
Network activity concerns

Dear Experts,

My desktop seems to be constantly uploading and downloading data, which I am not aware of.  Please have a look at the attached image.  How do I find out what is going on and how do I stop it without disabling internet access altogether?
Screenshot-System-Monitor.png

Commented:
Use a program such as "tcpdump" to monitor traffic on your interface.

You may well just be receiving lots of broadcast traffic.

Leon
Duncan Roe, Software Developer
Commented:
The program top will show you which processes are using CPU. The program lsof -p process-id
will show you what files that process has open (including sockets). I would recommend that any system connected directly to the Internet should have some kind of iptables filter (i.e. firewall).

Commented:
Try typing "netstat -an" to see if there are any established connections. If this machine is directly connected to a cable internet connection that traffic might just be arps since cable is shared and typically uses huge subnets.
Hugh Fraser, Consultant

Commented:
The first step is to see who your machine's talking to. I like etherape for visualizing conversations, and once you know who the big talker is, use Wireshark to sniff the traffic.

Author

Commented:
Lots of suggestions here, so I am starting from the top.  Using tcpdump, I have captured 100 packets from eth0 and have attached the output.

What does all that mean?  If I did not limit it to 100, it would have gone on forever, without me browsing the web...
tcpdump-eth0.log
Duncan Roe, Software Developer
Commented:
There is traffic over a number of short-lived connections between what looks like a browser or browsers on the local system and a server process running on your firewall serving the FileMaker port 591 (http-alt). That might be a proxy server - you would know.
The rest of the traffic in your sample is DNS-related (they look to me like reverse name lookups) (I don't recognise the mdns port but clearly tcpdump does). Much of this traffic is probably caused by tcpdump itself - it needs to do reverse name lookups to display host names.

Author

Commented:
OK, so what's the next step?  Try out one of the other programs suggested?
Duncan Roe, Software Developer
Commented:
Is the traffic you saw the traffic that concerns you? If so, you could use lsof -i to see what process(es) has/have the ports open.
As well, you could use tcpdump to actually examine the data - you could be out of luck and find it's all binary but you might easily see enough text to give you an idea what's going on.

tcpdump -s 1500 -A

Also you should confirm what process on the server has port 591 open

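The lsof -i step above joins socket inodes to the processes holding them. The following is an added example, not code from this thread, that performs the same join by hand from /proc/net/tcp and /proc/<pid>/fd; the sample /proc/net/tcp lines are constructed, with local address 192.168.1.100 and firewall address 10.0.0.10 chosen arbitrarily, and it assumes Linux on a little-endian host.

```python
# Added example (not from this thread): a minimal stand-in for "lsof -i". It reads /proc/net/tcp
# and joins each ESTABLISHED socket's inode to its owning process via /proc/<pid>/fd (lsof's join).
import os
import socket
import struct
from pathlib import Path

# Constructed sample: one LISTEN socket (state 0A) and two ESTABLISHED sockets (state 01) whose
# ports (59034->591, 50600->443) and inodes (11938, 10809) mirror the thread's lsof output.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 6401A8C0:E69A 0A00000A:024F 01 00000000:00000000 00:00000000 00000000  1000        0 11938 1 0000000000000000 20 4 30 10 -1
   2: 6401A8C0:C5A8 90F181AE:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10809 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hexaddr):
    # '6401A8C0:E69A' -> ('192.168.1.100', 59034); the kernel prints the IPv4 address as a
    # hex word in host byte order, so "<I" assumes a little-endian host; the port is plain hex.
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return ESTABLISHED (state 01) connections as dicts with local, remote and socket inode."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) >= 10 and f[3] == "01":
            conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                          "inode": int(f[9])})
    return conns

def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink."""
    owners, root = {}, Path(proc_root)
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            comm = (root / pid / "comm").read_text().strip()
            links = [os.readlink(p) for p in (root / pid / "fd").iterdir()]
        except OSError:   # process exited meanwhile, or another user's process and we are not root
            continue
        for target in links:
            if target.startswith("socket:["):   # e.g. "socket:[11938]"
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners

def attribute(conns, owners):
    # Join connections to owners; an inode with no visible fd owner is reported as 'unknown'.
    rows = []
    for c in conns:
        pid, comm = owners.get(c["inode"], (None, "unknown"))
        rows.append((comm, pid, "%s:%d" % c["local"], "%s:%d" % c["remote"]))
    return rows
```

On a live system, `attribute(parse_proc_net_tcp(open("/proc/net/tcp").read()), socket_inode_owners())` gives the lsof -i view; run it as root, otherwise sockets of other users' processes show as unknown.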
Author

Commented:
What concerns me is the amount of network activity which I am getting without me using the browser.

Author

Commented:
After a fresh reboot, if I type lsof -i, I get nothing.  Without using the computer for web browsing, if I type in lsof -i 1 minute later I get 2 entries:

ubuntuone 1563 narmi2   20u  IPv4  11938      0t0  TCP ubuntu.local:59034->firewall.narmi2.com:http-alt (ESTABLISHED)
ubuntuone 1563 narmi2   21u  IPv4  10809      0t0  TCP ubuntu.local:50600->ec2-174-129-241-144.compute-1.amazonaws.com:https (ESTABLISHED)

top gives me ubuntuone top place

1563 narmi2     20   0 41072  19m 5100 S  4.3  4.0   0:09.29 ubuntuone-syncd

lsof -p 1563 gives me

narmi2@ubuntu:~$ lsof -p 1563
COMMAND    PID  USER   FD   TYPE     DEVICE SIZE/OFF   NODE NAME
ubuntuone 1563 narmi2  cwd    DIR      252,1     4096      2 /
ubuntuone 1563 narmi2  rtd    DIR      252,1     4096      2 /
ubuntuone 1563 narmi2  txt    REG      252,1  2288240 391184 /usr/bin/python2.6
ubuntuone 1563 narmi2  mem    REG      252,1   251916 394369 /usr/lib/libgobject-2.0.so.0.2400.1
ubuntuone 1563 narmi2  mem    REG      252,1   821768 132053 /lib/libglib-2.0.so.0.2400.1
ubuntuone 1563 narmi2  mem    REG      252,1    71988 399428 /usr/lib/python2.6/lib-dynload/datetime.so
ubuntuone 1563 narmi2  mem    REG      252,1    13760 433238 /usr/lib/libpyglib-2.0-python2.6.so.0.0.0
ubuntuone 1563 narmi2  mem    REG      252,1   122232 433241 /usr/lib/pyshared/python2.6/gtk-2.0/gobject/_gobject.so
ubuntuone 1563 narmi2  mem    REG      252,1     5460 456413 /usr/lib/python2.6/dist-packages/twisted/python/_initgroups.so
ubuntuone 1563 narmi2  mem    REG      252,1   108196 399467 /usr/lib/python2.6/lib-dynload/_ctypes.so
ubuntuone 1563 narmi2  mem    REG      252,1    14484   7238 /usr/lib/python2.6/dist-packages/Crypto/PublicKey/_fastmath.so
ubuntuone 1563 narmi2  mem    REG      252,1    50176   2699 /usr/lib/pyshared/python2.6/OpenSSL/SSL.so
ubuntuone 1563 narmi2  mem    REG      252,1    31848 526624 /usr/lib/pyshared/python2.6/simplejson/_speedups.so
ubuntuone 1563 narmi2  mem    REG      252,1    22036 131266 /lib/tls/i686/cmov/libnss_dns-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1    26088 433233 /usr/lib/libffi.so.5.0.10
ubuntuone 1563 narmi2  mem    REG      252,1   227000 131161 /lib/libdbus-1.so.3.4.0
ubuntuone 1563 narmi2  mem    REG      252,1   127088 440270 /usr/lib/pyshared/python2.6/_dbus_bindings.so
ubuntuone 1563 narmi2  mem    REG      252,1    79512 130850 /lib/libz.so.1.2.3.3
ubuntuone 1563 narmi2  mem    REG      252,1   197540 399454 /usr/lib/python2.6/lib-dynload/pyexpat.so
ubuntuone 1563 narmi2  mem    REG      252,1   112948 428934 /usr/lib/libgnome-keyring.so.0.1.1
ubuntuone 1563 narmi2  mem    REG      252,1   470976 132141 /lib/libgcrypt.so.11.5.2
ubuntuone 1563 narmi2  mem    REG      252,1    71432 131273 /lib/tls/i686/cmov/libresolv-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1    30684 131295 /lib/tls/i686/cmov/librt-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1  1405508 131258 /lib/tls/i686/cmov/libc-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1    10180 440269 /usr/lib/pyshared/python2.6/_dbus_glib_bindings.so
ubuntuone 1563 narmi2  mem    REG      252,1   390700 420742 /usr/lib/libgmp.so.3.5.2
ubuntuone 1563 narmi2  mem    REG      252,1   286296 131686 /lib/i686/cmov/libssl.so.0.9.8
ubuntuone 1563 narmi2  mem    REG      252,1    59576 433243 /usr/lib/pyshared/python2.6/gtk-2.0/glib/_glib.so
ubuntuone 1563 narmi2  mem    REG      252,1     9736 131261 /lib/tls/i686/cmov/libdl-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1   113964 155804 /lib/ld-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1    20104 526698 /usr/lib/python2.6/dist-packages/zope/interface/_zope_interface_coptimizations.so
ubuntuone 1563 narmi2  mem    REG      252,1    36156 457061 /usr/lib/pyshared/python2.6/gtk-2.0/gnomekeyring.so
ubuntuone 1563 narmi2  mem    REG      252,1     9748 144013 /lib/tls/i686/cmov/libutil-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1     9620 142004 /lib/libnss_mdns4_minimal.so.2
ubuntuone 1563 narmi2  mem    REG      252,1   117176 428164 /usr/lib/libdbus-glib-1.so.2.1.0
ubuntuone 1563 narmi2  mem    REG      252,1    11300   2700 /usr/lib/pyshared/python2.6/OpenSSL/rand.so
ubuntuone 1563 narmi2  mem    REG      252,1    62096   2701 /usr/lib/pyshared/python2.6/OpenSSL/crypto.so
ubuntuone 1563 narmi2  mem    REG      252,1   149392 131262 /lib/tls/i686/cmov/libm-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1   117086 131272 /lib/tls/i686/cmov/libpthread-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1  1364764 131644 /lib/i686/cmov/libcrypto.so.0.9.8
ubuntuone 1563 narmi2  mem    REG      252,1    14000 130811 /lib/libuuid.so.1.3.0
ubuntuone 1563 narmi2  mem    REG      252,1    42572 131267 /lib/tls/i686/cmov/libnss_files-2.11.1.so
ubuntuone 1563 narmi2  mem    REG      252,1   193860 130533 /lib/libpcre.so.3.12.1
ubuntuone 1563 narmi2  mem    REG      252,1    17856 399447 /usr/lib/python2.6/lib-dynload/termios.so
ubuntuone 1563 narmi2  mem    REG      252,1    17940 394371 /usr/lib/libgthread-2.0.so.0.2400.1
ubuntuone 1563 narmi2  mem    REG      252,1    16752 399430 /usr/lib/python2.6/lib-dynload/_heapq.so
ubuntuone 1563 narmi2  mem    REG      252,1    13604 132151 /lib/libgpg-error.so.0.4.0
ubuntuone 1563 narmi2  mem    REG      252,1    26048 467272 /usr/lib/gconv/gconv-modules.cache
ubuntuone 1563 narmi2  mem    REG      252,1   256324 400552 /usr/lib/locale/en_GB.utf8/LC_CTYPE
ubuntuone 1563 narmi2    0u   CHR        1,3      0t0    788 /dev/null
ubuntuone 1563 narmi2    1u   CHR        1,3      0t0    788 /dev/null
ubuntuone 1563 narmi2    2u   CHR        1,3      0t0    788 /dev/null
ubuntuone 1563 narmi2    3r  FIFO        0,8      0t0  10544 pipe
ubuntuone 1563 narmi2    4u   CHR        1,3      0t0    788 /dev/null
ubuntuone 1563 narmi2    5w  FIFO        0,8      0t0  10544 pipe
ubuntuone 1563 narmi2    6r  FIFO        0,8      0t0  10545 pipe
ubuntuone 1563 narmi2    7w  FIFO        0,8      0t0  10545 pipe
ubuntuone 1563 narmi2    8r  FIFO        0,8      0t0   5717 pipe
ubuntuone 1563 narmi2    9w  FIFO        0,8      0t0   5717 pipe
ubuntuone 1563 narmi2   10r  FIFO        0,8      0t0  10546 pipe
ubuntuone 1563 narmi2   11w  FIFO        0,8      0t0  10546 pipe
ubuntuone 1563 narmi2   12r  unix 0xdf22b600      0t0  10739 socket
ubuntuone 1563 narmi2   13r   REG      252,1   450267 260333 /home/narmi2/.cache/ubuntuone/log/syncdaemon.log
ubuntuone 1563 narmi2   14r   REG      252,1   446970 260357 /home/narmi2/.cache/ubuntuone/log/syncdaemon-exceptions.log
ubuntuone 1563 narmi2   15r   DIR       0,11        0      1 inotify
ubuntuone 1563 narmi2   16r   DIR       0,11        0      1 inotify
ubuntuone 1563 narmi2   17u  unix 0xdf22ba00      0t0  10780 socket
ubuntuone 1563 narmi2   18u  unix 0xdf22b400      0t0  10791 socket
ubuntuone 1563 narmi2   19r   CHR        1,9      0t0    793 /dev/urandom
ubuntuone 1563 narmi2   20u  IPv4      15140      0t0    TCP ubuntu.local:42831->firewall.narmi2.com:http-alt (ESTABLISHED)
ubuntuone 1563 narmi2   21u  IPv4      10809      0t0    TCP ubuntu.local:50600->ec2-174-129-241-144.compute-1.amazonaws.com:https (ESTABLISHED)
narmi2@ubuntu:~$

In the last few minutes after the reboot without using the internet browser, my computer has sent 1Mb and received 5Mb and increasing at a rate of roughly 10Kb a second for receiving and 2Kb a second for sending...

Commented:
So, looks like it's UbuntuOne that generates the traffic. Try turning it off.

Regards, Tobias

Author

Commented:
I have deleted ubuntuone because I do not use it, and the network activity has stopped!  Finally!!!

Any idea what ubuntuone was transmitting?  I do not log into ubuntu one, so why was it constantly transmitting around 10Kbs?

Commented:
I suppose that's the way UbuntuOne is designed. It might generate network traffic when checking if the Ubuntu One servers are up?

Regards, Tobias

Author

Commented:
That is really really bad if you're on pay as you go broadband...

Commented:
Yes, I agree!

It also might be a bug in Ubuntu One. If you want to dig deeper you could start UbuntuOne in debug mode. Check this: https://wiki.kubuntu.org/UbuntuOne/BugsKarmic

Regards, Tobias