISP customer service. Let's see what they have to
    say. (They have been quite competent in the past with technical problems.)

    Anyways, I apologize for this somewhat off-topic thread. It has
    nothing to do with Suse per se.
