[opensuse] strange internet traffic
Hello, I've seen in gkrellm that there is quite a lot of internet traffic, although I didn't have any program running that connects to the outside. So I downloaded "iptraf" and let it run a short while. This is the beginning of the log it created:
Thu Jul 13 20:04:30 2017; ******** IP traffic monitor started ********
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 71 bytes; from 192.168.1.33:34000 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 70 bytes; from 192.168.1.33:51486 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 130 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:34000
Thu Jul 13 20:04:35 2017; UDP; eth0; 127 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:51486
Thu Jul 13 20:04:36 2017; UDP; eth0; 182 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:54612
Thu Jul 13 20:04:36 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:36 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:40 2017; UDP; eth0; 69 bytes; from 192.168.1.33:57325 to 250.red-80-58-61.staticip.rima-tde.net:53
I see it talks to Telefonica (my provider, 80.58.61.250), but why? And why is there so much traffic with staticip.rima-tde.net? ... It seems strange to me and I am a bit worried - or is this normal, and why? Should I let iptraf run a longer time and upload a log so someone here can check it? Thanks for your help! Daniel
OS 42.1, KDE, connected via cable on eth0
-- Daniel Bauer photographer Basel Barcelona https://www.patreon.com/danielbauer http://www.daniel-bauer.com
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 13.07.2017 21:15, Daniel Bauer wrote:
Hello,
I've seen in gkrellm that there is quite a lot of internet traffic, although I didn't have any program running that connects to outside.
So I downloaded "iptraf" and let it run a short while.
this is the beginning of the log it created:
Thu Jul 13 20:04:30 2017; ******** IP traffic monitor started ********
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Port 53 is DNS and 5353 is mDNS, so probably some program is trying to resolve names. You could look with Wireshark at what names; this could give some hint. Although I would be surprised if it really caused a lot of traffic.
On 07/13/2017 02:27 PM, Andrei Borzenkov wrote:
Port 53 is DNS and 5353 is mDNS, so probably some program is trying to resolve names. You could look with Wireshark at what names; this could give some hint.
I agree on Wireshark. I use it frequently. I even bought a cheap managed switch and configured it for port mirroring, so that I could monitor connections with my notebook computer.
On 07/13/2017 02:15 PM, Daniel Bauer wrote:
Hello,
I've seen in gkrellm that there is quite a lot of internet traffic, although I didn't have any program running that connects to outside.
So I downloaded "iptraf" and let it run a short while.
this is the beginning of the log it created:
Thu Jul 13 20:04:30 2017; ******** IP traffic monitor started ********
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 71 bytes; from 192.168.1.33:34000 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 70 bytes; from 192.168.1.33:51486 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 130 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:34000
Thu Jul 13 20:04:35 2017; UDP; eth0; 127 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:51486
Thu Jul 13 20:04:36 2017; UDP; eth0; 182 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:54612
Thu Jul 13 20:04:36 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:36 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:40 2017; UDP; eth0; 69 bytes; from 192.168.1.33:57325 to 250.red-80-58-61.staticip.rima-tde.net:53
I see it talks to Telefonica (my provider, 80.58.61.250), but why? And why is there so much traffic with staticip.rima-tde.net?
I assume this is on your local LAN. Those UDP packets on port 5353 are mDNS. That is multicast DNS. Port 53 is regular DNS.
That ICMPv6 line is from a link local address to an all hosts multicast. I assume that is from your router. That link local address contains the MAC address, with some modification. Do you recognize it?
The packets from 250.red-80-58-61.staticip.rima-tde.net are responses to the DNS requests from 192.168.1.33. So, the question is who are you using for DNS? Could be them.
The packets to ff02 & 224 are multicasts, which appear to be coming from 192.168.1.33 or venus.local. Does that name mean anything to you? What about 192.168.1.33?
On 13.07.2017 at 20:35, James Knott wrote:
On 07/13/2017 02:15 PM, Daniel Bauer wrote:
Hello,
I've seen in gkrellm that there is quite a lot of internet traffic,
I assume this is on your local LAN. Those UDP packets on port 5353 are mDNS. That is multicast DNS. Port 53 is regular DNS.
That ICMPv6 line is from a link local address to an all hosts multicast. I assume that is from your router. That link local address contains the MAC address, with some modification. Do you recognize it?
Yes
The packets from 250.red-80-58-61.staticip.rima-tde.net are responses to the DNS requests from 192.168.1.33. So, the question is who are you using for DNS? Could be them.
I guess so. I haven't configured anything, just took the router as is...
The packets to ff02 & 224 are multicasts, which appear to be coming from 192.168.1.33 or venus.local. Does that name mean anything to you? What about 192.168.1.33?
Yes, that is the correct IP right now, and the name of my computer.
-- Daniel Bauer photographer Basel Barcelona https://www.patreon.com/danielbauer http://www.daniel-bauer.com
On 07/13/2017 02:46 PM, Daniel Bauer wrote:
The packets from 250.red-80-58-61.staticip.rima-tde.net are responses to the DNS requests from 192.168.1.33. So, the question is who are you using for DNS? Could be them.
I guess so. I haven't configured anything, just took the router as is...
What do you see for nameserver in /etc/resolv.conf?
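James's two leads above (the MAC hidden in the router's link-local address, and which nameserver /etc/resolv.conf points at) can be checked mechanically against the iptraf log. The following is an added example and not code from the thread: it parses the lines Daniel posted, sorts them into router advertisements, mDNS and DNS, flags any DNS peer that is not a configured nameserver, and recovers the MAC from an EUI-64 link-local address. The resolv.conf content is constructed for the demo, and the name-to-IP entry for the rima-tde host is an assumption standing in for the reverse lookup iptraf did.

```python
"""Classify the iptraf lines from the thread and check the DNS peer against
the configured nameserver. Added example, not code from the thread."""
import ipaddress
import re
from collections import Counter

# Log lines copied from the post. iptraf's format is
#   <timestamp>; <proto>; <iface>; <n> bytes; from <src> to <dst>[; <note>]
IPTRAF_LOG = """\
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 130 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:34000
Thu Jul 13 20:04:36 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
"""

# Constructed for this example: a resolv.conf as a DHCP-configured router hands it out.
RESOLV_CONF = "search lan\nnameserver 80.58.61.250\n"

# iptraf printed the resolver's reverse name in some lines; undo that lookup.
# Assumed mapping (the thread says this is the reverse name of 80.58.61.250).
REVERSE_NAMES = {"250.red-80-58-61.staticip.rima-tde.net": "80.58.61.250"}

MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}

LINE_RE = re.compile(
    r"^(?P<ts>.+?); (?P<proto>\w+); (?P<iface>\w+); (?P<bytes>\d+) bytes; "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?:; (?P<note>.*))?$"
)


def split_endpoint(ep, has_port):
    """'host:port' -> (host, port). IPv6 hosts contain ':' so split on the last one."""
    if not has_port:
        return ep, None
    host, _, port = ep.rpartition(":")
    return host, int(port)


def to_ip(host):
    """IP address for an endpoint, or None for a plain name such as venus.local."""
    try:
        return ipaddress.ip_address(REVERSE_NAMES.get(host, host))
    except ValueError:
        return None


def classify(line):
    """Return (kind, peer): kind is router-advertisement, mdns, dns-query,
    dns-reply, other or unparsed; peer is the remote IP where it matters."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed", None
    has_port = m["proto"] in ("UDP", "TCP")
    src, sport = split_endpoint(m["src"], has_port)
    dst, dport = split_endpoint(m["dst"], has_port)
    if m["proto"] == "ICMPv6" and m["note"] == "router adv":
        return "router-advertisement", to_ip(src)
    if sport == dport == 5353 and dst in MDNS_GROUPS:
        return "mdns", None
    if dport == 53:
        return "dns-query", to_ip(dst)
    if sport == 53:
        return "dns-reply", to_ip(src)
    return "other", None


def nameservers(resolv_conf):
    return {ipaddress.ip_address(line.split()[1])
            for line in resolv_conf.splitlines() if line.startswith("nameserver")}


def mac_from_link_local(addr):
    """Recover the MAC from an EUI-64 link-local address: the interface id is
    mac[0:3] ff fe mac[3:6] with the universal/local bit of the first octet
    flipped. Returns None if the address is not built that way."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]
    if not a.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def audit(log=IPTRAF_LOG, resolv_conf=RESOLV_CONF):
    """Count traffic kinds, list DNS peers resolv.conf does not name, and
    report the MAC of whatever is sending router advertisements."""
    expected = nameservers(resolv_conf)
    counts, dns_peers, router_macs = Counter(), set(), set()
    for line in log.splitlines():
        kind, peer = classify(line)
        counts[kind] += 1
        if kind.startswith("dns") and peer is not None:
            dns_peers.add(peer)
        if kind == "router-advertisement" and peer is not None:
            mac = mac_from_link_local(str(peer))
            if mac:
                router_macs.add(mac)
    return {
        "counts": dict(counts),
        "unexpected_resolvers": sorted(str(p) for p in dns_peers - expected),
        "router_macs": sorted(router_macs),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The condition worth worrying about is a non-empty unexpected_resolvers list: DNS leaving for a server nobody configured. With the router's resolver in RESOLV_CONF the log above is clean; swap in a different nameserver and 80.58.61.250 is reported. The router MAC comes out of the fe80:: address the same way James describes, so it can be compared with the label on the box.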
On 13.07.2017 at 20:15, Daniel Bauer wrote:
Hello,
I've seen in gkrellm that there is quite a lot of internet traffic, although I didn't have any program running that connects to outside.
So I downloaded "iptraf" and let it run a short while.
this is the beginning of the log it created:
Thu Jul 13 20:04:30 2017; ******** IP traffic monitor started ********
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 71 bytes; from 192.168.1.33:34000 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 70 bytes; from 192.168.1.33:51486 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 130 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:34000
Thu Jul 13 20:04:35 2017; UDP; eth0; 127 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:51486
Thu Jul 13 20:04:36 2017; UDP; eth0; 182 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:54612
Thu Jul 13 20:04:36 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:36 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:40 2017; UDP; eth0; 69 bytes; from 192.168.1.33:57325 to 250.red-80-58-61.staticip.rima-tde.net:53
I see it talks to Telefonica (my provider, 80.58.61.250), but why? And why is there so much traffic with staticip.rima-tde.net? ...
It seems strange to me and I am a bit worried - or is this normal, and why?
Should I let iptraf run a longer time and upload a log so someone here can check it?
Thanks for your help!
Daniel
OS 42.1, KDE, connected via cable on eth0
Uff, I am obviously bad at googling, and even worse at remembering, but now I found out that in 2014 I asked more or less the same question here... :-) According to the hints in that thread I looked at what lsof -iTCP says:
COMMAND   PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
cupsd     2370  root    8u IPv6  15958      0t0  TCP localhost:ipp (LISTEN)
cupsd     2370  root    9u IPv4  15959      0t0  TCP localhost:ipp (LISTEN)
sshd      2593  root    3u IPv4  17297      0t0  TCP *:ssh (LISTEN)
sshd      2593  root    4u IPv6  17299      0t0  TCP *:ssh (LISTEN)
mysqld    2617  mysql  18u IPv6  17941      0t0  TCP *:mysql (LISTEN)
httpd-pre 2652  root    4u IPv6  16026      0t0  TCP *:http (LISTEN)
master    2838  root   13u IPv4  21889      0t0  TCP localhost:smtp (LISTEN)
master    2838  root   14u IPv6  21890      0t0  TCP localhost:smtp (LISTEN)
httpd-pre 2916  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 2918  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 2919  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 2920  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 2922  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 7521  wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
httpd-pre 27533 wwwrun  4u IPv6  16026      0t0  TCP *:http (LISTEN)
That looks pretty normal to me, although I don't know why some commands appear twice, why one httpd-pre runs as root, and what "master" is. I guess I don't have to worry, but still I am happy for hints or explanations. Daniel
-- Daniel Bauer photographer Basel Barcelona https://www.patreon.com/danielbauer http://www.daniel-bauer.com
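The lsof listing above can be read mechanically, and doing so answers the three questions it raises. The following is an added example, not code from the thread: it parses the exact output Daniel posted, sorts each listening socket into loopback-only or network-reachable, and uses lsof's DEVICE column (for sockets, the socket inode) to show that the many httpd-pre lines are a single socket, opened by the root parent and inherited by the wwwrun workers, whereas the doubled cupsd, sshd and master lines are separate IPv4 and IPv6 sockets. Nothing about the hosts or services is assumed beyond what the listing shows.

```python
"""Parse `lsof -iTCP` output and sort listeners by who can reach them.
Added example, not code from the thread; the listing is the one posted."""
import re
from collections import defaultdict

LSOF_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 2370 root 8u IPv6 15958 0t0 TCP localhost:ipp (LISTEN)
cupsd 2370 root 9u IPv4 15959 0t0 TCP localhost:ipp (LISTEN)
sshd 2593 root 3u IPv4 17297 0t0 TCP *:ssh (LISTEN)
sshd 2593 root 4u IPv6 17299 0t0 TCP *:ssh (LISTEN)
mysqld 2617 mysql 18u IPv6 17941 0t0 TCP *:mysql (LISTEN)
httpd-pre 2652 root 4u IPv6 16026 0t0 TCP *:http (LISTEN)
master 2838 root 13u IPv4 21889 0t0 TCP localhost:smtp (LISTEN)
master 2838 root 14u IPv6 21890 0t0 TCP localhost:smtp (LISTEN)
httpd-pre 2916 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 2918 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 2919 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 2920 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 2922 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 7521 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
httpd-pre 27533 wwwrun 4u IPv6 16026 0t0 TCP *:http (LISTEN)
"""

# For sockets the DEVICE column is the socket inode: the same inode in several
# PIDs is one socket inherited across fork(), not several listeners.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<type>IPv[46])\s+"
    r"(?P<dev>\d+)\s+\S+\s+TCP\s+(?P<host>\S+):(?P<svc>\S+)\s+\(LISTEN\)$"
)

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def parse_listeners(text):
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:  # the header line and non-LISTEN rows fall through
            row = m.groupdict()
            row["pid"], row["dev"] = int(row["pid"]), int(row["dev"])
            rows.append(row)
    return rows


def exposure_report(text):
    rows = parse_listeners(text)
    by_socket = defaultdict(list)
    for r in rows:
        by_socket[r["dev"]].append(r)

    report = {"network": {}, "loopback": {}, "inherited_sockets": {}}
    for dev, shared in sorted(by_socket.items()):
        first = shared[0]
        bucket = "loopback" if first["host"] in LOOPBACK else "network"
        key = f'{first["svc"]}/{first["type"]}'
        report[bucket].setdefault(key, set()).update((r["cmd"], r["user"]) for r in shared)
        pids = sorted({r["pid"] for r in shared})
        if len(pids) > 1:
            report["inherited_sockets"][dev] = pids

    # Services seen for only one address family. Caveat: on Linux an IPv6
    # wildcard socket also accepts IPv4 unless net.ipv6.bindv6only=1, so a
    # lone IPv6 line does not mean the IPv4 side is closed.
    families = defaultdict(set)
    for r in rows:
        families[r["svc"]].add(r["type"])
    report["single_family"] = sorted(s for s, f in families.items() if len(f) == 1)
    return report


def network_listeners_as_root(report):
    """Network-reachable services whose listening socket is held by root."""
    return sorted(svc for svc, owners in report["network"].items()
                  if any(user == "root" for _, user in owners))


if __name__ == "__main__":
    rep = exposure_report(LSOF_OUTPUT)
    for k, v in rep.items():
        print(f"{k}: {v}")
    print("root-held network listeners:", network_listeners_as_root(rep))
```

The "network" bucket is the part a reviewer cares about: ssh, mysql and http accept connections from any interface, while ipp and smtp are bound to localhost only. Whether mysqld should be reachable from the LAN at all is a question the listing cannot answer, but it is the one to ask.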
On 2017-07-13 20:15, Daniel Bauer wrote:
Hello,
I've seen in gkrellm that there is quite a lot of internet traffic, although I didn't have any program running that connects to outside.
So I downloaded "iptraf" and let it run a short while.
this is the beginning of the log it created:
Thu Jul 13 20:04:30 2017; ******** IP traffic monitor started ********
Thu Jul 13 20:04:35 2017; ICMPv6; eth0; 64 bytes; from fe80::da61:94ff:fe8b:c632 to ff02::1; router adv
Thu Jul 13 20:04:35 2017; UDP; eth0; 138 bytes; from fe80::1e6f:65ff:fe91:8f9:5353 to ff02::fb:5353
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Finding who is where, I think. Some routers talk a lot.
Thu Jul 13 20:04:35 2017; UDP; eth0; 118 bytes; from 192.168.1.33:54612 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 71 bytes; from 192.168.1.33:34000 to 80.58.61.250:53
Thu Jul 13 20:04:35 2017; UDP; eth0; 70 bytes; from 192.168.1.33:51486 to 80.58.61.250:53
This is DNS traffic. Normal.
Thu Jul 13 20:04:35 2017; UDP; eth0; 130 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:34000
Thu Jul 13 20:04:35 2017; UDP; eth0; 127 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:51486
Thu Jul 13 20:04:36 2017; UDP; eth0; 182 bytes; from 250.red-80-58-61.staticip.rima-tde.net:53 to 192.168.1.33:54612
Same thing, reverse direction. Telefonica DNS are in 80.58.61.250 and 80.58.61.254
Thu Jul 13 20:04:36 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:36 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 138 bytes; from venus.local:5353 to ff02::fb:5353
Thu Jul 13 20:04:38 2017; UDP; eth0; 118 bytes; from 192.168.1.33:5353 to 224.0.0.251:5353
Thu Jul 13 20:04:40 2017; UDP; eth0; 69 bytes; from 192.168.1.33:57325 to 250.red-80-58-61.staticip.rima-tde.net:53
I see it talks to Telefonica (my provider, 80.58.61.250), but why? And why is there so much traffic with staticip.rima-tde.net?
That's the reverse domain name of the IP of the DNS server. They haven't bothered to set the proper reverse name.
...
It seems strange to me and I am a bit worried - or is this normal, and why?
Seems normal :-) -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
participants (4): Andrei Borzenkov, Carlos E. R., Daniel Bauer, James Knott