Welcome to the MacNN Forums.

Douglashh · Jan 7, 2009, 03:54 AM

Not sure this is the correct forum but here goes.

Normally the 'link' light on my cable modem only blinks when I'm on the internet.

Today I noticed that the 'link' light is constantly rapidly blinking even when I'm not on the internet. I checked Activity Monitor and it shows that I'm receiving data, not sending, at the rate of 800KB to 1100KB constantly.

I'd like to find out where that data is going on my computer. Is there any way to determine what application or file is receiving this data.

At first I thought it was a hacker but there is no data being sent only received. I have my firewall turned on.

I'm using a Intel Mini with 10.5.6.

Thanks,

Big Mac · Jan 7, 2009, 03:57 AM

That's certainly curious. If you close every single application on your Mac except for the Finder and Activity monitor, does the activity continue?

JKT · Jan 7, 2009, 04:19 AM

Do you download upgrades to the OS in the background (check Software Update settings in System Preferences)? It could be an update perhaps although, as you are on 10.5.6 already, that seems unlikely.

Douglashh · Jan 7, 2009, 12:02 PM

Yes the activity continues with only the Finder and Activity Monitor running. I checked Software Update and it is NOT set to check for updates. I do that manually.

It's still 'receiving data' according the the 'link' light and Activity Monitor. It's continuous.

Any other ideas?

besson3c · Jan 7, 2009, 12:16 PM

Do a tcpdump:

sudo tcpdump -i <interface>

fisherKing · Jan 7, 2009, 12:18 PM

do you have a password on your network? perhaps someone else is connecting to it...

Douglashh · Jan 7, 2009, 12:59 PM

besson3c, can you explain your suggestion further. What exactly does this do?

fisherking, my ISP is Comcast, don't think I have a password for anything but email.

fisherKing · Jan 7, 2009, 01:24 PM

Originally Posted by Douglashh

besson3c, can you explain your suggestion further. What exactly does this do?

fisherking, my ISP is Comcast, don't think I have a password for anything but email.

you want to put a password on your NETWORK, so no one can access it unless you GIVE them the password... maybe a neighbor is on your network..?

call comcast, they can walk you thru setting this up...

besson3c · Jan 7, 2009, 01:29 PM

Originally Posted by Douglashh

besson3c, can you explain your suggestion further. What exactly does this do?

fisherking, my ISP is Comcast, don't think I have a password for anything but email.

tcpdump shows you exactly what is going on within your TCP layer. Apps like Little Snitch use tcpdump to monitor incoming and outgoing TCP traffic. If you want to know exactly what traffic goes in and out of your computer, run tcpdump and monitor it for a while. If you know exactly what you want to search for you can pipe it to grep to use as a filter.

Of course tcpdump won't monitor your network, that is up to whatever functionality your router provides, but at least you'll have a better idea as to what your computer is chatting with, if any.

Thorzdad · Jan 7, 2009, 01:29 PM

I'm not sure which modem you have, but I'm also with Comcast and the Activity light on my modem (a Moto Surfboard) is always blinking, even with no apps running. I think it's pretty normal.

besson3c · Jan 7, 2009, 01:32 PM

If you decide to monitor your traffic using tcpdump, I'd also suggest monitoring traffic on localhost (lo0) just to be thorough...

turtle777 · Jan 7, 2009, 02:25 PM

Originally Posted by Douglashh

Normally the 'link' light on my cable modem only blinks when I'm on the internet.

Today I noticed that the 'link' light is constantly rapidly blinking even when I'm not on the internet.

Did you consult the modem's manual to see what that light is supposed to show ?

-t

Douglashh · Jan 7, 2009, 03:29 PM

turtle777, yes I looked in the modem manuel. It's only supposed to flash when there is data being sent or received. Up until yesterday that's exactly how it operated.

besson3c, I looked at Little Snitch and that only monitors out going traffic. There is no out going traffic only incoming traffic. That is what I'm concerned about. What is it connecting too and what is it possibly doing to my system.

turtle777 · Jan 7, 2009, 03:31 PM

OIC.

-t

besson3c · Jan 7, 2009, 03:40 PM

Originally Posted by Douglashh

turtle777, yes I looked in the modem manuel. It's only supposed to flash when there is data being sent or received. Up until yesterday that's exactly how it operated.

besson3c, I looked at Little Snitch and that only monitors out going traffic. There is no out going traffic only incoming traffic. That is what I'm concerned about. What is it connecting too and what is it possibly doing to my system.

tcpdump monitors all traffic. That was my recommendation, not Little Snitch.

Douglashh · Jan 7, 2009, 03:51 PM

besson3c, I'm not really comfortable using terminal I'm afraid I may screw something up.

Do I type it in exactly as you showed in the previous post?

thanks

turtle777 · Jan 7, 2009, 04:07 PM

Originally Posted by Douglashh

besson3c, I'm not really comfortable using terminal I'm afraid I may screw something up.

Do I type it in exactly as you showed in the previous post?

thanks

Try the tcpdumb GUI:

http://mac.softpedia.com/get/System-...Ethereal.shtml

-t

Douglashh · Jan 7, 2009, 05:38 PM

I just tried booting into my system clone which has not been run since before Christmas on the off chance that this is somehow related to a virus, very remote, or trojan, also very unlikely.

There is still a steady stream of data being received.

As for the other stuff, I'm sorry to say it's way over my pay grade and I wouldn't know what I was looking at even if I could do it.

I have comcast coming to replace the modem and see if that fixes things.

Thorzdad · Jan 7, 2009, 05:55 PM

Honestly, I believe it's normal traffic. Remember, that coax hooked up to your modem is carrying EVERYTHING Comcast has...including the active tv signals. Now, your modem has no clue about the tv data and simply filters it out. That doesn't mean it isn't going to see it as activity, though.

I've had my Comcast account for several years and that Activity light has always flashed like mad.

Douglashh · Jan 7, 2009, 06:18 PM

My cable modems have never operated that way and neither did this current one until yesterday. The link light has always been solid unless I was doing something on the internet and then it blinked rapidly.

The Activity Monitor shows receiving data and I don't think it would show TV data.

jmiddel · Jan 7, 2009, 07:03 PM

My activity light also blinks constantly, always has. Activity monitor reports zero bytes received/sent.

Cold Warrior · Jan 7, 2009, 07:23 PM

Moved to Networking.

turtle777 · Jan 7, 2009, 08:08 PM

Originally Posted by Douglashh

I have comcast coming to replace the modem and see if that fixes things.

Well, nothing's broken, really ?
Your internet works, as promised.

Be careful so you don't get charged for a "false" alarm.

And don't worry about viruses. They don't exist for Macs yet. The only thing you could theoretically get is a Trojan. And the known Mac trojans typically don't cause network activity.

-t

Douglashh · Jan 7, 2009, 09:36 PM

Comcast replaced the modem, no change in behavior. Even the modem operations manuel says the link light should only blink with data being sent/received.

Called Apple Tech Support and they had be boot into Safe Mode - no change in behavior. Activity Monitor still shows data being received No data being sent.
Then booted with the Leopard Install DVD and the link light still blinks rapidly. The tech support guy then suggested that maybe the Ethernet card is bad. I've got an appointment at the local Genius Bar to have them check it tomorrow.

turtle777 · Jan 8, 2009, 12:09 AM

Why does this bother you so much ?

-t

Tomchu · Jan 8, 2009, 12:31 AM

My cable modem light blinks 24/7, and it's always been that way. Due to the design and architecture of cable WAN networks, there are tons of ARP requests floating around on your local cable segment, and your modem gets them, even when they're not meant for you -- hence the blinking. I don't know why yours was never doing it but suddenly is. Maybe your ISP changed something about their architecture?

There's nothing inherently bad about this, and it doesn't cause problems.

Originally Posted by Thorzdad

Remember, that coax hooked up to your modem is carrying EVERYTHING Comcast has...including the active tv signals. Now, your modem has no clue about the tv data and simply filters it out. That doesn't mean it isn't going to see it as activity, though.

You don't know what you're talking about. Analog/digital cable TV signals are on a different frequency from Internet signals, which are on a different frequency from audio-only channels, etc. Your modem no more picks it up than it understands it. The electronic radio is tuned into only a particular upstream/downstream channel, and that's all it ever "hears". Blinking lights are an indication of data frames coming/going -- not just random radio noise on the line.

Douglashh · Jan 8, 2009, 02:05 AM

turtle777, it's not the blinking link light that bothers me so much as the fact that Activity Monitor shows that my computer is receiving significant amounts of data and I'd like to know why this is happening because it didn't start until yesterday.

ibook_steve · Jan 8, 2009, 05:24 AM

Does it happen with a test user account?

Steve

Simon · Jan 8, 2009, 05:29 AM

The fact that a cable modem senses traffic even when on your end everything is off is normal.

The fact that Activity Monitor shows a constant inflow of data even though you know of nothing being downloaded is not.

Use tcpdump to find out what's going on.

ghporter · Jan 8, 2009, 08:22 AM

Have you (gasp!) restarted your Mac? Oh, and what is the rest of your network like? What router (if any) do you use? What other machines are connected to your network and by what kind of link (wired, wireless)? Are you absolutely sure this activity you're seeing is coming from the outside and not from another computer on your network?

besson3c · 10:15 AM

Originally Posted by Douglashh

besson3c, I'm not really comfortable using terminal I'm afraid I may screw something up.

Do I type it in exactly as you showed in the previous post?

thanks

Yes, but substitute your network interface. If you are connecting via ethernet:

sudo tcpdump -i en0

wireless:

sudo tcpdump -i en1

Also have another window open monitoring your local traffic:

sudo tcpdump -i lo0

There is nothing to screw up, this isn't changing anything, just viewing your activity. This is really the only way to achieve a definitive answer as to what is going on.

Douglashh · Jan 8, 2009, 11:56 AM

I am connected to the internet via Ethernet cable from the modem to my computer. I have not router. Nothing wireless and I shut my computer off at night so I reboot every morning.

Yes it continues even with a test account.

turtle777 · Jan 8, 2009, 12:04 PM

Well, at this point, tcpdumb could help, or you could use Little Snitch to see what application or process requests access to the internet.

Theoretically, when you set up Little Snitch, no external traffic is allowed. The Activity monitor should NOT show any data flow until you allow certain apps via LS.

-t

Douglashh · Jan 8, 2009, 12:08 PM

Ok, I finally did the tcpdump and this is the start of what came up. I have no idea what it means.

08:03:13.465812 arp who-has c-24-18-140-148.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.487429 arp who-has c-24-18-133-27.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.489105 arp who-has c-67-182-130-229.hsd1.wa.comcast.net tell c-67-182-130-1.hsd1.wa.comcast.net
08:03:13.512040 arp who-has c-24-18-140-96.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.535172 arp who-has c-76-28-180-177.hsd1.wa.comcast.net tell c-76-28-180-1.hsd1.wa.comcast.net
08:03:13.542132 arp who-has user-38lmc6f.cable.mindspring.com tell user-38lmc61.cable.mindspring.com
08:03:13.548222 arp who-has c-67-170-84-18.hsd1.wa.comcast.net tell c-67-170-84-1.hsd1.wa.comcast.net
08:03:13.561354 arp who-has c-24-18-128-221.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.595426 arp who-has c-67-160-100-184.hsd1.wa.comcast.net tell c-67-160-100-1.hsd1.wa.comcast.net
08:03:13.650646 arp who-has user-0c2i85b.cable.earthlink.net tell user-0c2i851.cable.earthlink.net
08:03:13.668664 arp who-has c-67-160-103-244.hsd1.wa.comcast.net tell c-67-160-100-1.hsd1.wa.comcast.net
08:03:13.711425 arp who-has c-67-183-120-159.hsd1.wa.comcast.net tell c-67-183-120-1.hsd1.wa.comcast.net
08:03:13.839123 arp who-has c-24-18-129-61.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.863651 arp who-has c-24-18-128-15.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.882517 arp who-has c-24-18-128-176.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:13.912283 arp who-has c-24-18-133-43.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.007727 arp who-has c-71-227-173-212.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:14.052174 arp who-has c-98-203-140-213.hsd1.wa.comcast.net tell c-98-203-140-1.hsd1.wa.comcast.net
08:03:14.072130 arp who-has c-71-227-172-49.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:14.190828 arp who-has c-24-18-139-129.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.235202 arp who-has c-71-227-172-165.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:14.238416 arp who-has c-67-171-22-238.hsd1.wa.comcast.net tell c-67-171-22-1.hsd1.wa.comcast.net
08:03:14.320575 arp who-has c-71-227-175-21.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:14.350092 arp who-has c-67-182-131-26.hsd1.wa.comcast.net tell c-67-182-130-1.hsd1.wa.comcast.net
08:03:14.360742 arp who-has c-24-18-133-242.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.362350 arp who-has c-24-18-140-159.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.378085 arp who-has c-24-18-138-66.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.398528 arp who-has c-67-171-22-114.hsd1.wa.comcast.net tell c-67-171-22-1.hsd1.wa.comcast.net
08:03:14.466436 IP c-24-18-142-239.hsd1.wa.comcast.net.57014 > cns.beaverton.or.bverton.comcast.net.domain: 21474+ PTR? 148.140.18.24.in-addr.arpa. (44)
08:03:14.502459 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.57014: 21474 1/0/0 (93)
08:03:14.503777 IP c-24-18-142-239.hsd1.wa.comcast.net.54033 > cns.beaverton.or.bverton.comcast.net.domain: 35353+ PTR? 1.128.18.24.in-addr.arpa. (42)
08:03:14.525052 arp who-has c-67-170-107-56.hsd1.wa.comcast.net tell c-67-170-104-1.hsd1.wa.comcast.net
08:03:14.527484 arp who-has c-24-18-133-67.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.536686 arp who-has c-71-227-172-172.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:14.540612 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.54033: 35353 1/0/0 PTR[|domain]
08:03:14.541212 arp who-has c-76-28-180-58.hsd1.wa.comcast.net tell c-76-28-180-1.hsd1.wa.comcast.net
08:03:14.541967 IP c-24-18-142-239.hsd1.wa.comcast.net.50949 > cns.beaverton.or.bverton.comcast.net.domain: 38230+ PTR? 27.133.18.24.in-addr.arpa. (43)
08:03:14.578575 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.50949: 38230 1/0/0 (91)
08:03:14.579802 IP c-24-18-142-239.hsd1.wa.comcast.net.63551 > cns.beaverton.or.bverton.comcast.net.domain: 48508+ PTR? 229.130.182.67.in-addr.arpa. (45)
08:03:14.616748 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.63551: 48508 1/0/0 (95)
08:03:14.618075 IP c-24-18-142-239.hsd1.wa.comcast.net.50261 > cns.beaverton.or.bverton.comcast.net.domain: 56394+ PTR? 1.130.182.67.in-addr.arpa. (43)
08:03:14.654446 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.50261: 56394 1/0/0 (91)
08:03:14.655385 arp who-has c-24-18-138-29.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.655754 IP c-24-18-142-239.hsd1.wa.comcast.net.63780 > cns.beaverton.or.bverton.comcast.net.domain: 18338+ PTR? 96.140.18.24.in-addr.arpa. (43)
08:03:14.695064 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.63780: 18338 1/0/0 (91)
08:03:14.696395 IP c-24-18-142-239.hsd1.wa.comcast.net.52346 > cns.beaverton.or.bverton.comcast.net.domain: 4513+ PTR? 177.180.28.76.in-addr.arpa. (44)
08:03:14.731071 arp who-has c-24-18-132-186.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:14.732511 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.52346: 4513 1/0/0 (93)
08:03:14.733802 IP c-24-18-142-239.hsd1.wa.comcast.net.59473 > cns.beaverton.or.bverton.comcast.net.domain: 14940+ PTR? 1.180.28.76.in-addr.arpa. (42)
08:03:14.770541 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.59473: 14940 1/0/0 PTR[|domain]
08:03:14.771859 IP c-24-18-142-239.hsd1.wa.comcast.net.59862 > cns.beaverton.or.bverton.comcast.net.domain: 55588+ PTR? 207.48.91.209.in-addr.arpa. (44)
08:03:14.838631 arp who-has c-71-231-66-190.hsd1.wa.comcast.net tell c-71-231-66-1.hsd1.wa.comcast.net
08:03:14.853927 arp who-has c-67-183-121-26.hsd1.wa.comcast.net tell c-67-183-120-1.hsd1.wa.comcast.net
08:03:14.855337 arp who-has c-67-160-103-186.hsd1.wa.comcast.net tell c-67-160-100-1.hsd1.wa.comcast.net
08:03:14.868649 arp who-has c-98-203-140-215.hsd1.wa.comcast.net tell c-98-203-140-1.hsd1.wa.comcast.net
08:03:14.903699 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.59862: 55588 1/0/0 (91)
08:03:14.904987 IP c-24-18-142-239.hsd1.wa.comcast.net.59284 > cns.beaverton.or.bverton.comcast.net.domain: 22944+ PTR? 193.48.91.209.in-addr.arpa. (44)
08:03:14.918558 arp who-has c-71-227-173-100.hsd1.wa.comcast.net tell c-71-227-172-1.hsd1.wa.comcast.net
08:03:15.010132 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.59284: 22944 1/0/0 (91)
08:03:15.011401 IP c-24-18-142-239.hsd1.wa.comcast.net.57249 > cns.beaverton.or.bverton.comcast.net.domain: 13162+ PTR? 18.84.170.67.in-addr.arpa. (43)
08:03:15.048306 arp who-has c-67-170-107-74.hsd1.wa.comcast.net tell c-67-170-104-1.hsd1.wa.comcast.net
08:03:15.050756 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.57249: 13162 1/0/0 (91)
08:03:15.052038 IP c-24-18-142-239.hsd1.wa.comcast.net.60039 > cns.beaverton.or.bverton.comcast.net.domain: 37244+ PTR? 1.84.170.67.in-addr.arpa. (42)
08:03:15.073805 arp who-has c-24-18-140-69.hsd1.wa.comcast.net tell c-24-18-128-1.hsd1.wa.comcast.net
08:03:15.088689 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.60039: 37244 1/0/0 PTR[|domain]
08:03:15.089977 IP c-24-18-142-239.hsd1.wa.comcast.net.61571 > cns.beaverton.or.bverton.comcast.net.domain: 30304+ PTR?

amazing · Jan 8, 2009, 01:10 PM

I've been on comcast for ages, and the activity light is always blinking, even when all the computers are off, or asleep.

It's the nature of the internet nowadays: I used to manage a network with a dedicated firewall device. Every once in awhile, out of curiosity, I'd do a locate on the various bots that were pinging the network, day in, day out. China, Russia, or a compromised Windows PC in California.

So: millions of bots are randomly searching for vulnerable computers, every second. The comcast modem is showing that activity.

Just be glad you're not vulnerable.

besson3c · Jan 8, 2009, 01:17 PM

So now you know what machines your computer is speaking with. There is no way of telling what you were doing at that precise time to know how much of that traffic is legit, but you can see that several Comcast addresses were talking to you as well as others. Any surprises in there? I'm surprised that you are getting that much Comcast chatter... Now, do a:

netstat -a | grep -i listen

so that you can see what network ports are open. This will help you/us determine whether you have some network service setup that is doing business with these IPs that you aren't aware of.

Douglashh · Jan 8, 2009, 01:52 PM

I was not on the internet at the time I did the tcpdump as you suggested. I did the tcpdump after all applications were closed.

This is apparently what has been going on the past couple of days. What I don't understand is why this just started a couple of days ago. Prior to that there was NO activity except when I was on the internet.

Douglashh · Jan 8, 2009, 01:57 PM

besson3c,

I typed netstat -a | grep -i listen into terminal and nothing happened at all. I copied and pasted your command.

besson3c · Jan 8, 2009, 02:11 PM

What do you mean nothing happened? You pressed enter and got absolutely no response?

Douglashh · Jan 8, 2009, 04:22 PM

That is correct, I got no response after I pressed enter.

I just got back from taking my Mini to the Genius Bar at the local Apple Store. Hooked up my Mini to their internet and got the same response of receiving data as do the display machines and they are on a different ISP. The tech guys printed out the same kind of stuff as I posted earlier but it had their ISP in place of Comcast.

The only thing the tech could think of is that Apple did something with the 10.5.6 update that is causing this.

dsteinman · Jan 14, 2009, 12:24 AM

Originally Posted by Douglashh

turtle777, it's not the blinking link light that bothers me so much as the fact that Activity Monitor shows that my computer is receiving significant amounts of data and I'd like to know why this is happening because it didn't start until yesterday.

The easy solution to this is to put a router with a firewall between the cable modem and your computer.

dsteinman · 12:36 AM

The arp requests are broadcasts so everyone on that physical segment will see them.

"08:03:15.050756 IP cns.beaverton.or.bverton.comcast.net.domain > c-24-18-142-239.hsd1.wa.comcast.net.57249: 13162 1/0/0 (91)"

This IP packet is probably your machine. Btw, Wireshark is much more powerful than tcpdump. I use it on my iMac all the time. You can get it at www.wireshark.org.

markponcelet · Dec 18, 2009, 01:07 AM

It's been almost a year since the last post, so I don't know if anyone is still monitoring, but I wanted to post a reply because my Comcast modem just started doing this last night, and I found this post when I was trying to figure out what was going on.

I bought my own SB6120 from Motorola. Last night, I noticed two things change. First, the downstream light on the modem turned blue, indicating that the modem was using bonded channels. At the same time, my data light started blinking continuously.

I have Tomato firmware installed in my router, so I was able to pull up the total bandwidth consumed over the last 24 hours. During the night, it had gone from about zero to 4KB/sec. It stayed there through the whole night and the whole day.

I noticed that with no devices attached to the modem, the receive light would stay off. But as soon as I would attach a device (either my router or my computer), that device would start reporting about 4KB/sec of sustained data coming downstream.

Tomorrow I'll try the steps mentioned here and maybe a few other programs to sniff out what's happening.