LinuxQuestions.org
Old 11-22-2007, 12:49 AM   #1
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Rep: Reputation: 32
something is accessing the internet every 15 seconds...


Hello everyone,

I have a simple Debian install and have since installed X and gkrellm (and some other stuff). I have noticed (via gkrellm) that something is accessing the internet about every 15 seconds or so. It is extremely regular.

I was wondering if anyone could aim me in a direction to track the culprit down. I do have a ntp daemon running, but I'm fairly sure it is set to only check the time once a day.

I checked my crontab and it is empty.

I'm going to go on a hunt right now... but I'll be back.

Happy turkey day!
 
Old 11-22-2007, 04:13 AM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 356
Check your email application, specifically a setting which tells it how often to poll the ISP for mail.
 
Old 11-22-2007, 06:45 AM   #3
dmedhora
LQ Newbie
 
Registered: Nov 2007
Posts: 10

Rep: Reputation: 0
Try to run a tcpdump on your interface and keep it running... you'll see where the packets are coming from or going to (i.e. you'll see the IP addresses and maybe hostnames). You'll also be able to see the protocol/application initiating the traffic. Hope this helps!
 
Old 11-22-2007, 04:02 PM   #4
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Original Poster
Rep: Reputation: 32
I don't yet have an e-mail application on this system (except for internal system mail).

Thanks for the tip of tcpdump.
Here is some of the tcpdump:

13:49:23.081402 IP (tos 0x0, ttl 127, id 65463, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:49:23.081651 IP (tos 0x0, ttl 127, id 65464, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:49:23.081838 IP (tos 0x0, ttl 128, id 22824, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 56129+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:49:23.081902 IP (tos 0x0, ttl 127, id 65465, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:49:23.082525 IP (tos 0x0, ttl 127, id 65466, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:49:23.083398 IP (tos 0x0, ttl 127, id 65467, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:49:23.083649 IP (tos 0x0, ttl 127, id 65468, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:49:23.084273 IP (tos 0x0, ttl 127, id 65469, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:49:23.085023 IP (tos 0x0, ttl 127, id 65470, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:49:23.085272 IP (tos 0x0, ttl 127, id 65471, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:49:23.085897 IP (tos 0x0, ttl 127, id 65472, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:49:23.086771 IP (tos 0x0, ttl 127, id 65473, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:49:23.087021 IP (tos 0x0, ttl 127, id 65474, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:49:23.087645 IP (tos 0x0, ttl 127, id 65475, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:49:28.081210 arp who-has 192.168.0.1 tell 192.168.0.121
13:49:28.081235 IP (tos 0x0, ttl 128, id 22825, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 56129+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:49:28.081401 arp reply 192.168.0.1 is-at 00:15:e9:1d:98:c6 (oui Unknown)
13:49:28.286781 IP (tos 0x0, ttl 51, id 38154, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 56129 ServFail q: PTR? 250.255.255.239.in-addr.arpa. 0/0/0 (46)
13:49:28.286905 IP (tos 0x0, ttl 128, id 24125, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 28539+ PTR? 1.0.168.192.in-addr.arpa. (42)
13:49:28.336880 IP (tos 0x0, ttl 51, id 38259, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 28539 NXDomain q: PTR? 1.0.168.192.in-addr.arpa. 0/0/0 (42)
13:49:28.336943 IP (tos 0x0, ttl 128, id 24138, offset 0, flags [DF], proto: UDP (17), length: 72) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 10496+ PTR? 121.0.168.192.in-addr.arpa. (44)
13:49:28.351244 IP (tos 0x0, ttl 56, id 8988, offset 0, flags [DF], proto: UDP (17), length: 72) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 10496 NXDomain q: PTR? 121.0.168.192.in-addr.arpa. 0/0/0 (44)
13:49:28.430324 IP (tos 0x0, ttl 57, id 9515, offset 0, flags [DF], proto: UDP (17), length: 74) sjos-cns03.sanjose.ca.sanfran.comcast.net.domain > 192.168.0.121.32771: [udp sum ok] 56129 ServFail q: PTR? 250.255.255.239.in-addr.arpa. 0/0/0 (46)
13:49:28.430396 IP (tos 0x0, ttl 128, id 24161, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 21560+ PTR? 181.76.87.68.in-addr.arpa. (43)
13:49:28.478046 IP (tos 0x0, ttl 51, id 38536, offset 0, flags [DF], proto: UDP (17), length: 126) 192.168.0.1.domain > 192.168.0.121.32771: 21560 q: PTR? 181.76.87.68.in-addr.arpa. 1/0/0 181.76.87.68.in-addr.arpa. (98)
13:49:43.082144 IP (tos 0x0, ttl 127, id 65482, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:49:43.082393 IP (tos 0x0, ttl 127, id 65483, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:49:43.082643 IP (tos 0x0, ttl 127, id 65484, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:49:43.083267 IP (tos 0x0, ttl 127, id 65485, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:49:43.084142 IP (tos 0x0, ttl 127, id 65486, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:49:43.084392 IP (tos 0x0, ttl 127, id 65487, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:49:43.085017 IP (tos 0x0, ttl 127, id 65488, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:49:43.085766 IP (tos 0x0, ttl 127, id 65489, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:49:43.086016 IP (tos 0x0, ttl 127, id 65490, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:49:43.086641 IP (tos 0x0, ttl 127, id 65491, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:49:43.087516 IP (tos 0x0, ttl 127, id 65492, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:49:43.087765 IP (tos 0x0, ttl 127, id 65493, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:49:43.088390 IP (tos 0x0, ttl 127, id 65494, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:49:51.313160 arp who-has 192.168.0.75 (25:54:c0:a8:c0:a8 (oui Unknown)) tell 192.168.0.1
13:49:51.313297 IP (tos 0x0, ttl 128, id 29882, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 15756+ PTR? 75.0.168.192.in-addr.arpa. (43)
13:49:51.327401 IP (tos 0x0, ttl 56, id 34955, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 15756 NXDomain q: PTR? 75.0.168.192.in-addr.arpa. 0/0/0 (43)
13:50:03.083141 IP (tos 0x0, ttl 127, id 65495, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:03.083387 IP (tos 0x0, ttl 127, id 65496, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:50:03.083637 IP (tos 0x0, ttl 127, id 65497, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:50:03.084261 IP (tos 0x0, ttl 127, id 65498, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:50:03.085011 IP (tos 0x0, ttl 127, id 65499, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:50:03.085261 IP (tos 0x0, ttl 127, id 65500, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:50:03.085885 IP (tos 0x0, ttl 127, id 65501, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:50:03.086761 IP (tos 0x0, ttl 127, id 65502, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:50:03.087010 IP (tos 0x0, ttl 127, id 65503, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:50:03.087635 IP (tos 0x0, ttl 127, id 65504, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:50:03.088384 IP (tos 0x0, ttl 127, id 65505, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:50:03.088634 IP (tos 0x0, ttl 127, id 65506, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:50:03.089258 IP (tos 0x0, ttl 127, id 65507, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:50:22.628896 IP (tos 0x0, ttl 128, id 37712, offset 0, flags [DF], proto: UDP (17), length: 68) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 19041+ TXT? current.cvd.clamav.net. (40)
13:50:22.732461 IP (tos 0x0, ttl 51, id 15105, offset 0, flags [DF], proto: UDP (17), length: 108) 192.168.0.1.domain > 192.168.0.121.32771: 19041 q: TXT? current.cvd.clamav.net. 1/0/0 current.cvd.clamav.net. TXT[|domain]
13:50:23.084010 IP (tos 0x0, ttl 127, id 65508, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:23.084255 IP (tos 0x0, ttl 127, id 65509, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:50:23.084506 IP (tos 0x0, ttl 127, id 65510, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:50:23.085130 IP (tos 0x0, ttl 127, id 65511, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:50:23.085879 IP (tos 0x0, ttl 127, id 65512, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:50:23.086129 IP (tos 0x0, ttl 127, id 65513, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:50:23.086754 IP (tos 0x0, ttl 127, id 65514, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:50:23.087628 IP (tos 0x0, ttl 127, id 65515, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:50:23.087878 IP (tos 0x0, ttl 127, id 65516, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:50:23.088502 IP (tos 0x0, ttl 127, id 65517, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:50:23.089252 IP (tos 0x0, ttl 127, id 65518, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:50:23.089503 IP (tos 0x0, ttl 127, id 65519, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:50:23.090127 IP (tos 0x0, ttl 127, id 65520, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:50:27.632331 arp who-has 192.168.0.1 tell 192.168.0.121
13:50:27.632520 arp reply 192.168.0.1 is-at 00:15:e9:1d:98:c6 (oui Unknown)

Just about a minute's worth.

I'm thinking maybe dhcpd? I also have bind9 and a samba server.
Samba is set up to only use eth1 (which isn't being logged here) and there isn't another PC connected to the server at this moment. I do have a router with 2 Linux boxes (including this one) and a Windows XP box connected. Am I getting 'noise' from the Windows box?

No PC is currently set up to talk to this machine for samba or any other type of service... that I know of.

I tried to ping 239.255.255.250 with 0 results. I really don't know where else to look or how to go about it. I have tried looking at the syslog for dhcpd messages. I then attempted to edit syslog.conf to separate dhcpd into its own log. So far I haven't seen a log file get made for dhcpd - don't know if it is because of an incorrect syslog.conf or just nothing has happened. It has only been about 30 minutes since I did that tho.

Thank you in advance for any advice.

P.S. I did see Google hit this box once previously. It prolly happened because my other Linux box has a webpage on it. Google likely just hit my IP address looking around and some got through to this one. It shouldn't have however, because the router is set to only forward those ports to the other box. I do have a firewall running - but it was a self-done job.
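One way to turn a capture like the one above into a short list of periodic talkers, as an added example that is not the poster's own commands: the script parses tcpdump -v lines in the shape quoted in this post, collapses packets into bursts per (proto, src, dst, dport) flow and reports flows whose bursts recur at a steady interval, naming well-known ports. The sample lines are constructed in that shape (the router's UDP 1900 bursts 20 s apart, a few DNS lookups, one ARP line); the WELL_KNOWN table and the tolerance values are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the "tcpdump -v" line shape quoted above: timestamp, the parenthesised
# IP header, then "src.port > dst.port:". ARP lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?proto: (?P<proto>\w+) .*?\) "
    r"(?P<src>[\w.\-]+)\.(?P<sport>\w+) > (?P<dst>[\w.\-]+)\.(?P<dport>\w+):"
)
WELL_KNOWN = {"1900": "SSDP/UPnP", "domain": "DNS", "53": "DNS", "ntp": "NTP", "123": "NTP"}

def parse_line(line):
    """Return (seconds since midnight, proto, src, dst, dport), or None if not an IP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return secs, m["proto"], m["src"], m["dst"], m["dport"]

def burst_times(times, gap=1.0):
    """Collapse packets closer than `gap` seconds into one burst (first timestamp kept)."""
    bursts = []
    for t in sorted(times):
        if not bursts or t - bursts[-1] > gap:
            bursts.append(t)
    return bursts

def periodic_flows(lines, min_bursts=3, tolerance=0.5):
    """Group packets by (proto, src, dst, dport) and return {flow: (interval_s, service)}
    for every flow whose bursts recur at a near-constant interval."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[rec[1:]].append(rec[0])
    found = {}
    for flow, times in flows.items():
        b = burst_times(times)
        if len(b) < min_bursts:
            continue
        gaps = [b[i + 1] - b[i] for i in range(len(b) - 1)]
        if max(gaps) - min(gaps) <= tolerance:
            found[flow] = (round(sum(gaps) / len(gaps), 1), WELL_KNOWN.get(flow[3], "?"))
    return found

# Constructed sample (not the poster's capture): SSDP bursts 20 s apart, aperiodic DNS, one ARP line.
TEMPLATE = ("{ts} IP (tos 0x0, ttl 127, id 1, offset 0, flags [none], proto: UDP (17), "
            "length: 280) {src} > {dst}: UDP, length 252")
SAMPLE = [TEMPLATE.format(ts=ts, src="192.168.0.1.1900", dst="239.255.255.250.1900")
          for ts in ("13:49:23.081402", "13:49:23.083398", "13:49:43.082144",
                     "13:50:03.083141", "13:50:03.085011", "13:50:23.084010")]
SAMPLE += [TEMPLATE.format(ts=ts, src="192.168.0.121.32771", dst="192.168.0.1.domain")
           for ts in ("13:49:23.081838", "13:49:28.081235", "13:50:22.628896")]
SAMPLE.append("13:49:28.081210 arp who-has 192.168.0.1 tell 192.168.0.121")
```

Feed it `tcpdump -v -n -l` output line by line (or the saved text of a capture) and only the flows that keep a fixed cadence come back, which is exactly the kind of traffic gkrellm shows as a regular blip.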
 
Old 11-23-2007, 05:01 PM   #5
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Original Poster
Rep: Reputation: 32
Ok... did a little research. Sorry for bugging you guys on something so simple to find info on.

http://www.grc.com/port_1900.htm

UDP 1900 is uPnP - 5000 is also an address that uPnP devices will talk on.

IP 239.255.255.250 is the broadcast address.

Seems it's my own router (D-link) that is sending these out to all machines on the network.


I'm going to see about turning off uPnP on the router and see what happens.


Thanks anyways,
checkmate3001
 
Old 11-23-2007, 05:06 PM   #6
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Original Poster
Rep: Reputation: 32
OK - went into router settings and disabled uPnP - no more activity every 15 seconds. The LAN is now a little quieter. Nice.
 
Old 12-09-2007, 04:36 PM   #7
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Original Poster
Rep: Reputation: 32
Did another tcpdump, found some more

I have done another tcpdump and have also found that my ntp daemon is checking the time every 20 seconds or so. I also am getting some noise from an XP machine on my LAN.

All in all, I'm surprised by how much goes on that you never even see. There is a lot of computer chatter out there.

It is fairly quiet, however. Thank you guys for your help.
 