LinuxQuestions.org


aal 10-12-2012 12:21 AM

Ongoing internet activity when browser has long been idle.
 
Hi all,

I am a bit concerned because often (not always) there is prolonged data activity on my internet connection although the browser has been idle for a long time. The total data usage on the connection seems much higher than it should be. eg: 9 MB to load a couple of webpages.

Browser: firefox + noscript.

system: suse 12.1

Desktop: KDE4 and KDE3.

Connection: mobile phone as G3 modem.

What to look at?
Can data usage by individual applications be displayed and compared with total data being sent / received?

I have not altered any firewall settings, but have used Ktorrent. Can there be torrent activity when the application is not running, and if so how to disable that?

Thanks in advance....

Andrew.

Noway2 10-12-2012 08:27 AM

It is normal to have some background traffic. Applications such as your system update will occasionally "phone home" to check for updates and what not. You can use a tool like ntop to see what connections are being made and to where. Other things you may be facing include any Windows networking, and other network aware devices such as printers generating bursts of traffic.

With respect to torrents, it is possible for torrent applications to run in the background or as a daemon process uploading data. I would suggest you look at the process list (as root) to see if it is active.

unSpawn 10-12-2012 08:57 AM

..in addition to what's said already:
Quote:

Originally Posted by aal (Post 4803568)
often (not always) there is prolonged data activity on my internet connection although the browser has been idle for a long time. The total data usage on the connection seems much higher than it should be. eg: 9 MB to load a couple of webpages. What to look at?

First of all what you think of as "traffic" is not only TCP but also UDP sprinkled with a bit of ICMP. Granted, the latter should not take up much volume as its primary concern is error messages but web pages are way larger these days. While on the one hand content distribution and compression help lessen the load on the other hand it allows web sites to draw from more and different sources more easily (or carelessly), becoming less concerned with how or what they incorporate things or optimization. And where "social network" connectivity is involved there'll be more content requested that isn't simply web pages but video, Flash, applets and web services "talking" with each other (SOA, RIA, AJAX, XUL, SOAP, REST). More sources also means more DNS requests and ninety nine per cent of the time that will be UDP traffic. (BitTorrent uses UDP too.) Then there's browsers' default settings like IPv6 being enabled when you don't need or have it, anticipatory caching of pages you haven't visited and requests to addresses you visited earlier (Firefox).

There's at least five things you can implement regardless of your data plan being unlimited or not, regardless of knowing what data you send or receive and regardless of your web behavior:
- speed up domain name resolution by using a local caching name server (Pdnsd, Dnsmasq, etc),
- speed up or avoid loading elements by using a local filtering and caching proxy server (Privoxy, Polipo, etc),
- using sane browser defaults,
- disabling plug-ins you don't need and
- client-side in-browser filtering like Noscript offers.

Back to the original question of what to look at, apps like:
- Netfilter (iptables) has a module that can do traffic accounting,
- dnstop shows you DNS requests you make,
- nethogs shows you the currently running applications that generate the most traffic,
- iftop shows you all current traffic by destination (or whatever you choose),
- vnstat can give you hourly, daily, weekly overviews of how much traffic went over the wire.
Equivalents / related: bandwidthd, (j)nettop, pktstat, cbm, bwm-ng, speedometer, ethstatus, trafshow, iptraf, Wireshark, MRTG and much, much more: check your distro's repos and Sourceforge, Freecode, Nongnu, etc, etc.


Quote:

Originally Posted by aal (Post 4803568)
Can data usage by individual applications be displayed and compared with total data being sent / received?

For currently running applications see above. Wrt saved statistics the problem is an application must not only track traffic but also assign it to a specific application. This means being able to read /proc for process names and UID's but also be able to differentiate between say Python running 'yum check-update' for user root and Python running 'calibre update' for say your unprivileged account. Possible but no app comes to mind right now.


Quote:

Originally Posted by aal (Post 4803568)
Can there be torrent activity when the application is not running

If you're assigned an often-changing dynamic IP address you may see "ghost traffic" for the previous user and if you recently were part of a swarm you may see ghost requests too but no, if the application isn't running then there will be no active traffic.
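
The attribution step described in the reply above (reading /proc to tie a socket to a process name and UID), as an added example that is not part of the original posts. It covers only which process and user own each established TCP connection, not byte counts; the sample data, PIDs and command lines are constructed, and the address decoding assumes a little-endian host.

```python
import os, socket, struct

# Constructed samples (not from a real host): /proc/net/tcp text and an inode -> (pid, cmdline) map.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:C350 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0A0200C0:C351 097100CB:0050 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {22222: (4101, "python /usr/bin/calibre update"),
                 33333: (4250, "python /usr/bin/yum check-update")}

def decode_endpoint(field):
    """'0A0200C0:C350' -> ('192.0.2.10', 50000); assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    socks = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:  # sl local remote st queues timer retrnsmt uid timeout inode
            socks.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                          "state": f[3], "uid": int(f[7]), "inode": int(f[9])})
    return socks

def inode_owners(proc="/proc"):
    """Map socket inode -> (pid, cmdline) via /proc/<pid>/fd; needs root to see other users."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = (int(pid), cmd)
        except OSError:
            continue  # process exited or permission denied
    return owners

def attribute(socks, owners):
    """Rows of (uid, pid, cmdline, remote) for ESTABLISHED (state 01) sockets."""
    return [(s["uid"], *owners.get(s["inode"], (None, "unknown")), "%s:%d" % s["remote"])
            for s in socks if s["state"] == "01"]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for row in attribute(parse_proc_net_tcp(fh.read()), inode_owners()):
            print(row)
```

With the constructed sample, the two Python processes are told apart by UID and command line even though both show up as "python".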

aal 10-12-2012 05:29 PM

Thank you both greatly. I think what you've said is enough to get me going, but another question comes to mind.

I live in a fringe reception area, where the phone network is 'thin' - many users, not much bandwidth. Will my connection generate more traffic during times of worst reception and/or when the network is busy?

Quote:

"First of all what you think of as "traffic" is not only TCP but also UDP sprinkled with a bit of ICMP. Granted, the latter should not take up much volume as its primary concern is error messages but web pages are way larger these days. While on the one hand content distribution and compression help lessen the load on the other hand it allows web sites to draw from more and different sources more easily (or carelessly), becoming less concerned with how or what they incorporate things or optimization. And where "social network" connectivity is involved there'll be more content requested that aren't simply web pages but video, Flash, applets and web services "talking" with each other (SOA, RIA, AJAX, XUL, SOAP, REST). More sources also means more DNS requests and ninety nine per cent of the time that will be UDP traffic. (BitTorrent uses UDP too.) Then there's browsers default settings like IPv6 being enabled when you don't need or have it, anticipatory caching of pages you haven't visited and requests to addresses you visited earlier (Firefox)."
I don't have any social media or gaming. I'm not aware of any non-torrent UDP, video, flash etc usage, other than perhaps what yahoo might create without my asking for it. All my internet use is vanilla TCP (at least I intend it to be that way). I thought anticipatory caching was ruled out as no other pages were open.

Let me put it this way. Yesterday, when the excess traffic was particularly obvious I disconnected and reconnected as that sometimes fixes the problem. When it did not, I decided to ask you this question and loaded the LQ website. It took 9 MB to load a) my email and b) the LQ front page. Each page took several minutes to load and there was lots of data being exchanged throughout - enough to load the pages in question many many times. By the time I'd asked the question, data use had reached 16 MB.

By comparison, the current session is only 2.43 MB and pages have loaded in seconds. And the connection has been quiet as a mouse the whole time. Whilst I have been drafting this, it took about twenty minutes to get from 2.36 to 2.43. That's the normal level of background activity that I am used to seeing.

Regards...

Andrew.

unSpawn 10-13-2012 08:13 AM

Quote:

Originally Posted by aal (Post 4804308)
Thank you both greatly. I think what you've said is enough to get me going,

Good.


Quote:

Originally Posted by aal (Post 4804308)
but another question comes to mind.

Oh no.


Quote:

Originally Posted by aal (Post 4804308)
I live in a fringe reception area, where the phone network is 'thin' - many users, not much bandwidth. Will my connection generate more traffic during times of worst reception and/or when the network is busy?

That would be something you can test yourself.



Quote:

Originally Posted by aal (Post 4804308)
I thought anticipatory caching was ruled out as no other pages were open.

I was speaking in general terms.


Quote:

Originally Posted by aal (Post 4804308)
Let me put it this way. Yesterday, when the excess traffic was particularly obvious I disconnected and reconnected as that sometimes fixes the problem.

Reflexes like killing and restarting processes, removing and re-installing software and reconnecting to networks sweep problems back under the rug. On the surface it may make things work but without diagnosing it you don't learn what the core problem is and it does not fix things in the long run.


Quote:

Originally Posted by aal (Post 4804308)
When it did not, I decided to ask you this question and loaded the LQ website. It took 9 MB to load a) my email and b) the LQ front page. Each page took several minutes to load and there was lots of data being exchanged throughout - enough to load the pages in question many many times. By the time I'd asked the question, data use had reached 16 MB. By comparison, the current session is only 2.43 MB and pages have loaded in seconds. And the connection has been quiet as a mouse the whole time. Whilst I have been drafting this, it took about twenty minutes to get from 2.36 to 2.43. That's the normal level of background activity that I am used to seeing.

There are web sites that help you analyze what a page loads as well as browser plug-ins to do the same. The outcome of that together with output of some of the suggested tools may give you a better understanding of what's going on. 9 megs sounds like a lot but I don't feel like speculating about what causes it and neither does my ESP work today ;-p


All times are GMT -5.