 |
 |
My computer is always downloading... help?
|
|
|
|
|
Moderator Emeritus  Join Date: Mar 2001
Location: Austin, MN, USA
Status:
Offline
|
|
I noticed today that my iBook is always downloading. I use MenuMeters preference pane to monitor my traffic and it's always at 2-3K/s download, jumping to 17-20K/s at random times. I don't know what's up with it.
I've checked for everything I can by running "top" and looking at "ps" and looking for any activity by using "netstat" but everything comes up empty. There doesn't seem to be any phantom program downloading.
And yeah, I've quit all my GUI apps, shut off all daemons, and everything short of pulling the plug on the ethernet cable does nothing.
This is on Jaguar 10.2.6. If I boot into Panther and run MenuMeters, I get the same thing happening. A constant 2-3K/s download.
Now, if I unplug my ethernet and go with AirPort through my Linksys, I don't have the constant incoming traffic. I don't know how to check if my Linksys is also receiving this kind of traffic since it's wired.
What could it be? I can only think of someone trying to constantly access something of mine that I don't have, or a port that isn't open. Would this register if someone was pinging me? What else would cause this traffic?
It's never outgoing traffic. It's all incoming traffic and only over my wired ethernet connection.
|
|
|
| |
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Aug 2001
Status:
Offline
|
|
Originally posted by Xeo:
I noticed today that my iBook is always downloading. I use MenuMeters preference pane to monitor my traffic and it's always at 2-3K/s download, jumping to 17-20K/s at random times. I don't know what's up with it.
I've checked for everything I can by running "top" and looking at "ps" and looking for any activity by using "netstat" but everything comes up empty. There doesn't seem to be any phantom program downloading.
And yeah, I've quit all my GUI apps, shut off all daemons, and everything short of pulling the plug on the ethernet cable does nothing.
This is on Jaguar 10.2.6. If I boot into Panther and run MenuMeters, I get the same thing happening. A constant 2-3K/s download.
Now, if I unplug my ethernet and go with AirPort through my Linksys, I don't have the constant incoming traffic. I don't know how to check if my Linksys is also receiving this kind of traffic since it's wired.
What could it be? I can only think of someone trying to constantly access something of mine that I don't have, or a port that isn't open. Would this register if someone was pinging me? What else would cause this traffic?
It's never outgoing traffic. It's all incoming traffic and only over my wired ethernet connection.
Post the output of 'sudo lsof -i TCP'. Do you have any other machines on the network? Are you connected to a switch or a hub?
|
|
|
| |
|
|
|
|
|
|
|
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status:
Offline
|
|
What kind of internet connection do you have? It sounds like you're on a shared connection (i.e. cable). If this is the case, your computer is seeing all of the traffic on the network. This is normal with shared connection topologies.
|
|
Vandelay Industries
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Mar 2003
Status:
Offline
|
|
It's the cookies from the porn sites!
|
|
|
| |
|
|
|
|
|
|
|
Moderator Emeritus Join Date: Mar 2001
Location: Austin, MN, USA
Status:
Offline
|
|
Originally posted by BatmanPPC:
Post the output of 'sudo lsof -i TCP'. Do you have any other machines on the network? Are you connected to a switch or a hub?
Code:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
netinfod 285 root 6u inet 0x02016d1c 0t0 TCP localhost:1033 (LISTEN)
netinfod 285 root 7u inet 0x020131fc 0t0 TCP localhost:1033->localhost:busboy (ESTABLISHED)
netinfod 285 root 8u inet 0x0201523c 0t0 TCP localhost:1033->localhost:1019 (ESTABLISHED)
cupsd 368 root 0u inet 0x0201579c 0t0 TCP localhost:ipp (LISTEN)
Directory 378 root 5u inet 0x020154ec 0t0 TCP localhost:1019->localhost:1033 (ESTABLISHED)
Directory 378 root 7u inet 0x02014f8c 0t0 TCP *:* (CLOSED)
Directory 378 root 9u inet 0x02014cdc 0t0 TCP *:* (CLOSED)
iChatAgen 536 admin 8u inet 0x02013cbc 0t0 TCP *:5298 (LISTEN)
iChatAgen 536 admin 10u inet 0x0201625c 0t0 TCP 192.168.70.10:49339->205.188.12.92:aol (ESTABLISHED)
lookupd 570 root 7u inet 0x0201375c 0t0 TCP localhost:busboy->localhost:1033 (ESTABLISHED)
The 192.168.70.1 is my Linksys. Before I read your post I had disconnected my ethernet and was doing things via my AirPort. And I had logged out of iChat previously to see if that was the cause. So anything you see other than that? All I see are a bunch of localhost -> localhost connections. They exist on just my AirPort connection as well but I don't have the constant 2-3K/s downstream.
Yes, I'm on a switch. I am on my college network. In my dorm room, I have a switch connecting my computers together and the uplink is from the hubs in my dorm, which are connected via switches to the rest of campus to the main server room where the T-1 comes in. And being on a switch, shouldn't I NOT see any other traffic? That's one reason switches are better. Traffic only goes straight from the source to the destination, and not to all the computers in between. Technically I shouldn't see any traffic other than what I'm requesting, or if there's someone requesting something from me.
I do have a WAN IP on my ethernet interface.
The reason this bothers me is that I have never seen this before. When I'm not using the connection, it always reports 0KB/s. The only traffic is in the bytes/sec range and I don't have MenuMeter showing anything under a KB. However, now, it's always at least 1.5K/s, mostly over 2K/s. It's really strange.
RoonieX: 
|
|
|
| |
|
|
|
|
|
|
|
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status:
Offline
|
|
Even on a switch, you will see other traffic. You'll see broadcasts the most. It really depends on what kind of traffic is on your network and what is forwarded through routers. ServerMonitor reports about 1-6KB/sec of inbound traffic on my Xserves all the time. A lot of it is DHCP chatter, IPX chatter, AppleTalk chatter, ARP requests, etc.
|
|
Vandelay Industries
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2002
Location: Portland, OR
Status:
Offline
|
|
If you want to know what kind of traffic you are seeing over your ethernet interface:
Code:
sudo tcpdump -i en0
that will print every packet you receive out to your terminal window. To stop, hit ctrl-c. If you want to capture it to a file for later perusal:
Code:
sudo tcpdump -i en0 > packets.txt
I'm betting it is just broadcast traffic (ARPs, etc) caused by all the traffic on your LAN.
If you do see something strange, post it here or PM me. I have a pretty good understanding of this stuff (I'm a sysadmin who dabbles in network admin when necessary.)
|
|
|
| |
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Aug 2001
Status:
Offline
|
|
Originally posted by Xeo:
The 192.168.70.1 is my Linksys. Before I read your post I had disconnected my ethernet and was doing things via my AirPort. And I had logged out of iChat previously to see if that was the cause. So anything you see other than that? All I see are a bunch of localhost -> localhost connections. They exist on just my AirPort connection as well but I don't have the constant 2-3K/s downstream.
Yes, I'm on a switch. I am on my college network. In my dorm room, I have a switch connecting my computers together and the uplink is from the hubs in my dorm, which are connected via switches to the rest of campus to the main server room where the T-1 comes in. And being on a switch, shouldn't I NOT see any other traffic? That's one reason switches are better. Traffic only goes straight from the source to the destination, and not to all the computers in between. Technically I shouldn't see any traffic other than what I'm requesting, or if there's someone requesting something from me.
I do have a WAN IP on my ethernet interface.
The reason this bothers me is that I have never seen this before. When I'm not using the connection, it always reports 0KB/s. The only traffic is in the bytes/sec range and I don't have MenuMeter showing anything under a KB. However, now, it's always at least 1.5K/s, mostly over 2K/s. It's really strange.
RoonieX:
Ok .. nothing out of the ordinary there. Here's my theory .... stupid !@%$# MS worms. I think what you're seeing is traffic from attempts to connect to port 135 and ICMP traffic. College networks are usually a big target. (as to why you are not seeing this on airport ... when you're on airport you have a private IP ... public IP when on ethernet)
You can use the tcpdump tips others have posted to confirm this.
|
|
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: May 2001
Location: Boston, MA
Status:
Offline
|
|
Take a look in the network utility.app... are there lots of network errors?
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top