At some time the traffic on my ADSL connection eth0 is very active although I am doing nothing on the net. Okay, I have Skype running and ntpd is looking after the time, but that cannot be the reason for the many exchanges between my computer and the net. KNemo gives a fair idea of what is going on without giving any clue as to what it is connecting to and what it seems to do exactly. Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
On Sunday 05 February 2006 00:00, C. Brouerius van Nidek wrote:
Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
When you're logged into Skype, your system is essentially attached to a p2p network. So, even when you're not engaged in a call, traffic on that network is passing through your system. To confirm this, you can log out and close Skype to see if the network activity drops off. If you log back on and the activity reappears, that answers your question. If you want to take a look at the traffic, you can take a snapshot with Ethereal. "man ethereal" or Google for more information. regards, Carl
On Sunday 05 February 2006 12:31, Carl Hartung wrote:
On Sunday 05 February 2006 00:00, C. Brouerius van Nidek wrote:
Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
When you're logged into Skype, your system is essentially attached to a p2p network. So, even when you're not engaged in a call, traffic on that network is passing through your system. To confirm this, you can log out and close Skype to see if the network activity drops off. If you log back on and the activity reappears, that answers your question. If you want to take a look at the traffic, you can take a snapshot with Ethereal. "man ethereal" or Google for more information.
Thanks. Traffic from Skype is very low as I found out. Will have a look at Ethereal.
Carl, On Saturday 04 February 2006 21:31, Carl Hartung wrote:
On Sunday 05 February 2006 00:00, C. Brouerius van Nidek wrote:
Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
When you're logged into Skype, your system is essentially attached to a p2p network. So, even when you're not engaged in a call, traffic on that network is passing through your system. To confirm this, you can log out and close Skype to see if the network activity drops off. If you log back on and the activity reappears, that answers your question. If you want to take a look at the traffic, you can take a snapshot with Ethereal. "man ethereal" or Google for more information.
That doesn't make any sense. Why would traffic get routed through a leaf node in the network? It's not like a BitTorrent distribution system; all the traffic is point-to-point. There's nothing to be gained and much to be lost by sending voice calls that are going between, say, you and me through Mr. van Nidek's host, right? The most likely source of ongoing traffic in the absence of anything initiated at your end is a remote login attack. They're common and are merely an attempt to guess passwords. If your passwords are strong, they won't get in. Occasionally you'll get attempts to exploit old buffer overflow bugs in various Web servers, but since those are growing ever less common, the number of attempts to use them seems to be dropping as well.
regards,
Carl
Randall Schulz
On Sunday 05 February 2006 00:44, Randall R Schulz wrote:
That doesn't make any sense. Why would traffic get routed through a leaf node in the network?
Hi Randall, Why? They're probably taking bandwidth wherever they can find it to distribute the traffic as smoothly as possible. VOIP doesn't deal well with congestion. And "leaf" as in "final destination" and "source" aren't that relevant. It may or may not be voice traffic... I haven't dug that deeply into it... but I have literally watched for hours in fascination as connections make, wait, talk and break between my box and boxes all over the planet... a *lot* of telco servers... one and two or even three at a time, in a pattern that I think is best described as "polling". It could be looking for "Skype Me" flagged subscribers... could be distributing routing data or traffic quality assurance data... who knows? But to say it "makes no sense" is not true, since I've already verified that /that/ is exactly what it does when you're logged in but not engaged in a call. It never stops. For the record, I used sysinternals' tcpview and process explorer to study this as yet unexplained network activity with Skype running under XP <shudder.> I am very diligent about taking strong security precautions on XP so I had these utilities running when I first installed and tested Skype/XP. I still fire them up when I run Skype on XP now... watching the traffic is almost as fun as watching a lava lamp! :-) And now that we've got all these marvelous network traffic forensics posts in one thread, I think I'm going to experiment with watching Skype's activities on SUSE! regards, Carl
The Sunday 2006-02-05 at 09:51 -0500, Carl Hartung wrote:
On Sunday 05 February 2006 00:44, Randall R Schulz wrote:
That doesn't make any sense. Why would traffic get routed through a leaf node in the network?
Why? They're probably taking bandwidth wherever they can find it to distribute the traffic as smoothly as possible. VOIP doesn't deal well with congestion.
It doesn't make sense for VoIP traffic itself, i.e., conversations, unless you are a router. It may make sense for other things, as you mention, like discovering who is there and where.
And now that we've got all these marvelous network traffic forensics posts in one thread, I think I'm going to experiment with watching Skype's activities on SUSE!
I feel that will be more informative than XP ;-) -- Cheers, Carlos Robinson
C. Brouerius van Nidek wrote:
Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
tcpdump -i eth0

It may be a lot of data, but it'll give you (once you've deciphered the output) an exact picture of what's happening. /Per Jessen, Zürich
The Sunday 2006-02-05 at 12:00 +0700, C. Brouerius van Nidek wrote:
Is there something I can do to find out what kind of traffic is going on?
ntop. It runs as a daemon (rcntop start), and is configured through "/etc/sysconfig/ntop". It gathers statistics about outgoing and incoming connections, ports, networks, services, traffic... It gives a better overall picture than using ethereal or tcpdump. Then, if the information is not enough, get details with those tools. -- Cheers, Carlos Robinson
C. Brouerius van Nidek wrote:
At some time the traffic on my ADSL connection eth0 is very active although I am doing nothing on the net. Okay, I have Skype running and ntpd is looking after the time, but that cannot be the reason for the many exchanges between my computer and the net. KNemo gives a fair idea of what is going on without giving any clue as to what it is connecting to and what it seems to do exactly. Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
Try running ethereal, to see what's happening. It's included with SUSE.
Sun, 05 Feb 2006, by cbroueriusvannidek@gmail.com:
At some time the traffic on my ADSL connection eth0 is very active although I am doing nothing on the net. Okay, I have Skype running and ntpd is looking after the time, but that cannot be the reason for the many exchanges between my computer and the net. KNemo gives a fair idea of what is going on without giving any clue as to what it is connecting to and what it seems to do exactly. Is there something I can do to find out what kind of traffic is going on? Perhaps somebody is trying to get access to my computer?
Others suggested ntop or ethereal, but I think both are either too basic or too much. I'd try 'iptraf' instead; it shows real-time traffic flow on your network.

    TCP Connections (Source Host:Port)   Packets   Bytes     Flags   Iface
    l85.159.184.40:80 >                  3602      4019223   -PA-    eth0
    192.168.2.1:1246 >                   3601      193816    --A-    eth0
    81.197.65.159:57227 >                6         791       -PA-    eth0
    192.168.2.1:1036 >                   7         384       --A-    eth0
    192.168.2.1:2455 >                   2         80        --A-    eth0
    66.249.93.104:80 >                   1         46        --A-    eth0
    192.168.2.1:2456 >                   2         80        --A-    eth0
    66.249.93.104:80 >                   1         46        --A-    eth0
    192.168.2.1:2457 >                   2         80        --A-    eth0
    66.249.93.104:80 >                   1         46        --A-    eth0
    TCP: 5 entries                                                   Active
    UDP (117 bytes) from 192.168.2.1:1026 to 192.168.2.2:161 on eth0
    UDP (150 bytes) from 192.168.2.2:161 to 192.168.2.1:1026 on eth0
    UDP (72 bytes) from 192.168.2.2:520 to 192.168.255.255:520 on eth0
    UDP (72 bytes) from 192.168.2.2:520 to 192.168.255.255:520 on eth0
    UDP (72 bytes) from 192.168.2.2:520 to 192.168.255.255:520 on eth0
    Bottom   Elapsed time: 0:03   Pkts captured (all interfaces): 7250 x   TCP flow rate: 149.60 kbits/s

There are lots of other settings for filtering etc. as well. Theo -- Theo v. Werkhoven, SUSE 9.2, Kernel 2.6.8
The Sunday 2006-02-05 at 15:02 +0100, Theo v. Werkhoven wrote:
Others suggested ntop or ethereal, but I think both are either too basic or too much.
I'd try 'iptraf' instead; it shows real-time traffic flow on your network.
True enough, it is easy and fast to use. But it doesn't do things like watching every connection, for hours on end, and totalling the bytes sent to any destination, and telling you things about them; ntop is more complete. I use iptraf a lot. -- Cheers, Carlos Robinson
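An added example that is not part of any post in this thread: it takes the text that "tcpdump -nn -i eth0" prints, as Per suggested, and produces the per-destination totals Carlos describes (packets and bytes in each direction per remote host, plus a count of inbound bare SYNs, i.e. connections a remote host opened toward this box, which is what a password-guessing login attack looks like at the packet level). It assumes the line format of current tcpdump as shown in the constructed sample; 192.168.2.1 is a constructed address standing in for the eth0 address.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises "tcpdump -nn -i eth0" text output
# per remote host. Assumes the tcpdump line format shown in sample_capture.

# Constructed sample of tcpdump -nn output: one HTTP exchange, one ntp poll,
# three inbound connection attempts to port 22 from a single remote host, and
# a LAN broadcast that does not involve this machine at all.
sample_capture() {
cat <<'EOF'
12:00:01.000000 IP 192.168.2.1.1246 > 85.159.184.40.80: Flags [P.], seq 1:81, ack 1, win 65535, length 80
12:00:01.100000 IP 85.159.184.40.80 > 192.168.2.1.1246: Flags [P.], seq 1:1449, ack 81, win 6432, length 1448
12:00:02.000000 IP 192.168.2.1.123 > 192.0.2.10.123: NTPv4, Client, length 48
12:00:02.050000 IP 192.0.2.10.123 > 192.168.2.1.123: NTPv4, Server, length 48
12:00:03.000000 IP 198.51.100.7.40001 > 192.168.2.1.22: Flags [S], seq 1, win 5840, length 0
12:00:04.000000 IP 198.51.100.7.40002 > 192.168.2.1.22: Flags [S], seq 2, win 5840, length 0
12:00:05.000000 IP 198.51.100.7.40003 > 192.168.2.1.22: Flags [S], seq 3, win 5840, length 0
12:00:06.000000 IP 192.168.2.2.520 > 192.168.255.255.520: RIPv1, Response, length 72
EOF
}

# Usage: summarize_capture <local-ip> < tcpdump-output
# One line per remote host: packets/bytes received from it, packets/bytes sent to it,
# and how many bare SYNs it sent us (connections it initiated, e.g. login attempts).
summarize_capture() {
    printf '%-16s %7s %9s %7s %9s %7s\n' remote pkt_in bytes_in pkt_out bytes_out syn_in
    awk -v local="$1" '
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # tcpdump joins host and port with a dot; the port is everything after the last dot
        n = match(src, /\.[0-9]+$/); shost = substr(src, 1, n - 1)
        n = match(dst, /\.[0-9]+$/); dhost = substr(dst, 1, n - 1)
        len = 0
        for (i = 1; i < NF; i++) if ($i == "length") len = $(i + 1)
        if (shost == local) { r = dhost; out_p[r]++; out_b[r] += len }
        else if (dhost == local) {
            r = shost; in_p[r]++; in_b[r] += len
            if ($0 ~ /Flags \[S\]/) syn[r]++   # SYN without ACK: remote side opened it
        }
        else next                             # traffic between other hosts (LAN broadcasts etc.)
        hosts[r] = 1
    }
    END {
        for (r in hosts)
            printf "%-16s %7d %9d %7d %9d %7d\n", r, in_p[r], in_b[r], out_p[r], out_b[r], syn[r]
    }' | sort
}

sample_capture | summarize_capture 192.168.2.1
```

On a live system replace sample_capture with "tcpdump -nn -i eth0 -l" and the eth0 address; a remote host with many syn_in and almost no bytes is knocking on a port rather than exchanging data with a program you run.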
participants (7)
- C. Brouerius van Nidek
- Carl Hartung
- Carlos E. R.
- James Knott
- Per Jessen
- Randall R Schulz
- Theo v. Werkhoven