neddie Posted December 11, 2005

gkrellm seems to be saying that there's a constant 4 or 5K/s coming in on the ethernet port. I'm curious what it is; there doesn't seem to be anything in 'top' and I'm not running anything obviously network-intensive (browser's closed, Skype's not running, BitTorrent's closed). Is there a tool which can tell me which applications are accessing the ethernet, or maybe sniff the packets to see what they're for? It's just a (slow) cable connection, with a single modem and a single computer. Partly I'm not sure whether I should be worried about this traffic, and partly if there's something chewing my bandwidth it might be nice to kill it.
jboy Posted December 12, 2005

In a terminal, you could issue the command:

    netstat -pantu | grep ESTABLISHED

This will show, among other things, the IP address and port number of every TCP and UDP connection, along with the Process ID and Program Name involved. If you want to see what's listening or waiting, just issue the netstat -pantu by itself.
neddie Posted December 12, 2005

Thanks jboy. There's nothing in the list with ESTABLISHED, even when I'm root. The only output from this command is:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:2628            0.0.0.0:*               LISTEN      6134/0
    tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      6092/master
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      5508/X
    tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      5574/mDNSResponder
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6092/master
    tcp        0      0 :::6000                 :::*                    LISTEN      5508/X
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           5768/dhclient
    udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5574/mDNSResponder

which still doesn't contain anything obvious. I'm not running remote X terminals and I can't believe that DNS and DHCP clients take many bits... Do you know what "master" is? Do you think this is just harmless background noise? Even though it's about 20% of my maximum download capacity?
michaelcole Posted December 12, 2005

It could be "attacking" systems out there trying to attack your system. In the case with a lot of internet connections nowadays, since so many other computers are still infected with viruses, you can get hit repeatedly by them. Try to look at the packets coming down to your computer, as it does look like you have nothing much happening on your side. Ethereal will show you all the packages and the actual messages that are on the line. Could also be because you have had BitTorrent open and now they are checking if you are still there. (Not sure it works this way, but a guess.)
neddie Posted December 12, 2005

I did think about the BitTorrent angle, but if I'm using DHCP then I should now have a completely different IP address from the last time I was using BitTorrent, so any traffic from that shouldn't be coming here... I'll look at ethereal, thanks for the tip.
Qchem Posted December 12, 2005

I tend to use ntop for things like this.
jboy Posted December 12, 2005

> Do you know what "master" is?

From the master man page: "The master daemon is the resident process that runs Postfix daemons on demand: daemons to send or receive messages via the network, daemons to deliver mail locally, etc. These daemons are created on demand up to a configurable maximum number per service."
Qchem Posted December 12, 2005

Unless you're running a mail server, I'd turn postfix off - no need to have it running.
jboy Posted December 12, 2005

Just came across a nice article at linux.com about handy aliases to add to $HOME/.bashrc that has a suggested alias related to this topic (original article here).

Show all programs connected or listening on a network port:

    alias nsl='netstat -alnp --protocol=inet | grep -v CLOSE_WAIT | cut -c-6,21-94 | tail +2'

The nsl alias uses netstat to show the process ID and program name of everything either connected or listening on a network port, including the sockets of the sending and receiving hosts. It uses grep to sort through the netstat output and remove lines that match CLOSE_WAIT, so you see only programs that are listening or connected. This is a great way to make sure no unexpected services are running in the background. To see all available information, run this command as root. The output from nsl will be similar to this sample:

    root@penguin:~# nsl
    Proto Local Address           Foreign Address         State       PID/Program name
    tcp   0.0.0.0:771             0.0.0.0:*               LISTEN      3981/rpc.statd
    tcp   0.0.0.0:139             0.0.0.0:*               LISTEN      3830/smbd
    tcp   0.0.0.0:111             0.0.0.0:*               LISTEN      2908/portmap
    tcp   0.0.0.0:80              0.0.0.0:*               LISTEN      4036/apache
    tcp   0.0.0.0:22              0.0.0.0:*               LISTEN      3838/sshd
    tcp   0.0.0.0:631             0.0.0.0:*               LISTEN      3582/cupsd
    tcp   127.0.0.1:25            0.0.0.0:*               LISTEN      3761/exim4
    tcp   0.0.0.0:7100            0.0.0.0:*               LISTEN      3875/xfs
    tcp   0.0.0.0:445             0.0.0.0:*               LISTEN      3830/smbd
    tcp   192.168.1.101:50372     66.35.250.177:80        ESTABLISHED 6585/firefox-bin
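An added example, not code from the thread or the linux.com article: the same filter written as a shell function that splits netstat's output on whitespace with awk instead of cut's fixed character columns, so long program names such as mDNSResponder are not chopped off, plus a constructed sample of netstat output (modelled on what was posted above) to run it against offline. It assumes the netstat -alnp --protocol=inet column layout shown in this thread.

```shell
#!/bin/sh
# Added example (not the thread's or the article's code): field-based
# replacement for the "nsl" alias. Reads "netstat -alnp --protocol=inet"
# output on stdin, drops header lines and CLOSE_WAIT sockets, and prints
# proto, local, foreign, state and PID/program without truncating names.
nsl_filter() {
    awk '
        /^(tcp|udp)/ {
            # tcp rows carry a State column (7 fields); udp rows usually
            # do not (6 fields), so pick the PID/Program field by count.
            if (NF >= 7) { state = $6; prog = $7 }
            else         { state = "-";  prog = $6 }
            if (state == "CLOSE_WAIT") next
            printf "%-5s %-24s %-24s %-12s %s\n", $1, $4, $5, state, prog
        }'
}

# Constructed sample modelled on the output posted in the thread, including
# one CLOSE_WAIT row that must be dropped and one long program name.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2628            0.0.0.0:*               LISTEN      6134/0
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      5574/mDNSResponder
tcp        0      0 192.168.1.101:50372     66.35.250.177:80        ESTABLISHED 6585/firefox-bin
tcp        0      0 192.168.1.101:50373     66.35.250.177:80        CLOSE_WAIT  6585/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           5768/dhclient'

# Helpers that run the filter over the constructed sample
nsl_sample()   { printf '%s\n' "$SAMPLE" | nsl_filter; }
nsl_count()    { nsl_sample | wc -l | tr -d ' '; }
# Distinct PID/program names, which is usually the real question
nsl_programs() { nsl_sample | awk '{ print $NF }' | sort -u | xargs; }

nsl_sample
```

On the live system run it as root, as the thread notes, with `netstat -alnp --protocol=inet | nsl_filter`; as a non-root user the PID/Program column is blank for other users' sockets.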
neddie Posted December 13, 2005

Thanks for the suggestions, everyone!

OK, first of all postfix - didn't even realise it was running. It was set to autostart at boot, so I've stopped it and disabled the start. Now it doesn't appear in netstat -pantu but the traffic in gkrellm is more or less unchanged.

Next, ethereal - well I got it from urpmi but when I start it from the menu I get nothing and from the CLI I get errors:

    ethereal: Symbol `gsm_a_dtap_msg_rr_strings' has different size in shared object, consider re-linking
    ethereal: Symbol `gsm_map_opr_code_strings' has different size in shared object, consider re-linking
    ** (ethereal:7099): WARNING **: radius: Could not find the radius directory
    Unhandled exception ("proto.c:2923: failed assertion "(*ptr->p_id == -1 || *ptr->p_id == 0) && "Duplicate field detected in call to proto_register_field_array""", group=1, code=4)
    Aborted

Yeah, whatever. Must be some conflict between rpms but I'm not wading through dependencies to find out what.

Next I tried the bash alias (hey, neat trick with the alias, learnt something there!):

    # netstat -alnp --protocol=inet | grep -v CLOSE_WAIT | cut -c-6,21-94 | tail +2
    Proto Local Address           Foreign Address         State       PID/Program na
    tcp   0.0.0.0:2628            0.0.0.0:*               LISTEN      6137/0
    tcp   0.0.0.0:6000            0.0.0.0:*               LISTEN      5606/X
    tcp   127.0.0.1:5335          0.0.0.0:*               LISTEN      5672/mDNSRespo
    udp   0.0.0.0:68              0.0.0.0:*                           5205/dhclient
    udp   0.0.0.0:5353            0.0.0.0:*                           5672/mDNSRespo

but that's again only showing X, DNS and DHCP (and something called "0"???).

So now I'm looking at ntop, and I've got the web interface going but it's got so much information I'm not sure where to start :/ guess I've got some reading to do. At the moment it looks like a variety of sources, but I can't see what they're trying to do. Oddly when it says "Sent vs Rcvd data" for one of these random IP addresses, it says things like "Sent 48.7% Rcvd 51.3%" so it looks like I'm sending data back too :/
Qchem Posted December 13, 2005

> So now I'm looking at ntop, and I've got the web interface going but it's got so much information I'm not sure where to start :/ guess I've got some reading to do. At the moment it looks like a variety of sources, but I can't see what they're trying to do. Oddly when it says "Sent vs Rcvd data" for one of these random IP addresses, it says things like "Sent 48.7% Rcvd 51.3%" so it looks like I'm sending data back too :/

Could be pings and your machine replying to them?
Qchem Posted December 13, 2005

> Just came across a nice article at linux.com about handy aliases to add to $HOME/.bashrc that has a suggested alias related to this topic (original article here).
>
> Show all programs connected or listening on a network port:
>
>     alias nsl='netstat -alnp --protocol=inet | grep -v CLOSE_WAIT | cut -c-6,21-94 | tail +2'

You'll probably want to add that to /etc/bashrc (or your distro's equivalent) - if you run it as a user you'll only see processes due to that user; run it as root to see everything that's going on. There's some interesting stuff on that link - but aliasing something to ld is just plain stupid!!