much network traffic: is there a problem here?
Kevin O'Gorman
kogorman at gmail.com
Mon Apr 2 03:35:03 UTC 2012
On Sun, Apr 1, 2012 at 5:16 PM, Kevin O'Gorman <kogorman at gmail.com> wrote:
> I've been trying to debug a problem with local connections, and turned
> to tcpdump(8) for help.
>
> I'm quite surprised at the amount of traffic even when I think of the
> system as idle.
> I expected ARP, NTP, and web spider/crawler traffic, but not much.
> I'm signing in with xfce these days, but have bits of both gnome and
> KDE installed.
>
> I know enough to struggle through and start identifying things, but
> I'm not experienced in doing this and I wonder if there are guides,
> shortcuts or advice about figuring out if there's something bad
> happening.
Hmm. I may have answered my own question. I started using the -F
(filter file) option of tcpdump, to look only at TCP and UDP, omitting
all packets with ports mdns, smtp, www, ntp, and ipp. This got rid of
admin traffic and name resolution, email, web, time and printer
sharing traffic.
If anyone else wants to try this, the filter was
( udp or tcp ) and not src port domain and not src port mdns and not
src port www and not src port ntp and not src port ipp and not src
port smtp and not dst port www and not dst port domain and not dst
port mdns and not dst port ntp and not dst port ipp and not dst port
smtp
There was nothing left except chatter from my wife's Windows machine,
plus one conversation I cannot account for. Something is exchanging
packets with a184-30-247-238.deploy.akamaitechnologies.com.https. I'm
not fearful about akamai, but I'm gonna track down the program doing
the conversation anyway.
So I used
netstat -l -n -p -A inet
to see listening sockets, noting two things I did not expect:
avahi-daemon and dhclient. I'll have to look those up. Apparently
the akamai traffic is not on a listening socket.
Dropping the -l to get all active sockets, I see that firefox has the
port engaged with akamai. No huge surprise. Probably because I've
got a google+ window open.
A search informed me that dhclient handles the DHCP that connects me
with my cable modem. Duh. And avahi finds stuff without configuration
hassles. Both good things for me to be running.
Bottom line: there are a few packets per second on average, less than 1%
of available bandwidth, and it's no problem. But I feel better now
that I checked.
--
Kevin O'Gorman, PhD
More information about the ubuntu-users mailing list
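The post's method is a two-step baseline check: first filter out traffic on ports you already expect so that only the unexplained flows remain, then use the socket table to find which process owns each remaining conversation. The script below is an added illustration of that procedure written for this archive page; it is not code from the poster or from the ubuntu-users list. It builds the tcpdump filter from a list of baseline port names (using `not port X`, which pcap treats as "neither source nor destination port is X", so it is equivalent to the poster's paired `not src port X and not dst port X` clauses), and it parses `netstat -n -p -A inet` output to answer "who is talking to this remote host?" and "which listeners are not on my expected list?". The netstat sample is constructed to resemble what the poster describes; the Akamai address, PIDs and local addresses are made-up stand-ins, not captured values.

```python
import re
from collections import namedtuple

# Port names the poster treated as expected background traffic.
BASELINE_PORTS = ("domain", "mdns", "www", "ntp", "ipp", "smtp")

# Constructed sample of `netstat -n -p -A inet` output (not a real capture).
# The remote address is a stand-in for the Akamai host named in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1244/cupsd
tcp        0      0 192.168.1.10:48122      184.30.247.238:443      ESTABLISHED 2143/firefox
tcp        0      0 192.168.1.10:48130      184.30.247.238:443      ESTABLISHED 2143/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1021/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           903/avahi-daemon
udp        0      0 192.168.1.10:123        0.0.0.0:*                           987/ntpd
"""

Conn = namedtuple(
    "Conn", "proto local_addr local_port remote_addr remote_port state pid program"
)

# One netstat row: proto, two queue counters, local, foreign, optional TCP
# state (UDP rows have none), then "PID/program" or "-" when not visible.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?:(?P<pid>\d+)/(?P<prog>.+)|-)\s*$"
)


def build_filter(ports=BASELINE_PORTS):
    """Return a tcpdump filter that keeps TCP/UDP but drops baseline ports.

    `not port X` excludes X as either source or destination port, matching
    the effect of the poster's `not src port X and not dst port X` pairs.
    Write the result to a file and pass it with `tcpdump -F <file>`.
    """
    clauses = ["( udp or tcp )"] + [f"not port {p}" for p in ports]
    return " and ".join(clauses)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals survive."""
    host, port = endpoint.rsplit(":", 1)
    return host, port


def parse_netstat(text):
    """Parse `netstat -n -p -A inet` output into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        local_host, local_port = split_endpoint(m["local"])
        remote_host, remote_port = split_endpoint(m["remote"])
        conns.append(Conn(
            proto=m["proto"],
            local_addr=local_host, local_port=local_port,
            remote_addr=remote_host, remote_port=remote_port,
            state=m["state"] or "",
            pid=int(m["pid"]) if m["pid"] else None,
            program=(m["prog"] or "").strip(),
        ))
    return conns


def programs_talking_to(conns, remote_host):
    """Programs with a socket whose foreign address is remote_host."""
    return sorted({c.program for c in conns if c.remote_addr == remote_host})


def listeners(conns):
    """Programs waiting for inbound traffic, as `netstat -l` would show them:
    TCP sockets in LISTEN, and UDP sockets with no connected peer."""
    return sorted({
        c.program for c in conns
        if c.state == "LISTEN"
        or (c.proto.startswith("udp") and c.remote_addr in ("0.0.0.0", "::"))
    })


def unexpected_listeners(conns, expected):
    """Listeners not on the operator's list of expected services."""
    return [p for p in listeners(conns) if p not in expected]


if __name__ == "__main__":
    print("tcpdump filter:", build_filter())
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("talking to 184.30.247.238:", programs_talking_to(conns, "184.30.247.238"))
    print("unexpected listeners:", unexpected_listeners(conns, {"cupsd", "ntpd"}))
```

On a live system the same workflow is `netstat -n -p -A inet` (or `ss -tunap`, which prints the owning process in a different column layout) run as root so that the PID/Program column is populated; without root, netstat shows `-` for other users' sockets and the regex records the program as empty.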