Re: Unknown network traffic (Conclusion)
> I've tried all the network bandwidth monitoring tools that I know to find
> out the unknown network traffic I'm having now . . .
As for tools to further analyze the traffic,
Both Allen Kistler @gmail.com & Javier Barroso @comp.os.linux.networking
suggested tcpdump and wireshark, which are pretty much the standard tools
for capturing and dissecting traffic.
Chris Davies @comp.os.linux.networking suggested tshark (the console version
of wireshark) and showed its usage as well (thanks!):
tshark -nlp -i eth0
James Youngman @gnu.org suggested running
tcpdup -n -i eth0
although I didn't find where the executable comes from.
> My normal network bandwidth is almost 0. Now, with 1.95Kb outbound and
> 4.71Kb inbound, I don't know what's exactly going on with my network.
As for analyzing the cause of the unknown traffic,
> bps % desc
> 107.2 0% icmp unreach port 192.168.0.100 -> 119.40.7.39
> 107.2 0% icmp unreach port 192.168.0.100 -> 122-121-216-117
> 107.2 0% icmp unreach port 192.168.0.100 -> 17
> 107.2 0% icmp unreach port 192.168.0.100 -> 220-136-240-189
> 108.5 0% icmp unreach port 192.168.0.100 -> 227
> 105.4 0% icmp unreach port 192.168.0.100 -> 77.81.248.210
> 105.4 0% icmp unreach port 192.168.0.100 -> 83-157-127-150
> . . .
Both James Youngman @gnu.org and Eric Pozharski @comp.os.linux.networking
explained the actual meaning of "icmp unreach port":
... these ICMP port-unreachable errors indicate that the remote systems are
trying to communicate with a network port you're not listening on.
... those hosts attempt to open a port on your address...; then, since you
(supposedly) don't have those services enabled on your host, your kernel
REJECTs them (that's what "icmp unreach port" means).
Knowing this, I feel much relieved.
> First of all, these are very small numbers. This almost certainly is
> not a summary of what's using up all your bandwidth (if that's indeed
> happening).
The explanation for this is that I didn't list all the traffic. There are
many more, and they do add up to all my bandwidth.
The actual reason, I think, is that I've used a Bittorrent client
before. But it was *hours* before -- didn't expect the Bittorrent clients
on the other side were so persistent...
Thanks again to everybody!
Cheers
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
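The "icmp unreach port" lines above only name the two hosts; the ICMP message itself carries more, because the kernel quotes the IP header and first 8 bytes of the datagram it rejected. The following Python script is an added example (not code from this thread or from any of the tools named in it) that decodes such ICMP Destination Unreachable / Port Unreachable messages (type 3, code 3), verifies the ICMP checksum, and reports which remote host tried to reach which closed local port and protocol, then tallies them per peer. The packets it decodes are constructed in the script itself using the two addresses from the posted summary; the port numbers are assumed values chosen for the example.

```python
"""Decode ICMP "port unreachable" replies to see which closed local port the
remote peers were aiming at.  Added example; packets below are constructed."""
import ipaddress
import struct
from collections import Counter

ICMP_TYPE_DEST_UNREACH = 3
ICMP_CODE_PORT_UNREACH = 3
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def port_unreachable_reply(local: str, remote: str, local_port: int,
                           remote_port: int, proto: int = PROTO_UDP) -> bytes:
    """Build the ICMP message 'local' sends when 'remote' hits a closed port.
    The ICMP body quotes the rejected datagram: its IP header + 8 bytes."""
    quoted_l4 = struct.pack("!HHHH", remote_port, local_port, 8, 0)  # UDP hdr
    quoted = ipv4_header(remote, local, proto, 8) + quoted_l4
    icmp = struct.pack("!BBHI", ICMP_TYPE_DEST_UNREACH,
                       ICMP_CODE_PORT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(local, remote, PROTO_ICMP, len(icmp)) + icmp


def parse_port_unreachable(packet: bytes):
    """Return who tried to reach which closed local port, or None when the
    packet is not a well-formed ICMP port-unreachable message."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != PROTO_ICMP:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 + 8:          # ICMP hdr + quoted IP hdr + 8 bytes
        return None
    if inet_checksum(icmp) != 0:        # a correct message sums to zero
        return None
    if (icmp[0], icmp[1]) != (ICMP_TYPE_DEST_UNREACH, ICMP_CODE_PORT_UNREACH):
        return None
    inner = icmp[8:]                    # the datagram that was rejected
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"remote_host": str(ipaddress.IPv4Address(inner[12:16])),
            "remote_port": sport,
            "local_host": str(ipaddress.IPv4Address(inner[16:20])),
            "local_port": dport,
            "protocol": {PROTO_TCP: "tcp", PROTO_UDP: "udp"}.get(
                inner[9], str(inner[9]))}


def summarize(packets):
    """Count port-unreachable replies per (remote host, protocol, local port)."""
    counts = Counter()
    for pkt in packets:
        info = parse_port_unreachable(pkt)
        if info:
            counts[(info["remote_host"], info["protocol"],
                    info["local_port"])] += 1
    return counts


# Constructed sample: two peers from the posted summary knocking on a closed
# UDP port (6881 and the peer ports are assumed values), plus one non-ICMP
# packet that must be ignored.
SAMPLE = [
    port_unreachable_reply("192.168.0.100", "119.40.7.39", 6881, 51413),
    port_unreachable_reply("192.168.0.100", "119.40.7.39", 6881, 51413),
    port_unreachable_reply("192.168.0.100", "77.81.248.210", 6881, 40000),
    ipv4_header("192.168.0.100", "77.81.248.210", PROTO_UDP, 0),
]

if __name__ == "__main__":
    for (host, proto, port), n in summarize(SAMPLE).most_common():
        print(f"{n:3d} x {host} -> {proto}/{port} (closed)")
```

With real captures you would feed the script the raw IPv4 packets from a pcap instead of SAMPLE; the local port it reports is the one a stopped service (here, a BitTorrent client) used to listen on, which is what tells you the traffic is leftovers rather than something new.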