Distro : OpenSuse 10.2

It would be very helpful to know if there is any way to find out what's being downloaded? For the last couple of days I find at times something is getting downloaded while I am neither updating or downloading anything from any site.

Thanks for your help.

I'd first run netstat to see what your computer has active connections with. If it's connected to something unfamiliar I'd then start logging with Wireshark to figure out what exactly is going on.

If you think something fishy is going on I'd run Wireshark on a seperate computer that can be trusted on the same network.

Thanks for your suggestions. I have tried netstat earlier, it's a great tool, but not being an expert I have not understood the output of netstat properly.

I will start knowing more about Wireshark. In the meantime I came to know about iptraf. It's also a very helpful tool.

Thanks for your help.

How does this manifest itself then?
Or what hunches do you have?
Or what "seems wrong"?

What (publicly) accessable services does this server provide?
Is all software updated when updates are available?
Is the server hardened?
Is the server audited in any way?
Do the system and daemon logs or login records show any "weird" activity?

No I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a downloading going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened.

Regarding the Updates I still I have not all the updates installed.

From the Netstat output I could not gather what was being downloaded and what it the file.

iptraf works

Shame you managed to read or reply to only half of my questions.

[QUOTE=Shame you managed to read or reply to only half of my questions.[/QUOTE]

I am really ashamed that I have "managed to read or reply to only half of your "questions". I apologize to you if I have wasted your time and the time of those who might be reading this post. Actually being a basic level user, I couldn't understand those part of your questions which I have not replied.

If I look back at your question and to my reply then I find that the questions were :

My reply to part of your question that I could understand was :
'How does this manifest itself then?
Or what hunches do you have?
Or what "seems wrong"? '

My answer to this (what "seems wrong"?) was "No I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a downloading going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened." I presumed the above question as one because you used "or".

I failed to understand the following part and thus couldn't reply :
a) "What (publicly) accessable services does this server provide?"
b) "Is the server hardened? Is the server audited in any way?"
c) "Is the server audited in any way?"

I tried to reply on the following part of your question.
a) "Is all software updated when updates are available?"
b) "Do the system and daemon logs or login records show any "weird" activity?"

My reply was :
"No I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a downloading going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened.

Regarding the Updates I still I have not all the updates installed.

From the Netstat output I could not gather what was being downloaded and what it the file."

May be I made a mistake in assuming that you will understand why I am not replying to some of your questions. I hope I have explained my position.

Coming back to my original question on what's being downloaded I think "iptraf" is good, which coolb has also replied as "iptraf works". It would be great for me if you can comment more on "iptraf".

I would finish of by asking you a simple question :
Do you feel you have correctly used the word 'shame' in your reply? I think you could have asked the same question in the following manner :
"If you can answer all my questions that would certainly help in solving the problem".

Thank you.

I have noticed similar behavior with SUSE 10.2 on my system (Dual boot with XP). I'm using the KDE desktop and have noticed the activity also. I have no home network, just the laptop connected to a cable modem at home and dial-up when on the road. The firewall is up, and no servers running.

The download activity is at a low rate, 1-2 kB/s or so, and stops and starts. It is not continuous, and only happens on the eth0 interface when hooked up to the cable modem. It doesn't happen on the ppp interface and it shows no activity unless FF or another program is accessing the net. Tried booting from a Knoppix DVD, and I don't get this activity when running Knoppix or Windows XP. This seems to be happening only in SUSE, and only on my on board eth0 interface.

Have already installed iptraf and wireshark and will do some captures to gather some data once I get home.

I'm not sure what was meant by a "hardened" server.

I think iptraf is good. I tried iptraf, chose the all connections and it instantly showed me all the connections. Although it's not a direct solution to the problem that I mentioned but through iptraf, now I can find out the IP's and make an idea about what's going on.

Thanks for mentioning about wireshark. I will check that also.

I've never used SUSE, but it's possible the traffic is yast periodically checking with SUSE's servers to see if there are any new updates available. unSpawn's question about publically accessible servers might be relevant, he was asking if you are running any internet server programs, such as a web or mail server, or an ssh or ftp daemon? For hopefully obvious reasons, a web server or mail server may well have internet traffic even if you're not accessing the net yourself. If you're running an ssh server for remote access, and someone else is trying to find a login for it, it may be worth taking some extra security measures to prevent a brute force attack from succeeding.

A hardened server has extra security set up on it, I think including things such as SELinux and AppArmor. I've no idea if any of these things are enabled on SUSE by default or not.

Checked this out with iptraf, and with Wireshark. It seems that the KTraffic Analyzer and some of the kicker apps are picking up the other activity on the network. Its mostly ARP activity, but there are some other things in there also. Netstat, etc. show no connections to the network that shouldn't be there, like ntp, yast updating from the security servers, and things like that. I can post some examples if you like but I don't think it will be necessary.

I would like to find out if this is "normal" behavior for the kicker apps or if I've got something configured wrong, though. If nothing else, I've learned some more about networking in Linux so the time is not wasted.

Thanks Gethyn for explaining things.

Since I installed iptraf, I can monitor the network activities better. So whenever I feel that some processes might be using the net, I try to check which one might be using the Net. In my system AppArmor is installed.