[Geobunny]

I'm running MenuMeters (great little app) to monitor CPU usage and network traffic. For a while now I've noticed that my computer's ethernet card seems to be receiving random packets at a rate of about 4 Kb/s! The only services I'm running are AppleShare, SSH and Apache - none of which are actually being used. Even if they were the culprits, I presume I'd also be seeing corresponding outgoing packets, but as you can see from the screenshot, that's not happening.

http://markjallan.pwp.blueyonder.co.uk/packets.gif

I know it's not a user-level process as I've logged into ">console" as root and there are very very few processes running. netstat shows only a handful of open ports, only two of which are "LISTEN".

Here's my setup:

[ Blueyonder (cable ISP) ]
Cable modem -> ethernet hub 'uplink' port -> QS G4/733/OS X.2.6 (running NAT on same eth0 interface, no DHCP) -> same hub as before (obviously!) -> beige G3/266/OS 9.2.2

The G3 is switched off most of the time as only my parents use it, but the packet stream is somewhat constant...and very annoying.

I've tried turning NAT off and that makes no difference. I'm about to reboot into OS 9 to see if that makes any difference.

Anybody got any ideas?

Thanks

[juanpacolopez]

Originally posted by Geobunny:
Anybody got any ideas?

Thanks

No ideas, but I'm very interested in this as I've noticed the same thing. I can't help but wonder if it's a menumeters bug.

[Wevah]

I get constant incoming network traffic of about 60 bytes per second. I think it might just have something to do with broadcast packets and whatnot, but 4K/sec sounds odd.

[Geobunny]

It's definitely not a MenuMeters bug, the same thing just happened when I booted into OS 9. I'm back in OS X now and I've just done a tcpdump from the terminal. The packets all seem to be ARP requests from machine X to machine Y (blueyonder seems to own machine Y), machine X is not mine!

Here's a snippet:

Code:
tcpdump -c 10
tcpdump: listening on en0
01:42:12.115715 arp who-has pc-80-195-45-12-ed.blueyonder.co.uk tell s06-ubr07-ed.blueyonder.co.uk
01:42:12.117540 arp who-has 82-41-50-133.cable.ubr07.edin.blueyonder.co.uk tell 82-41-48-1.cable.ubr07.edin.blueyonder.co.uk
01:42:12.150166 arp who-has 82-41-51-147.cable.ubr07.edin.blueyonder.co.uk tell 82-41-48-1.cable.ubr07.edin.blueyonder.co.uk
01:42:12.212922 arp who-has pc-80-195-44-57-ed.blueyonder.co.uk tell s05-ubr07-ed.blueyonder.co.uk
01:42:12.482276 arp who-has 82-41-49-117.cable.ubr07.edin.blueyonder.co.uk tell 82-41-48-1.cable.ubr07.edin.blueyonder.co.uk
01:42:12.694408 arp who-has 82-41-48-77.cable.ubr07.edin.blueyonder.co.uk tell 82-41-48-1.cable.ubr07.edin.blueyonder.co.uk
01:42:12.860874 arp who-has 82-41-48-56.cable.ubr07.edin.blueyonder.co.uk tell 82-41-48-1.cable.ubr07.edin.blueyonder.co.uk
01:42:12.971213 arp who-has pc-80-195-45-165-ed.blueyonder.co.uk tell s06-ubr07-ed.blueyonder.co.uk
01:42:12.977583 arp who-has pc-80-195-45-166-ed.blueyonder.co.uk tell s06-ubr07-ed.blueyonder.co.uk
01:42:12.984107 arp who-has pc-80-195-45-167-ed.blueyonder.co.uk tell s06-ubr07-ed.blueyonder.co.uk
23 packets received by filter
0 packets dropped by kernel

Not a single one of those IP addresses is mine, so I want to know what's going on! I've emailed Blueyonder's helpdesk and will post the reply here....if I get one

[Tritium]

ARP packets are ethernet broadcasts, they will be received by every machine on the segment. Cable companies seem to have a bunch of modems connected to the same ethernet segment, so that broadcasts are received by everyone. Even on switched ethernet, ARP requests are sent to every port.

[Art Vandelay]

Cable broadband is a shared network. It is normal for you to be seeing all that traffic. Even on switched networks, you will still see broadcasts as was said before.

[RooneyX]

It's your porn cookies. How many times do I have to say this?

[Geobunny]

Originally posted by Tritium:
ARP packets are ethernet broadcasts, they will be received by every machine on the segment. Cable companies seem to have a bunch of modems connected to the same ethernet segment, so that broadcasts are received by everyone. Even on switched ethernet, ARP requests are sent to every port.

I'm aware of that and I know what ARP packets are, but I never used to get so many of them. 4Kb/s is a tad excessive.

[Arkham_c]

I suspect that since you're not behind a router, you're seeing network chatter from everyone else on your end of the cable modem head-end. Everyone in your neighborhood running Windows is broadcasting assorted SAMBA packets. Everyone running OSX is broadcasting Rendezvous packets. Etc.

If you want to know conclusively, get Ethereal and run it. It will break down the packets by port and protocol and will even show you the content of each packet broken down by datagram.

[cybergoober]

Humor me here and turn off internet sharing and see what happens...

Why, you ask?
When I was running internet sharing on my G4 a while back to share its connection with my TiBook over AirPort, I had noticed this same constant stream of incoming packets. One day, after about a month of this, I finally got a call from one of the network admins (I'm on a fairly large local area network) asking me what was going on with my machine. I said I didn't know. Turns out the G4 was intercepting BootP requests! As soon as I turned off internet sharing the incoming packets ceased. Shortly after that I got another drop in my cubicle and haven't used internet sharing since, so I don't know what the fix might be. Seemed to be an issue of the G4 acting as a router or something...

Just a guess.

[Geobunny]

Originally posted by cybergoober:
Humor me here and turn off internet sharing and see what happens...

Why, you ask?
When I was running internet sharing on my G4 a while back to share its connection with my TiBook over AirPort, I had noticed this same constant stream of incoming packets. One day, after about a month of this, I finally got a call from one of the network admins (I'm on a fairly large local area network) asking me what was going on with my machine. I said I didn't know. Turns out the G4 was intercepting BootP requests! As soon as I turned off internet sharing the incoming packets ceased. Shortly after that I got another drop in my cubicle and haven't used internet sharing since, so I don't know what the fix might be. Seemed to be an issue of the G4 acting as a router or something...

Just a guess.

Scary stuff! I've already tried turning internet sharing/NAT off. I even rebooted into OS 9 which doesn't have any form of internet sharing installed at all.

[cybergoober]

Hmm.

Weird stuff indeed, mate. Hope you get it sorted.

[Person Man]

Originally posted by cybergoober:
Seemed to be an issue of the G4 acting as a router or something...

Yes, there is a bug in the 10.2 implementation of internet connection sharing that allows your machine to act as a "rogue DHCP server" on the network.

See the following warning from Princeton University for more info:

http://www.net.princeton.edu/mac/internet-sharing-x/

[Geobunny]

Here's the reply I just got from Blueyonder, TWO days after my original email. Bear in mind that I've already had the standard response email stating "we are investigating the problem and will get back to you shortly"

Dear Sir/Madam,

Thank you for your email to blueyonder Technical Support.

If you suspect a blueyonder user of committing an act of abuse, to ensure that this issue is dealt with correctly, please could you send any details you have to our abuse team by email at the address:

abuse@blueyonder.co.uk

The abuse team will have all the tools needed to deal with this issue accordingly.

If the person you suspect is not a blueyonder customer, please contact the abuse team of their ISP to report their actions. This is usually done by mailing the details to abuse@ispname, eg abuse@hotmail.com.

Kind regards,


Amy Haggarty

blueyonder Technical Support.
=========================

Is it just me, or does anyone else get pissed off when they feel they know more than the Technical Support department?!

[Mr Scruff]

Originally posted by Geobunny:
Here's the reply I just got from Blueyonder, TWO days after my original email. Bear in mind that I've already had the standard response email stating "we are investigating the problem and will get back to you shortly"



Is it just me, or does anyone else get pissed off when they feel they know more than the Technical Support department?!

It's true - but if you worked in tech support you'd assume everyone that came to you was a moron as well.

[Geobunny]

Originally posted by Mr Scruff:
It's true - but if you worked in tech support you'd assume everyone that came to you was a moron as well.

I do....and they ARE!

[SMacTech]

You can try netstat in terminal to see your active connections. I see ~ 60B/s on our local LAN with about 100 users with menumeters.

[Geobunny]

Originally posted by SMacTech:
You can try netstat in terminal to see your active connections. I see ~ 60B/s on our local LAN with about 100 users with menumeters.

I already tried that. Said as much in my original post. I'll email my original helpdesk email to some other addresses @blueyonder.co.uk - they'll either bounce or get to someone clueful!