
How To Identify Mysterious Constant Downloading?
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 12, 2003, 12:51 PM
 
my network activity shows a constant stream of ~30 K/s download and zero upload (shown by menumeters). I've killed all my processes and it's still there. Pulling the ethernet cable is the only way I've found to stop it. Restarting is a temporary reprieve, but it always returns (at least, in the last 3 days it has). OS X's firewall is on. I've looked in tcpdump and netstat, but I must admit I don't know what I'm looking for there.

Please help me find the culprit!

thanks
(Last edited by Uncle Skeleton; Sep 12, 2003 at 01:07 PM. )
     
Grizzled Veteran
Join Date: Oct 1999
Location: Minneapolis
Sep 12, 2003, 01:50 PM
 
You run/ran a program called direct connect p2p app, as that will cause similar problems.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 12, 2003, 02:00 PM
 
are you asking or telling? I do run mlMac, but it was not downloading at the time, and the network activity continued after closing the mlnet daemon. If anyone can confirm that mlMac runs other processes besides mlnet, I'll look into it, but I don't think it does.
     
Mac Enthusiast
Join Date: Aug 2000
Location: Land of the Free
Sep 12, 2003, 02:06 PM
 
Yeah, I get this too in MenuMeters. Are you sure it is a process or is it just a bug in the meters? Maybe you could try using Little Snitch and see what it says.
Backup your Backup
     
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Sep 12, 2003, 02:26 PM
 
Sorry, must spend more time reading people's posts. Didn't see you mentioned netstat. That should give you a clue.

Try running netstat in Terminal to view your active connections. You will see something like this :
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.0.94.50515 mail.kachinachap.pop3 ESTABLISHED
tcp4 0 0 10.0.0.94.50509 208.185.101.168..http CLOSE_WAIT
tcp4 0 0 10.0.0.94.50507 servedby.adverti.http CLOSE_WAIT
tcp4 0 0 localhost.50296 localhost.ipp CLOSE_WAIT
tcp4 0 0 localhost.50295 localhost.ipp CLOSE_WAIT
tcp4 0 0 10.0.0.94.50271 64.12.30.24.aol ESTABLISHED
tcp4 92 0 10.0.0.94.50266 i064.tdlc.com.ftp CLOSE_WAIT
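As an added example (not part of SMacTech's post), here is what to do with those columns once you have them: parse the table, keep the ESTABLISHED connections whose peer is not the machine itself, and note the local port, which is what you hand to lsof -i :<port> (assumed to be available on the box; sudo may be needed to see other users' processes) to name the owning process. The sample rows are constructed.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "proto recvq sendq local foreign state")

# Constructed sample in the column layout SMacTech shows above; the
# addresses are documentation ranges, not anything from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.94.50515        mail.example.net.pop3  ESTABLISHED
tcp4       0      0  10.0.0.94.50509        198.51.100.7.http      CLOSE_WAIT
tcp4       0      0  localhost.50296        localhost.ipp          CLOSE_WAIT
tcp4   14600      0  10.0.0.94.50271        203.0.113.9.8888       ESTABLISHED
tcp4       0      0  10.0.0.94.50266        ftp.example.org.ftp    CLOSE_WAIT
udp4       0      0  *.5353                 *.*
"""


def parse_netstat(text):
    """Turn netstat's table into Conn records, skipping the header rows.
    udp rows have no (state) column, so state is left empty for them."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        state = f[5] if len(f) > 5 else ""
        conns.append(Conn(f[0], int(f[1]), int(f[2]), f[3], f[4], state))
    return conns


def split_endpoint(endpoint):
    """netstat writes host.port; the port is everything after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def receiving_peers(conns, local_names=("localhost",)):
    """ESTABLISHED connections to peers that are not this machine, sorted by
    Recv-Q (bytes the kernel has received that the owning process has not
    read yet; not a download meter, but a non-zero value confirms data is
    arriving on that socket). 'check' is the lsof command (assumed to be
    installed) that names the process owning the local port."""
    out = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        peer, peer_port = split_endpoint(c.foreign)
        if peer in local_names:
            continue
        _, local_port = split_endpoint(c.local)
        out.append({"peer": peer, "peer_port": peer_port,
                    "local_port": local_port, "recvq": c.recvq,
                    "check": "lsof -i :%s" % local_port})
    out.sort(key=lambda d: -d["recvq"])
    return out


if __name__ == "__main__":
    for p in receiving_peers(parse_netstat(SAMPLE_NETSTAT)):
        print("%-20s port %-6s local %-6s Recv-Q %6d  -> %s"
              % (p["peer"], p["peer_port"], p["local_port"], p["recvq"], p["check"]))
```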
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 12, 2003, 02:57 PM
 
oh yeah, one more thing. Last night I was struggling with this, and when I killed something called Fernbedienung (or something) that resides inside the folder for my video capture card (televio), the downloading seemed to stop. Since then, the downloading returned and the process didn't, so I guess it was a coincidence. But maybe not.

israces: yes, the only control I could think of for instrumentation failure is that when I unplugged the cable the reported activity did drop to zero. I will try Little Snitch when I get home and plug the cable back in. Are you saying that for you, menumeters actually reports a false positive signal? how did you determine that it was a false positive (like, how do you know the other test isn't wrong)?


SMacTech: yes, I did see something like that. So, what does that tell me exactly? I still don't understand what to look for in the output. Does it just tell me the remote address that I'm receiving from? What do I do from there if I don't recognize the address?

thanks all
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Sep 12, 2003, 04:27 PM
 
I have the same problem. I haven't messed with it in a while since our network went down last week due to the Blaster virus. (People returned to campus and hooked up their infected computers, yaay!)

I ran tcpdump and redirected the output to a file, I just never got around to posting it. I will post it here.

packets.tgz [194KB]

The conditions of that output are: 1) there is no outgoing traffic. I used Little Snitch to block any and all outgoing traffic, 2) All lines with "arp" were ignored. Being normal, they wouldn't provide anything interesting and only make the file larger, 3) this is 20 minutes worth of data. I did nothing else with my iBook during this time. 4) I am s0041.summer.res-hall.gac.edu.

The interesting thing I noticed is that lots of random hosts seem to be connecting to me for something. I don't know what it is. I am not requesting anything from them, as I have no outgoing traffic. They just seem to show up out of nowhere.
(Last edited by Xeo; Sep 12, 2003 at 04:36 PM. )
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 12, 2003, 05:24 PM
 
well it's reassuring to know that other people have this and their hard drives weren't erased by it, but Xeo your problem sounds a little different. you said you had 2-3K interspersed with 20K blips. Mine is a constant, sustained 30K/s download. (I have comcast cable, limited to 256K/s down, I think)

I'll do the tcpdump to file (I can't believe I didn't think of putting it in a file) when I get home, but I still don't really know how to interpret the output of these utilities. Do they show what port you're being accessed on? Do they let you do anything about it?

anyway, thanks again
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 12, 2003, 06:42 PM
 
Originally posted by Xeo:
I have the same problem. I haven't messed with it in a while since our network went down last week due to the Blaster virus. (People returned to campus and hooked up their infected computers, yaay!)

I ran tcpdump and redirected the output to a file, I just never got around to posting it. I will post it here.

packets.tgz [194KB]

The conditions of that output are: 1) there is no outgoing traffic. I used Little Snitch to block any and all outgoing traffic, 2) All lines with "arp" were ignored. Being normal, they wouldn't provide anything interesting and only make the file larger, 3) this is 20 minutes worth of data. I did nothing else with my iBook during this time. 4) I am s0041.summer.res-hall.gac.edu.

The interesting thing I noticed is that lots of random hosts seem to be connecting to me for something. I don't know what it is. I am not requesting anything from them, as I have no outgoing traffic. They just seem to show up out of nowhere.
I can tell you the following from that packet dump. Firstly, after I grepped out all the broadcast traffic, for example:
1. Anything that has a 224.x.x.x address (that is multicast traffic such as Rendezvous and various streaming programs)
2. Any line with a ff:ff:ff (these are usually going to be rarps or IPX broadcast traffic)
3. Anything with a 255.255 in the line (broadcast again..)

that removed about half the packets. Looking at what was left, a vast amount of it goes to a port that has been registered as a license manager daemon for InterBASE. I did a cursory search on Google and couldn't find any other application that uses port 1454 commonly.

That left 3259 packets, which was almost all icmp port scanning activity. Could be a management tool or something, or if it's coming from the internet could be just your typical script kiddy garbage. Not very threatening though.

I also saw a few packets that look like bittorrents, if you have ever taken part in a torrent it seems like people who have left their download windows open will continuously try to re-peer with you on an occasional basis. I see this sometimes too on my box. That accounts for 585 of the remaining 3259 packets. There was also traffic related to a different licensing service.

So, in summary, this traffic is all completely normal and to be expected of a host that is connected to a largish network (like a university.)

Hope this helps.

EDIT: Oh, forgot to mention, it looks like you are on a shared port with a few other hosts. So quite a bit of that traffic wasn't even directed at your host. In fact, now that I look at it again, all the bittorrent traffic was aimed at a different box on your port.
(Last edited by geekwagon; Sep 12, 2003 at 06:48 PM. )
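Putting geekwagon's filtering rules into a script, as an added example rather than anything posted in the thread: it drops the multicast, broadcast and arp lines, then counts what remains by destination port and by whether the local host (assumed here to be s0041, per Xeo's post) is even a party to the packet. The sample lines are constructed in tcpdump's one-line summary format; the other host names are made up.

```python
import re
from collections import Counter

# Constructed sample, modelled on tcpdump's one-line summaries of the era
# ("<time> <src> > <dst>: <summary>"). Not taken from the thread's capture;
# s0041 stands in for Xeo's host, the other names are made up.
SAMPLE_DUMP = """\
10:00:01.000001 s0036.summer.res-hall.gac.edu.1454 > s0071.summer.res-hall.gac.edu.1454: udp 64
10:00:01.100000 s0036.summer.res-hall.gac.edu.1454 > s0041.summer.res-hall.gac.edu.1454: udp 64
10:00:01.200000 192.0.2.20.6881 > s0036.summer.res-hall.gac.edu.6881: S 1:1(0) win 65535
10:00:01.300000 10.1.2.3 > 224.0.0.1: igmp query
10:00:01.400000 arp who-has 10.1.2.9 tell 10.1.2.1
10:00:01.500000 10.1.2.7.138 > 10.1.255.255.138: udp 201
10:00:01.600000 0:3:93:8:96:fc ff:ff:ff:ff:ff:ff 0x8137 60: ipx
10:00:01.700000 scanner.example.net > s0041.summer.res-hall.gac.edu: icmp: echo request
10:00:01.800000 scanner.example.net > s0036.summer.res-hall.gac.edu: icmp: echo request
10:00:01.900000 s0041.summer.res-hall.gac.edu.5353 > 224.0.0.251.5353: udp 120
"""

# geekwagon's three noise rules (224.x.x.x multicast, ff:ff:ff ethernet
# broadcast, 255.255 IP broadcast) plus the arp lines Xeo dropped by hand.
NOISE = re.compile(r"(?:^|\s)224\.\d+\.\d+\.\d+|ff:ff:ff|255\.255|\barp\b")

# "<time> [IP] <src> > <dst>: <summary>"; the optional IP token is what
# newer tcpdump versions print.
LINE = re.compile(r"^\S+\s+(?:IP\s+)?(\S+) > (\S+?):\s*(.*)$")


def dst_port(dst, summary):
    """Destination port = last dotted component of <dst>; None for icmp,
    which carries no port."""
    if summary.startswith("icmp"):
        return None
    host, _, port = dst.rpartition(".")
    return port if host else None


def triage(dump, local_host):
    """Drop noise, then count what is left by destination port and by
    whether our own host is even a party to the packet."""
    stats = {"dropped_noise": 0, "kept": 0, "unparsed": 0,
             "involving_local": 0, "icmp": 0, "by_dst_port": Counter()}
    for line in dump.splitlines():
        if not line.strip():
            continue
        if NOISE.search(line):
            stats["dropped_noise"] += 1
            continue
        m = LINE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        src, dst, summary = m.groups()
        stats["kept"] += 1
        if local_host in src or local_host in dst:
            stats["involving_local"] += 1
        if summary.startswith("icmp"):
            stats["icmp"] += 1
        port = dst_port(dst, summary)
        if port is not None:
            stats["by_dst_port"][port] += 1
    return stats


if __name__ == "__main__":
    s = triage(SAMPLE_DUMP, "s0041")
    print("noise dropped:", s["dropped_noise"], " kept:", s["kept"])
    print("packets involving s0041:", s["involving_local"], "of", s["kept"])
    print("icmp:", s["icmp"], " by dst port:", dict(s["by_dst_port"]))
```

On a real capture, feed it the text file from tcpdump and your own host name; a large "kept" count with a small "involving_local" count is the shared-segment situation geekwagon describes.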
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 12, 2003, 06:44 PM
 
Originally posted by Uncle Skeleton:
well it's reassuring to know that other people have this and their hard drives weren't erased by it, but Xeo your problem sounds a little different. you said you had 2-3K interspersed with 20K blips. Mine is a constant, sustained 30K/s download. (I have comcast cable, limited to 256K/s down, I think)

I'll do the tcpdump to file (I can't believe I didn't think of putting it in a file) when I get home, but I still don't really know how to interpret the output of these utilities. Do they show what port you're being accessed on? Do they let you do anything about it?

anyway, thanks again
Uncle Skeleton,

Go ahead and post your dump when you get a chance. Since you are on a cable modem I bet that most of the traffic that you are seeing isn't even directed at your host (cable modems are on a shared network, like a hub, not a switch.)

EDIT, oh, and Comcast is 1.5mb down and 256kb up BTW.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 12, 2003, 10:24 PM
 
thanks geekwagon. After leaving the ethernet cable unplugged all day, it seems the activity is gone, for now. As soon as it starts up again I'll dump it to a file and post it
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Sep 13, 2003, 04:06 AM
 
Originally posted by geekwagon:
EDIT: Oh, forgot to mention, it looks like you are on a shared port with a few other hosts. So quite a bit of that traffic wasn't even directed at your host. In fact, now that I look at it again, all the bittorrent traffic was aimed at a different box on your port.
Thanks a lot for the breakdown. I have two computers in my room that are connected to a switch. The uplink is connected to the room port, which is hubbed to the rest of the building. The building is switched to the main server room on campus which handles everything else.

I'm confused about the part I quoted. I know all the broadcast stuff is normal, but wouldn't I not see the bittorrent traffic going to other boxes since I am on a switch locally? Wouldn't the switch not send me anything unless it was specifically directed to me? I guess I'm confused at how switches decide to send information along.
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 13, 2003, 05:07 AM
 
Originally posted by Xeo:
Thanks a lot for the breakdown. I have two computers in my room that are connected to a switch. The uplink is connected to the room port, which is hubbed to the rest of the building. The building is switched to the main server room on campus which handles everything else.

I'm confused about the part I quoted. I know all the broadcast stuff is normal, but wouldn't I not see the bittorrent traffic going to other boxes since I am on a switch locally? Wouldn't the switch not send me anything unless it was specifically directed to me? I guess I'm confused at how switches decide to send information along.
Well, you are absolutely right that the switch should only transmit you things that are either 1: addressed to your MAC address or 2: ethernet broadcasts. Not sure why other stuff was showing up in there, but I definitely remember seeing lines that had 2 hosts that didn't match the names that you gave me above. There are other reasons why that could happen. Some nameservice glitch (the names that are output by tcpdump are resolved on your local host, they aren't attached to the packets), your switch doesn't have the best algorithm for keeping track of what MAC address is plugged into which port, or the switch was exceeding its processing capability and was simply forwarding all traffic rather than slowing traffic down while it processes it.

The last option doesn't seem very likely from the total amount of traffic in that file, so I am betting on the 1st or 2nd options.

OK, I just grepped around in that file some more. Of the 13242 packets that were captured, only 118 were resolved to originating or terminating at s0041. Approximately 8500 non-broadcast packets were aimed at or originated at various other hosts (s0036, s0071, etc.) Most of the traffic that came from/to s0041 were IGMP (router discovery) and Dynamic DNS (also known as Rendezvous). I didn't realize that OS X started up "routed" (which is where the IGMP traffic would come from), in fact I don't see it on my box. Do you have Internet Sharing on maybe? Or maybe the firewall does it.

tcpdump doesn't give enough information compared to something like snoop on Solaris or Ethereal so it's hard to say exactly what those packets that don't involve your host are doing on your switch port. I am kinda guessing that your switch is just kinda leaky however.

Do you have Fink installed perchance? If you captured me a few minutes of traffic in Ethereal (which runs under X11 and can be downloaded via Fink) I could tell you a lot more. Ethereal will also give the full ethernet headers and the payload of the packet, not just the one line summary (to be fair, tcpdump can do this too, but since it dumps it to a text file it is really, really hard to read and process). This is why I love OS X, I can use all my favorite tools, yet still run MS Word on the same machine.

If you are really interested. I'm kinda curious, what brand/model of switch are you using?
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Sep 13, 2003, 05:43 AM
 
Originally posted by geekwagon:
Do you have Fink installed perchance? If you captured me a few minutes of traffic in Ethereal (which runs under X11 and can be downloaded via Fink) I could tell you a lot more. Ethereal will also give the full ethernet headers and the payload of the packet, not just the one line summary (to be fair, tcpdump can do this too, but since it dumps it to a text file it is really, really hard to read and process). This is why I love OS X, I can use all my favorite tools, yet still run MS Word on the same machine.

If you are really interested. I'm kinda curious, what brand/model of switch are you using?
Actually, I do have fink installed as well as ethereal. I'm not booted into Jaguar right now so I'll wait until later to log the packets. What flags should I use to get the output? Just run tethereal and redirect to a file?

The brand and model of the switch I *was* using is SpeedStream SS2105. I'm now using my Linksys EZXS55W. I believe the traffic is still coming, even on this different switch. Again, I'll have to wait until later to check.

I'll post back later.
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 13, 2003, 06:27 AM
 
Originally posted by Xeo:
Actually, I do have fink installed as well as ethereal. I'm not booted into Jaguar right now so I'll wait until later to log the packets. What flags should I use to get the output? Just run tethereal and redirect to a file?

The brand and model of the switch I *was* using is SpeedStream SS2105. I'm now using my Linksys EZXS55W. I believe the traffic is still coming, even on this different switch. Again, I'll have to wait until later to check.

I'll post back later.
In the capture window, leave "filter" blank, set it to capture from "en1" (should be your internal ethernet) and under file just put in a name of a file for it to save to. Also make sure that all 3 of the "name resolution" options are checked (enabled) that makes my life easier than dealing with IP and MAC addresses.
Make sure that none of the "only capture x packets" or similar options are on. Just hit capture and wait until you've got a good number of packets. When it is done, I think you need to save the file via the file menu before you exit the program, although that might have changed in the more recent versions, can't remember for sure.

Oh, and also send the output of "ifconfig -a" so I will know your MAC address for sure.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 16, 2003, 12:45 AM
 
well, I finally had another incident tonight, and I saved tcpdump to a file. I'm disturbed by the fact that twice tcpdump ran for a few minutes and then crashed with a segmentation fault. And then the download suddenly stopped before I could try the other apps mentioned here.

Anyway, geekwagon, I'll PM you with the file. For some reason my paranoid schizophrenia is acting up about posting all manner of information about myself while I'm having an unexplained network hemorrhage
     
Mac Enthusiast
Join Date: Aug 2000
Location: Land of the Free
Sep 17, 2003, 01:33 AM
 
Originally posted by Uncle Skeleton:


israces: yes, the only control I could think of for instrumentation failure is that when I unplugged the cable the reported activity did drop to zero. I will try Little Snitch when I get home and plug the cable back in. Are you saying that for you, menumeters actually reports a false positive signal? how did you determine that it was a false positive (like, how do you know the other test isn't wrong)?
Yes, I occasionally see a 30B/s reading in MenuMeters. Then, I say to myself "What the hell is that?" and I think about it for a second. Then, I seem to just go right back to working on whatever it is I was doing when I noticed it and vow to figure out what it is when I get some time. This process repeats several times a month. I have done exactly nothing about it, so I am really interested in what you guys figure out.
Backup your Backup
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 17, 2003, 03:05 AM
 
Originally posted by israces:
Yes, I occasionally see a 30B/s reading in MenuMeters. Then, I say to myself "What the hell is that?" and I think about it for a second. Then, I seem to just go right back to working on whatever it is I was doing when I noticed it and vow to figure out what it is when I get some time. This process repeats several times a month. I have done exactly nothing about it, so I am really interested in what you guys figure out.
In U.S.'s case it was mostly a misconfiguration somewhere in Comcast's network. A UPS in one of their facilities was requesting an IP address via DHCP, and the DHCP server was for some reason sending the response out onto the cable modem network instead of the internal one. Since it never heard from the server, it kept trying..
     
Addicted to MacNN
Join Date: Nov 2002
Location: Seattle, WA
Sep 17, 2003, 10:45 AM
 
thanks for clearing that up. I guess I'll ignore it from now on. Any idea why tcpdump would throw a segfault on me like that (twice)?
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 17, 2003, 02:15 PM
 
Originally posted by Uncle Skeleton:
thanks for clearing that up. I guess I'll ignore it from now on. Any idea why tcpdump would throw a segfault on me like that (twice)?
That, I don't know. I have never seen that happen before.

Hey, I sent you a p.m. with a more detailed breakdown but MacNN says you haven't read it yet. Let me know if you don't see it in your user center.
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Sep 17, 2003, 02:50 PM
 
Sorry it took so long for me to do this.

Here is my MAC address on en0 (my ethernet):
00:03:93:08:96:fc

I ran this command:
% sudo tethereal -i en0 -N "mnt" -w tethereal.out

and got this output:
tethereal-out.tgz [544 KB]

I had Little Snitch on again, blocking any and all outgoing traffic. I fear it may have kept the name resolution from happening but I haven't looked at the file so I'm not sure. I let it run until I got 20,000 packets. If you need me to do it again, let me know.
     
Senior User
Join Date: Dec 2002
Location: Portland, OR
Sep 19, 2003, 03:00 AM
 
Originally posted by Xeo:
I had Little Snitch on again, blocking any and all outgoing traffic. I fear it may have kept the name resolution from happening but I haven't looked at the file so I'm not sure. I let it run until I got 20,000 packets. If you need me to do it again, let me know.
OK, I finally got around to looking at this. There are a few hundred packets in there that I wouldn't expect to see if you were plugged into a switched port. There was absolutely no reason why you should have seen those packets. They were all completely normal traffic, it was just directed traffic between hosts other than yours.

It didn't seem like there was enough of it for it to be all the traffic in your area (there were several different computers) it was like there was a packet here and there from several different machines. I think your switch is just not doing a good job keeping up with a fairly busy network.
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Sep 19, 2003, 08:11 AM
 
Originally posted by geekwagon:
OK, I finally got around to looking at this. There are a few hundred packets in there that I wouldn't expect to see if you were plugged into a switched port. There was absolutely no reason why you should have seen those packets. They were all completely normal traffic, it was just directed traffic between hosts other than yours.

It didn't seem like there was enough of it for it to be all the traffic in your area (there were several different computers) it was like there was a packet here and there from several different machines. I think your switch is just not doing a good job keeping up with a fairly busy network.
This was coming from a different switch than the tcpdump output. It was the Linksys I mentioned above. Should I try again with the SpeedStream?
     
All contents of these forums © 1995-2011 MacNN. All rights reserved.