Old 01-09-2009, 04:08 PM
T o n g
 
Unknown network traffic

Hi,

I've tried all the network bandwidth monitoring tools that I know to find
out the unknown network traffic I'm having now. I've tried iftop, netstat,
lsof and pktstat, and still can't find out the result. Please help.

First, neither of the following commands reveals anything suspicious:

netstat -ap | grep -v ^unix
lsof -i

However, iftop reports:

192.168.0.100 => 192.168.0.1 1.95Kb 1.24Kb 1.31Kb
<= 4.71Kb 3.50Kb 3.41Kb
192.168.0.100 => i118-17-235-161.s10.a024. 0b 130b 108b
<= 0b 107b 89b
192.168.0.100 => 71-15-119-132.dhcp.ftwo.t 0b 127b 106b
<= 0b 105b 87b
192.168.0.100 => 76.105.253.104 636b 127b 106b
<= 524b 105b 87b
192.168.0.100 => lan31-4-82-227-130-41.fbx 0b 127b 106b
<= 0b 105b 87b
192.168.0.100 => ctv-86-100-215-242.ip.ryg 0b 127b 106b
<= 0b 105b 87b
192.168.0.100 => i038098.gprs.dnafinland.f 636b 127b 106b
<= 524b 105b 87b
192.168.0.100 => host-89-228-137-138.gorzo 0b 127b 106b
<= 0b 105b 106b

Those are all the tools that I know; then I googled and found pktstat, which reports:

bps % desc
107.2 0% icmp unreach port 192.168.0.100 -> 119.40.7.39
107.2 0% icmp unreach port 192.168.0.100 -> 122-121-216-117
107.2 0% icmp unreach port 192.168.0.100 -> 17
107.2 0% icmp unreach port 192.168.0.100 -> 220-136-240-189
108.5 0% icmp unreach port 192.168.0.100 -> 227
105.4 0% icmp unreach port 192.168.0.100 -> 77.81.248.210
105.4 0% icmp unreach port 192.168.0.100 -> 83-157-127-150
108.5 0% icmp unreach port 192.168.0.100 -> 84
icmp unreach port 192.168.0.100 -> 87-121-157-166
82.8 0% icmp unreach port 192.168.0.100 -> 93.190.206.248
108.5 0% icmp unreach port 192.168.0.100 -> adsl110-221
105.4 0% icmp unreach port 192.168.0.100 -> bas3-montreal02-1096681363
108.5 0% icmp unreach port 192.168.0.100 -> bau06-5-88-168-64-43
107.2 0% icmp unreach port 192.168.0.100 -> cpc4-neat2-0-0-cust924
105.4 0% icmp unreach port 192.168.0.100 -> host217-43-58-203
icmp unreach port 192.168.0.100 -> host70-87-dynamic
108.5 0% icmp unreach port 192.168.0.100 -> host86-137-255-28
107.2 0% icmp unreach port 192.168.0.100 -> i222-150-158-232

My normal network bandwidth is almost 0. Now, with 1.95Kb outbound and
4.71Kb inbound, I don't know what's exactly going on with my network.
I've even tried to 'ifdown eth0' then 'ifup eth0', but the traffic
resumes. Can anyone help?


Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-10-2009, 10:43 AM
"James Youngman"
 
Unknown network traffic

On Fri, Jan 9, 2009 at 5:08 PM, T o n g <mlist4suntong@yahoo.com> wrote:
> Hi,
>
> I've tried all the network bandwidth monitoring tools that I know to find
> out the unknown network traffic I'm having now. I've tried iftop, netstat,
> lsof and pktstat, and still can't find out the result. Please help.
>
> First, neither of the following commands reveals anything suspicious:
>
> netstat -ap | grep -v ^unix
> lsof -i

Try switching to single-user mode in order to rule out most
locally-running programs and repeating the experiment.

At that point you should be able to just run "tcpdump -n -i blah"
(where blah is your outward-facing network interface, eth0 on my
machine here) and eyeball the raw information. Look for common
themes in the local and remote port numbers.


>
> However, iftop reports:
>
> 192.168.0.100 => 192.168.0.1 1.95Kb 1.24Kb 1.31Kb
> <= 4.71Kb 3.50Kb 3.41Kb

This is internal traffic (or should be; both addresses are unroutable
RFC1918 addresses).

> 192.168.0.100 => i118-17-235-161.s10.a024. 0b 130b 108b
> <= 0b 107b 89b
> 192.168.0.100 => 71-15-119-132.dhcp.ftwo.t 0b 127b 106b
> <= 0b 105b 87b
> 192.168.0.100 => 76.105.253.104 636b 127b 106b
> <= 524b 105b 87b
> 192.168.0.100 => lan31-4-82-227-130-41.fbx 0b 127b 106b
> <= 0b 105b 87b
> 192.168.0.100 => ctv-86-100-215-242.ip.ryg 0b 127b 106b
> <= 0b 105b 87b
> 192.168.0.100 => i038098.gprs.dnafinland.f 636b 127b 106b
> <= 524b 105b 87b
> 192.168.0.100 => host-89-228-137-138.gorzo 0b 127b 106b
> <= 0b 105b 106b

AFAICT most of these are other broadband users. Are you using some
kind of p2p tool? If not, perhaps they are compromised remote
systems attempting to compromise your machine. This would imply that
your computer is connected directly to the Internet, without benefit
of a separate firewall device. That's not such a great idea from a
security point of view.

>
> Those are all the tools that I know; then I googled and found pktstat, which reports:
>
> bps % desc
> 107.2 0% icmp unreach port 192.168.0.100 -> 119.40.7.39
> 107.2 0% icmp unreach port 192.168.0.100 -> 122-121-216-117
> 107.2 0% icmp unreach port 192.168.0.100 -> 17
> 107.2 0% icmp unreach port 192.168.0.100 -> 220-136-240-189
> 108.5 0% icmp unreach port 192.168.0.100 -> 227
> 105.4 0% icmp unreach port 192.168.0.100 -> 77.81.248.210
> 105.4 0% icmp unreach port 192.168.0.100 -> 83-157-127-150
> 108.5 0% icmp unreach port 192.168.0.100 -> 84
> icmp unreach port 192.168.0.100 -> 87-121-157-166
> 82.8 0% icmp unreach port 192.168.0.100 -> 93.190.206.248
> 108.5 0% icmp unreach port 192.168.0.100 -> adsl110-221
> 105.4 0% icmp unreach port 192.168.0.100 -> bas3-montreal02-1096681363
> 108.5 0% icmp unreach port 192.168.0.100 -> bau06-5-88-168-64-43
> 107.2 0% icmp unreach port 192.168.0.100 -> cpc4-neat2-0-0-cust924
> 105.4 0% icmp unreach port 192.168.0.100 -> host217-43-58-203
> icmp unreach port 192.168.0.100 -> host70-87-dynamic
> 108.5 0% icmp unreach port 192.168.0.100 -> host86-137-255-28
> 107.2 0% icmp unreach port 192.168.0.100 -> i222-150-158-232
>
> My normal network bandwidth is almost 0.

First of all, these are very small numbers. This almost certainly is
not a summary of what's using up all your bandwidth (if that's indeed
happening). But these ICMP port-unreachable errors indicate that the
remote systems are trying to communicate with a network port you're
not listening on. Perhaps they are trying to perform some SQL Server
exploit or something like that.

James.


 
Old 01-11-2009, 08:58 PM
"Javier Barroso"
 
Unknown network traffic

On Fri, Jan 9, 2009 at 6:08 PM, T o n g <mlist4suntong@yahoo.com> wrote:
> Hi,
>
> I've tried all the network bandwidth monitoring tools that I know to find
> out the unknown network traffic I'm having now. I've tried iftop, netstat,
> lsof and pktstat, and still can't find out the result. Please help.
Perhaps capturing packets with wireshark / tcpdump could help you to
interpret that traffic.

Regards


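The raw-capture triage that both James (tcpdump on the outward-facing interface, looking for common themes in the port numbers) and Javier (tcpdump/wireshark) recommend, as an added example that is not from the thread: a small hypothetical Python script, written for this page, that parses "tcpdump -n" output, separates replies to conversations this host opened from unsolicited inbound packets, tallies the unsolicited ones by local port and remote host, and counts the ICMP port-unreachable messages the host sent back. The capture text is constructed: the remote addresses are the ones quoted above, while timestamps, ports and packet lengths are invented. One caveat when reading the pktstat output: the kernel sends ICMP port unreachable for UDP datagrams aimed at a port with no listener, whereas a TCP SYN to a closed port is answered with a RST, so an ICMP-only view understates TCP probes, and the script tracks both.

```python
"""Triage a "tcpdump -n" capture: which local ports draw unsolicited traffic,
from which remote hosts, and which ports the kernel answered with ICMP
port unreachable. Hypothetical helper written for this page, not a tool
from the thread."""
import re
from collections import Counter

LOCAL_ADDR = "192.168.0.100"  # the host under investigation in the thread

# Constructed sample of "tcpdump -n -i eth0" output. The remote addresses are
# those quoted in the thread; timestamps, ports and lengths are invented.
SAMPLE_CAPTURE = """\
20:01:01.000001 IP 192.168.0.100.48513 > 192.168.0.1.53: 41337+ A? deb.debian.org. (32)
20:01:01.010002 IP 192.168.0.1.53 > 192.168.0.100.48513: 41337 1/0/0 A 10.0.0.9 (48)
20:01:02.000003 IP 76.105.253.104.12587 > 192.168.0.100.6881: UDP, length 89
20:01:02.000004 IP 192.168.0.100 > 76.105.253.104: ICMP 192.168.0.100 udp port 6881 unreachable, length 125
20:01:03.000005 IP 93.190.206.248.41001 > 192.168.0.100.6881: UDP, length 64
20:01:03.000006 IP 192.168.0.100 > 93.190.206.248: ICMP 192.168.0.100 udp port 6881 unreachable, length 100
20:01:04.000007 IP 77.81.248.210.56002 > 192.168.0.100.6881: UDP, length 71
20:01:04.000008 IP 192.168.0.100 > 77.81.248.210: ICMP 192.168.0.100 udp port 6881 unreachable, length 107
20:01:05.000009 IP 119.40.7.39.3022 > 192.168.0.100.1433: Flags [S], seq 1, win 65535, length 0
20:01:05.000010 IP 192.168.0.100.1433 > 119.40.7.39.3022: Flags [R.], seq 0, ack 2, win 0, length 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ICMP_RE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    rf"ICMP {IPV4} (?P<proto>udp|tcp) port (?P<port>\d+) unreachable"
)
FLOW_RE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Classify one tcpdump line as an ICMP port-unreachable, a flow, or noise."""
    m = ICMP_RE.match(line)
    if m:
        return {"kind": "icmp_unreach", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"], "port": int(m["port"])}
    m = FLOW_RE.match(line)
    if not m:
        return None
    flags = FLAGS_RE.search(m["rest"])
    # tcpdump prints "Flags [...]" only for TCP; everything else is treated as
    # UDP here, which also covers DNS (decoded instead of tagged "UDP,").
    return {"kind": "flow", "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": "tcp" if flags else "udp",
            "flags": flags.group(1) if flags else ""}


def summarize(capture, local=LOCAL_ADDR):
    """Tally unsolicited inbound packets and ICMP unreachables sent by `local`."""
    initiated = set()        # (proto, local port) of conversations this host opened
    unsolicited = Counter()  # (proto, local port) hit without local initiation
    remotes = Counter()      # remote hosts sending those unsolicited packets
    unreachable = Counter()  # (proto, port) answered with ICMP port unreachable
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "icmp_unreach":
            if rec["src"] == local:
                unreachable[(rec["proto"], rec["port"])] += 1
            continue
        if rec["src"] == local:
            # A pure SYN or any UDP datagram from us opens a conversation;
            # a RST or ACK from us is a response and must not mask later probes.
            if rec["proto"] == "udp" or rec["flags"] == "S":
                initiated.add((rec["proto"], rec["sport"]))
        elif rec["dst"] == local:
            key = (rec["proto"], rec["dport"])
            if key not in initiated:
                unsolicited[key] += 1
                remotes[rec["src"]] += 1
    return {"unsolicited": dict(unsolicited), "remotes": dict(remotes),
            "unreachable": dict(unreachable)}


def report(summary):
    """Human-readable version of summarize(), the view you would eyeball on the box."""
    lines = ["unsolicited inbound by local port:"]
    for (proto, port), n in sorted(summary["unsolicited"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {proto}/{port}: {n} packet(s)")
    lines.append("remote hosts involved:")
    for host, n in sorted(summary["remotes"].items()):
        lines.append(f"  {host}: {n}")
    lines.append("ports answered with ICMP port unreachable (nothing listening):")
    for (proto, port), n in sorted(summary["unreachable"].items()):
        lines.append(f"  {proto}/{port}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_CAPTURE)))
```

On a real box, save a capture with "tcpdump -n -i eth0 > cap.txt" (in single-user mode if you want local programs ruled out, as James suggests) and call summarize() on the file's contents; the ports that come out as unsolicited are the ones to compare against what "netstat -ap" and "lsof -i" say is actually listening, and a port that draws steady traffic without any local listener is exactly the pattern the pktstat output above shows.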
 
