nethogs shows strange connections, what are they?

Asked by Redmar on 2010-06-08

I recently noticed strange network usage on my pc while I thought nothing was active. I found nethogs that shows the processes using the most bandwith. Running this it shows more than 10 processes using the network, but I do not understand the output:

PID USER PROGRAM
0 root ..17439-24.31.245.163:46730
0 root ..7439-96.245.108.247:40823

It seems these connections are related to a port I opened for Transmission (p2p), namely 17439. These connections still show up when I dont start transmission. Firestarter does show these connections getting blocked.

`sudo ps -ef` does not show any program with PID 0, so i'm still clueless as to what is going on here. Any suggestions/pointers would be appreciated.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu nethogs Edit question
Assignee:
No assignee Edit question
Solved by:
GREG T.
Solved:
2010-06-11
Last query:
2010-06-11
Last reply:
2010-06-10

You can know a bit more about them:
Open a Terminal and type

ps -fe

That should hint the command that launched them
Try killing them and seeing what happens

GREG T. (ubuntuer) said : #2

found this
NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. NetHogs does not rely on a special kernel module to be loaded. If there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this. This makes it easy to indentify programs that have gone wild and are suddenly taking up your bandwidth.

Since NetHogs heavily relies on /proc, it currently runs on Linux only.
 in my eyes this is[ for a desktop or laptop pc ] a waste of cup usage . you have system monitor that will work the same way.

Redmar (redmar) said : #3

@Federico Tello Gentile

ps -fe does not show any program with PID 0.

I have however found out that 17439 is the port transmission uses, which I have opened in the firewall of my router. So I think the output of nethogs is truncated, I tried running it in fullscreen but this did not change the size of the output.

I still would very much like to know what these strange connections are, am I hacked or something?

GREG T. (ubuntuer) said : #4

 go to the system monitor and click the resources tab take a look at the network history , to see if there is really traffic flow .

Redmar (redmar) said : #5

When transmission is running these programs do show upload activity, when Transmission is not active I only see incoming traffic.

I have disabled Transmission but left the port in my router open to see what would happen. I still see connections from this weird 'program', but now only incoming (low) traffic. When I installed Firestarter it showed that these connections get blocked.
Could it be that packets that are blocked get handled by something in the kernel that shows up as PID 0 root? I know very little of this and google hasn't been of much help.

Thanks for your time

GREG T. (ubuntuer) said : #6

i don`t know a lot about this ether . but these ports on your pc are not on mine . i would say if you can close them in the router do so .

Redmar (redmar) said : #7

That port is used for torrents, so I cant really close it. I'll edit the question and wait and see if somebody else knows what's going on, thanks for your time.

GREG T. (ubuntuer) said : #8

if that torrent is not able to be turned off and on as needed , then it is an open path into your system just waiting to be used

Redmar (redmar) said : #9

I use that to upload ubuntu and other free content, so its basically always on. I dont think ill be hacked just because I have one extra port open in my router, lots of people use torrents.
But I still would like to know what these weird 'programs' are though.

Best GREG T. (ubuntuer) said : #10

you could mark this as solved and re ask the question ,like " need help from long time linux user "
 or need help tracking down these open ports or need help from a very schooled linux user
 or something along these lines to get a person that helps with programming .

Redmar (redmar) said : #11

Thanks greg, that solved my question.

Usama Akkad (damascene) said : #12

I've similar problem. I'm using rtorrent in 'screen'. I've noticed that some connection just start after reboot without running any program. Is this a security attack or what? I've just installed firestarter to check it. I've opened port 62535 from my router and gufw.

###
Running rtorrent user 'tery' in 'screen' and running Nethogs from 'my-user'

NetHogs version 0.7.0

  PID USER PROGRAM DEV SENT RECEIVED
0 root ..:62535-41.99.69.133:58054 0.119 0.119 KB/sec
3650 tery rtorrent wlan0 0.014 0.011 KB/sec
0 root ..:62535-41.99.69.133:57981 0.000 0.000 KB/sec
0 root ..2535-124.13.103.203:15069 0.000 0.000 KB/sec
0 root ..:62535-41.99.69.133:57926 0.000 0.000 KB/sec
5325 my-user xchat-gnome wlan0 0.000 0.000 KB/sec
0 root ..:62535-41.99.69.133:57784 0.000 0.000 KB/sec
0 root ..:62535-41.99.69.133:57191 0.000 0.000 KB/sec
0 root ..:62535-41.99.69.133:57715 0.000 0.000 KB/sec
0 root ..:62535-41.99.69.133:57152 0.000 0.000 KB/sec
0 root unknown TCP 0.000 0.000 KB/sec

  TOTAL 0.133 0.129 KB/sec

raboof (arnouten) said : #13

The 'PID 0' is a bit misleading: nethogs shows a PID of 0 when it could not determine which program owns this connection.

This can commonly happen for programs that may use many short-lived connections, such as bittorrent clients and web browsers.

I changed nethogs to show '?' instead of '0', perhaps that might reduce the confusion

Alejandro R. Mosteo (mosteo) said : #14

I'm seeing the same with nethogs on the port I use for transmission. The problem is that these 'phantom' connections are taking as much as ~20kB/s of outgoing bandwidth (the BW use is more or less symmetrical). These connections happen many minutes after closing transmission. They don't have associated process, only the IP, nor wireless interface, yet they show in nethogs for the active wifi device.

I too was fearful of having been rooted. The only other possibility I can think of is that these are incoming attempts from former clients-in-touch, and some form of congestion control is responsible for the outbound part. I cannot make anything out with wireshark.

The '?' improvement on nethogs is worthwhile, and if someone could say if my second theory holds any water...

King Benny (allley-cat) said : #15

i detected something similar but i'm a total noob when it comes to this so i just did some observing with nethogs
with me it's definitely to do with torrents, the difference is visible immediately when running vuze or not
the theory i read that it has to do with delayed delivery because of congestion seems to make sense, when you run vuze and play around with the max number of global connections, set them to three or so a pattern becomes visible in netthogs output
maybe these torrents/connections are detected as separate processes?

what i see
the output is like this:
0 root ..:62535-41.99.69.133:57981 0.000 0.000 KB/sec
0 root ..2535-124.13.103.203:15069 0.000 0.000 KB/sec

if you turn down the number of connections the first numbers e.g the ..62535- and the ..2535- part keeps repeating but the rest which i suppose are ip-adresses and port numbers keep changing

like i said i'm far from an expert so pls dont burn me for my lack of technicality. I just thought i'd share what i observed and hope maybe it helps someone.
If an experienced user happens by here, i have als8o noticed that when my vpn is up i have about 15 to sometimes 30 percent more traffic over wlan0 than over ppp0 and no clue what this is ? Anyone could point me in the right direction there that would be greatly appreciated