[SOLVED] I got network traffic without doing anything !

robeich · 04-03-2011, 01:28 PM

3 days ago I freshly installed Mandriva 2010 Powerpack at my hp thin client.
It's connected to A netgear router with a 3G USB stick.
I was watching Network monitor just for curiosity and realized even if I'm doing absolutely
nothing at the network, I got a lot of traffic actually Downloaded 3.10 MB and Uploaded
475.43 KB. within 15 minutes!
I checked my computer with chkrootkit but it's clean.
So my question, any suggestions what's that amount of traffic causes ?
robeich

markush · 04-03-2011, 02:24 PM

Hello robeich,

you should check which protocols make the network traffic. For example if you have an emailclient running, it will periodically connect to the mailserver. Also the arp-protocol which manages the resolution between IP- and MAC-adresses tries to update it's caches over the network periodically.
In order to see what's going on, as an example

Code:

tcpdump -i eth0

and then start your emailclient and look what happens. Be sure to use your correct interfacename (wlan0 if you're connected via wlan).

Markus

tredegar · 04-03-2011, 03:58 PM

Quote:

It's connected to A netgear router with a 3G USB stick.

Eh??

Netgear routers use wireless 802.11x and 3G is a mobile-phone connection.

These two things cannot talk to one another directly.

Please tell us how your network is really set up.

robeich · 04-04-2011, 05:09 AM

Oh, I forgot to mention that the reason for the new installation was:
I tried to access Google and I had a message from Google there is unusual traffic from my network
and I had to verify by typing in one of that displayed codes to make sure I'm a person and not a robot !

The 3G USB stick is connected by USB cable to my Netgear wireless Router MBR624GU,
and eth0 is connected by cat5 network cable to the router.

tcpdump -i eth0 gives me the message: command not found even if I use as user either root!

I'm not using any email client, actually not setup because I'm with gmail.

I just checked with netstat and got this :
#####

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 hpsmall.localdomain:59264 74.125.230.151:https TIME_WAIT
tcp 1 1 hpsmall.localdomain:50103 www.linuxquestions.org:http LAST_ACK
tcp 1 1 hpsmall.localdomain:36556 ww-in-f102.1e100.net:http LAST_ACK
tcp 0 0 hpsmall.localdomain:47484 74.125.230.150:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37271 TIME_WAIT
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37276 TIME_WAIT
tcp 0 0 hpsmall.localdomain:45879 74.125.230.152:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37273 TIME_WAIT
tcp 0 0 hpsmall.localdomain:54298 wy-in-f97.1e100.net:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:43980 74.125.230.145:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37286 TIME_WAIT
tcp 0 0 hpsmall.localdomain:50101 bru01s01-in-f95.1e100:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37274 TIME_WAIT
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37272 TIME_WAIT
tcp 1 1 hpsmall.localdomain:58712 images.linuxquestions.:http LAST_ACK
tcp 1 1 hpsmall.localdomain:50116 www.linuxquestions.org:http LAST_ACK
tcp 0 0 hpsmall.localdomain:45878 74.125.230.152:https ESTABLISHED
tcp 1 1 hpsmall.localdomain:36558 ww-in-f102.1e100.net:http LAST_ACK
tcp 0 0 hpsmall.localdomain:43983 74.125.230.145:https ESTABLISHED
tcp 0 0 hpsmall.localdomain:7634 hpsmall.localdomain:37282 TIME_WAIT

#####
I just had opened Firefox with 2 tabs Gmail and Linuxquestions.

thanks
robeich

tredegar · 04-04-2011, 05:21 AM

Thanks for the additional information.

Quote:

tcpdump -i eth0 gives me the message: command not found even if I use as user either root!

Then you need to install it before you can use it

Code:

sudo -i
apt-get update
apt-get install tcpdump
tcpdump -i eth0

jschiwal · 04-04-2011, 06:52 AM

apt-get is a debian/Ubuntu command. You can use the package manager to install tcpdump or wireshark.

There is a command line utility to install packages, but I don't remember it's name for Mandriva. Last time I used it, it was named Mandrake.

One thing you can do is make sure that you have your firewall setup. Also check the logs. Look for things like denied ssh login attempts.

If you have an update applet, is could be updating the catalogs to check if updates are needed.

tredegar · 04-04-2011, 08:54 AM

Quote:

apt-get is a debian/Ubuntu command.

Good point.

It looks as though that router provides wireless access as well. I know you are using ethernet cable, but is the wireless access point
- Disabled?
- Enabled and secured with WPA or better (ie not WEP)?
- Completely open, with the default login of admin and the default password of password?

You can normally login to your router's configuration panel with
http://192.168.0.1 in your browser to check these things out. There you will also have the option to "View Connected Devices". If you see some that you do not recognise, that could be where the problem lies.

salasi · 04-04-2011, 01:09 PM

Quote:

Originally Posted by robeich

3 days ago I freshly installed Mandriva 2010 Powerpack at my hp thin client.
It's connected to A netg even if I'm doing absolutely
nothing at the network, I got a lot of traffic actually Downloaded 3.10 MB and Uploaded
475.43 KB. within 15 minutes!

That's not a lot of traffic; 3.10 M per 15 minutes is about 3.5 kB per second. I'd bet one of the mDNS variants or maybe CUPS is sending a packet every few seconds; use wireshark to confirm.

robeich · 04-05-2011, 05:24 AM

The firewall is setup and should work fine ?!

The system is fully updated 2 days ago.

The wireless actually is turned off at netgear.

Cups is not installed at that computer.

Checked /var/log messages and securtiy and msec.log and last log no warnings or unusual ( have to say there is a lot of I really don't got clou what's it about )

But now after I changed the firewall settings ( closed port 80 at computers firewall, actually there is another firewall at the netgear denying any incoming traffic )
I'm running apache at this machine and I had an update for my netgear router it seems much better.

I got that new software for the MBR624GU directly from netgear because
I realized last September a huge security hole in their software !
I could go into routers setup without password and do any changes if I typed 192.168.01 into my browser !!
After 7 weeks emailing with a worthless support team I was able to
get over the netgear forum a contact where I could contact somebody
he was able to understand my complains.
And now after 6 month I got the first update WOUW to check ( even if I'm not employed at netgear ).

Will get tcpdump from one the Mandriva mirrors and have a look what's that telling me .

Thanks for all that interest, will keep you updated if I got more information from tcpdump.

robeich · 04-07-2011, 07:12 AM

Final information,

tcpdump installed.

checked traffic, no more unusual traffic while doing nothing !

Actually I was really surprised about the traffic to the different IP's of Google and different DNS servers.
Checked a lot of IP addresses and domainnames ( am I paranoid ? ) but it seems ok .

But I still got no idea what had caused that unusual traffic and what stopped that traffic.

Will keep an eye on that story.

I want to say thanks to everybody looking after me.

robeich