Frightened: My Network manager and conky are both showing high levels of network activity, even when idle

Asked by AFarris01 on 2008-09-07

Ok, I've got an issue that's scaring me, that just started today, this morning. My system monitor, as well as my conky, are both reporting very high levels of internet usage, even when the computer is idle.

Both are reporting a usage rate of around 180kbps downspeed, even if the network cable is completely unplugged, and networking is disabled.

I've checked for open ports/strange system processes using Network Tools/System Monitor, both of which turned up nothing, and I've been monitoring my Firestarter logs ever since this happened, but nothing has turned up...

What's going on here??

Andrew

Question information

Language: English
Status: Solved
For: Ubuntu ntop
Assignee: No assignee
Solved by: AFarris01
Solved: 2008-09-08
Last query: 2008-09-08
Last reply: 2008-09-08
colinb (chbrown23) said : #1

If you want an easy way to see what you are connecting to on the internet, I'd use ntop.

Install by:-

     sudo apt-get install ntop

To start the app, open a terminal and:-

     sudo ntop -u root

ntop needs to be started as root as it requires privileged access to your network card or device. It starts a browser-based application which displays pretty much everything you need to know about your network. In a browser go to http://localhost:3000. Select the hosts option off the Summary menu ( http://localhost:3000/hostsInfo.html ) to give an idea as to which machines on the internet you are connecting to. The screen displayed off IP -> Summary -> Traffic also shows some useful information.

AFarris01 (afarris01) said : #2

Thanks very much colinb for that wonderful program. This is just the sort of thing I was looking for. Now I have a few updates:

I've noted a few times while I've been sitting here that the network activity drops to zero for about a minute or 2, before ramping back up to 180 kbps... and in addition, there's an extra entry under the network connections listed in Firestarter I never saw before... it's labeled as wmaster0. Never seen this before, and I have no idea what it is, but it's inactive, not doing anything, and after a quick forum search, I've seen a few posts that this is related to wireless connection issues... don't know if it's important or not, just thought I'd include it.

According to ntop, all my current *-to-local connections are using less than 5 kbps, yet at this time, my conky and system manager are both reporting between 179-180 kbps download speed, with the remote-to-local bandwidth currently in use resting at around 2.7-2.8 kbps...

Also, from the conky reports, if the current download rate were correct, I've downloaded around 3.5 GB of data today alone, and about 1.4 GB since I rebooted the computer last. However, the used disk space on all of my partitions is holding constant at 7.57 GB for /, 44.02 for /home, 74.32 for my media drive, and 218.32 for my general stuff drive. I've put this info here more for myself than anything else to make sure that it actually doesn't change... but it hasn't so far, so I doubt it will in the near future.

Also, I tried disconnecting from my wired network, and I connected to the network with wireless, and when I did this, the 180 kbps continued to show on the wired connection, and at the same time, on the wireless connection, the download rate ramped up to about 115 kbps, even before DHCP had responded.... and the reaction speed of the internet was ridiculously slow. However, the wireless activity dropped back to zero after I disconnected from that network.
The remote-to-local bandwidth reported by ntop actually dropped to 2.3 kbps on the wireless connection.

Finally, looking through the downloaded amounts listed in ntop, the totals don't even go above 100 MB of data downloaded today, as opposed to the 1.4 GB that the conky reports being downloaded in the last 2 hours.

so.......

I've sort of come to the conclusion that this is a bug of some sort, but it's still making me kinda nervous... is there any way I can make it stop?

Andrew

AFarris01 (afarris01) said : #3

In addition, I just checked back on my Firestarter log, and in the past 20 min I just had a huge number of blocked connections (about 3-5 per second) from widely varying addresses, using an 'unknown' service, and using the ICMP protocol. I suspect this could be related, but I still have no clue... I looked up some of the hostnames, and I'll include them here:

cs124.msg.mud.yahoo.com
ftp.belnet.be
hanwater.com
www.nic.funet.fi
ftpserv.tudelft.nl
fmasft.if.usp.br
mirror.cambrium.nl
archimeded.ds.karen.hj.se
ftp.sh.cvut.cz

Plus there were many more that I tried to do the lookup thing on, that failed. Keep in mind, this is while completely idle, not on the internet, not playing games, nothing... just sitting here, watching the messages pop up.

Is it possible that my computer is being attacked?

Charles Profitt (cprofitt) said : #4

If you have a second computer...

Run zenmap (a GUI front end for nmap) against the computer you are having issues with... see what ports it says are in use...

You might also want to use wireshark on the second computer and do some packet captures between your computer and the router.

Also run one or both of these:

chkrootkit
Rootkit Hunter

Tronyx (tronyx) said : #5

Hello,

Per the notion of PrivateVoid, are you familiar with Wireshark? I ask because it can be somewhat of a maze for a new user to navigate, but it will record any network activity so you can discover what it is that is causing these weird bumps in traffic. For a start, I would close all browsers, chat protocols, P2P applications, etc., and simply start a capture. You will most likely see some of the usual stuff like DHCP traffic or traffic from your router (assuming you are behind one), but as for other stuff... well, that is what we need to find out.

Is this machine simply a home machine or is it used as a web server too or any other public services?

Thanks

AFarris01 (afarris01) said : #6

Firstly, I'd like to thank everybody for all the help and quick responses I've been getting.

This computer is only used as a regular home computer. The only special service I have on here is that I share my printer with my small home network.

Now on with details... I ran chkrootkit and it didn't discover anything suspicious on my computer. Thanks for the tip though!
I'm not familiar with Wireshark, and have actually never heard of it before. I was going to give it a try, but I decided to try calling my ISP to see if they could track bandwidth usage (to see if I was actually downloading stuff at 180 kbps, or if it was a bug), which they couldn't. However, the tech I talked to suggested rebooting the modem and router, to see if they had possibly got stuck in a loop of some sort. So I went ahead and shut them down, let them cool off, then restarted them, and tada! No more downloads being reported!

I went ahead and ran zenmap from my laptop against my computer anyway, and this was all it found:
631/tcp open ipp CUPS 1.2

which is understandable, since I do share my print server on the network...

I think the issue is resolved now though... I'll re-open the question should the need arise, but I believe the ghost is gone from this machine!

Thanks everyone who offered input! This is why I love being a member of this community :)

Case Closed!

Andrew

Charles Profitt (cprofitt) said : #7

Glad your mind is at ease... you can always run the zenmap tool against it on occasion to confirm.

AFarris01 (afarris01) said : #8

I finally discovered what the real problem was just a day or so ago, and I thought I'd share with everyone...

This started happening again a few days ago, so I panicked again, and went through all the steps up above, but it wouldn't go away.... I ran zenmap again, looked at ntop, nothing... so I started looking to alternative causes, and made a discovery...

Basically it boils down to my own negligence, and to my incessant need to tinker with things. Here's what happened:

A few weeks before this incident first occurred, I had been experimenting with PulseAudio's network-streaming abilities, because my dad has been wanting to put a computer into his entertainment center so he could dub his old record albums onto CDs, and so he could play CDs over our living room's sound system when we've got guests over. However, usually he would just borrow my brother's compy for playing them, since it's already closer to where everyone gathers anyway, and he's got a 5.1 surround system. Then I had the thought: if I put the computer on our network, I could set up PulseAudio to stream music from my computer, my brother's computer, or the entertainment center's computer across the TV sound system, my 5.1 system, and my brother's 5.1 system, effectively covering the whole house in sound.

So, I began tinkering with the setup on my brother's computer and my own as a testbed, before I actually set anything bigger in motion. Basically, I couldn't get it to work, so I disabled all the PulseAudio networking stuff on my computer and forgot about it.

The problem came when my brother started listening to a lot more music than normal... because I foolishly forgot to disable all the network stuff on his end too, so every time he'd fire up Rhythmbox, he would flood the network with the live audio stream, slowing everything down, and since it was trying to loop to my local speakers, it would ruin my net connection worst of all, show a tremendous download rate, but my disks would keep a constant space availability. This is because the stream was just trying to write to the local sink, then just drop :)

So, I disabled the network streaming on my brother's computer, and THAT is case closed... now it actually has stopped. I even re-enabled it to make sure that was the cause, and as soon as I did, the download rate fired back up.

So... now that that's taken care of, I'm seriously considering stripping PulseAudio off my computer, and just going back to using straight ALSA... I just never figured out how to get my 5.1 to work correctly with it...

Anyway, thanks to everyone once again who helped me out. Greatly appreciate it!

Andrew
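The mismatch in #2 (conky and the system monitor at ~180 kbps, ntop's remote-to-local figure under 3 kbps, disk usage flat) and the cause found in #8 fit together once you know where each number comes from: conky and the system monitor read the kernel's per-interface byte counters in /proc/net/dev, while ntop's remote-to-local view only counts traffic it attributes to IP flows with a remote end, so a LAN-local audio stream inflates the first and barely touches the second (for scale, uncompressed 44.1 kHz 16-bit stereo PCM is 176,400 bytes/s). The following is an added example, not code from anyone in this thread: it parses two constructed /proc/net/dev snapshots, computes per-interface receive rates and the multicast share of new packets (a stream addressed to the whole segment shows up there), and flags interfaces whose counter rate the flow-level figure cannot explain; the 2,800 B/s flow figure for eth0 is a constructed stand-in for an ntop reading.

```python
# Constructed sample: two /proc/net/dev snapshots one second apart. Column order
# is the kernel's: rx bytes packets errs drop fifo frame compressed multicast,
# then tx bytes packets errs drop fifo colls carrier compressed.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     100    0    0    0     0          0         0    12000     100    0    0    0     0       0          0
  eth0: 5000000    8000    0    0    0     0          0      7000   400000    3000    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12500     104    0    0    0     0          0         0    12500     104    0    0    0     0       0          0
  eth0: 5180000    8125    0    0    0     0          0      7122   401000    3010    0    0    0     0       0          0
"""

def parse_net_dev(text):
    """Parse /proc/net/dev text into {iface: counters}; skips the two header lines."""
    counters = {}
    for line in text.splitlines()[2:]:
        iface, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 16:
            continue  # malformed or truncated line
        counters[iface.strip()] = {
            "rx_bytes": int(fields[0]), "rx_packets": int(fields[1]),
            "rx_multicast": int(fields[7]), "tx_bytes": int(fields[8]),
        }
    return counters

def interface_rates(before, after, interval_s):
    """Per-interface receive bytes/s and the multicast share of packets received in the interval."""
    rates = {}
    for iface, b in before.items():
        a = after.get(iface)
        if a is None:
            continue  # interface disappeared between snapshots
        pkts = a["rx_packets"] - b["rx_packets"]
        mcast = a["rx_multicast"] - b["rx_multicast"]
        rates[iface] = {"rx_bps": (a["rx_bytes"] - b["rx_bytes"]) / interval_s,
                        "mcast_share": mcast / pkts if pkts else 0.0}
    return rates

def flag_unattributed(rates, flow_rx_bps, threshold_bps=50_000):
    """Interfaces whose counter rate exceeds the flow-level figure by more than threshold_bps."""
    return sorted(i for i, r in rates.items()
                  if r["rx_bps"] - flow_rx_bps.get(i, 0.0) > threshold_bps)

if __name__ == "__main__":
    rates = interface_rates(parse_net_dev(SNAP_T0), parse_net_dev(SNAP_T1), 1.0)
    print(rates, flag_unattributed(rates, {"eth0": 2800.0}))
```

On a live system, replace the constructed strings with two reads of /proc/net/dev a known interval apart; an interface that is flagged while its multicast share is near 100% is receiving segment-wide traffic rather than anything a remote host is sending to it specifically.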