[whop]

i use menu meters and when im at home and connected the internet it is showing that i am receiving anywhere from 40 - 80 KB/s, and nothing will be running, i have shut down all applications, checked the activity monitor for any "wierd processes" it has been going on for about 3 days.....but it never shows me transferring anything, so im conufsed about what is getting sent to my powerbook...

[Spheric Harlot]

Are you sure it's "KB" and not bytes?

[CaptainHaddock]

If it's just a few kilobits, that's normal. Your Mac will be constantly listening on the network for other machines and the network status. Also keep in mind, the Internet is full of zombied Windows machines that flood random IP addresses with attempted worm and trojan break-ins.

If you're really concerned, there's probably a program that can take a snapshot of network traffic and identify the computers/programs involved. You could also open up Terminal and type "sudo fs_usage" to see if any rogue processes are going crazy.

[whop]

ok, i just got to campus and connected to the wireless network, and its doing the same thing! i restarted my computer and took this snap shot, keep in mind nothing is running



and im receiving roughly 16-11KB/s constantly.

[whop]

Originally posted by CaptainHaddock:
If it's just a few kilobits, that's normal. Your Mac will be constantly listening on the network for other machines and the network status. Also keep in mind, the Internet is full of zombied Windows machines that flood random IP addresses with attempted worm and trojan break-ins.

If you're really concerned, there's probably a program that can take a snapshot of network traffic and identify the computers/programs involved. You could also open up Terminal and type "sudo fs_usage" to see if any rogue processes are going crazy.

ok i typed that and i get this like 8943348934483 times, actually it wont stop

13:29:06 CACHE_HIT 0.000008 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000005 WindowServer
13:29:06 CACHE_HIT 0.000041 WindowServer

plus there is some random stuff that is also showing up....but it goes by so quick i cant read it, and its still going as i type...

[SMacTech]

Try sudo tcpdump -v to see what is being heard on your ethernet port. fs_usage is showing file system activity. What you see with the WindowServer is normal.

[whop]

tcpdump: (no devices found) /dev/bpf0: Permission denied


?

[SMacTech]

It should work, if you use sudo first. The -v is for a more verbose listing. You might try it without it too.

[Kristoff]

netstat

[whop]

tcpdump: WARNING: en0: no IPv4 address assigned
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 96 bytes

[SMacTech]

What's up with the NO IP address assigned? You should be getting a listing, similar to this :

15:54:11.184787 IP 10.0.0.11.apc-3052 > 10.0.0.255.apc-3052: UDP, length: 475
15:54:13.313077 IP dax.xxxxx.com.netbios-ns > 10.0.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:13.526547 arp who-has 10.0.0.31 tell dax. xxxxx.com
15:54:15.181041 arp who-has odo. xxxxx.com tell easkins-vm1. xxxxx.com
15:54:15.363801 IP 10.0.0.1 > igrp-routers.mcast.net: igrp: request V0 edit=5 AS=61133 (0/0/0) [extra bytes 28]
15:54:15.625561 IP dax. xxxxx.com.netbios-ns > 10.0.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:16.545844 arp who-has 10.0.0.1 tell bmcmahon. xxxxx.com
15:54:18.469853 arp who-has 10.0.0.1 tell odo. xxxxx.com

netstat is also a good tool for monitoring connections, but it won't be as informative as to where the particular packets are coming from.

[whop]

well i tried sudo tcpdump -v again and it said the same thing, this is kind of odd, ive been trying to remember what i was doing when all this started and it was around the same time i tried to install vpc 7, but i have no clue if they have any correlation.

[Mithras]

Your Airport connection is usually en1 -- if you're connected via Airport use en1 in place of en0. Type ifconfig -a to see a full list of network ports; look for one that says "status: active".

[Kristoff]

or, like I said, just type netstat and it will show what you want to see

I mean, you're not really trying to capture the packets for analysis...you just want to see what's sending you crap, right?

[SMacTech]

Originally posted by Kristoff:
or, like I said, just type netstat and it will show what you want to see

I mean, you're not really trying to capture the packets for analysis...you just want to see what's sending you crap, right?

The combination of both commands will lend evidence of what may be the source. But netstat won't show how active the connection is, just the IP you have established a connection too.

[SMacTech]

Originally posted by whop:
well i tried sudo tcpdump -v again and it said the same thing, this is kind of odd, ive been trying to remember what i was doing when all this started and it was around the same time i tried to install vpc 7, but i have no clue if they have any correlation.

What OS version are you running, and did you apply the latest security updates? I had similar problems with netstat after the 1st Security update 2004-09-07 and it was fixed in v1.1 of that update.

[Uncle Skeleton]

I had a similar problem once:

http://forums.macnn.com/showthread.p...hreadid=176407

geekwagon helpfully analyzed my tcpdump and told me it was a UPS somewhere on comcast's network going nuts (nothing to worry about). It stopped a week or so later and never came back.

[alex_kac]

This happened to me last week. It was our Samba service running causing it.

[whop]

i also have noticed ever since this proble has come around that my dock will disappear at random times and then appear again after a couple of seconds.....ive never had this problem before.

[mitchell_pgh]

Get a router with a firewall...

it blocks 99% of these zombies...