# [SOLVED, mostly] Continuous small load on eth0

## tobim

Hi, everyone,

My gkrellm shows a continuous small download of about 8K on my eth0 wired network card. This persists even if I shut down all programs and daemons that I think would want to access the network (except dhcpcd, of course). Two questions:

1) Should I be worried that something malicious is going on?

2) For my own personal learning: what is a good way to figure out what processes that are currently running access a particular device (for example eth0)?

Thanks!

Last edited by tobim on Fri Jul 06, 2007 8:34 pm; edited 1 time in total

----------

## di1bert

To check what's running on the interface you can install net-analyzer/tcpdump and run the following:

```
tcpdump -n -i eth0
```

That'll show you exactly what's running over that link. If the console scares you a little, check out net-analyzer/wireshark which is a great X network analyzer.

To check what's listening, run the following:

```
netstat -natp | grep LIST
```

for TCP traffic. For UDP, run:

```
netstat -aun
```

That should give you enough to start with. 

-m

----------

## tobim

Thanks for these, di1bert. Always nice to learn something new.

```
netstat -natp
```

doesn't show that anything is listening when I have my various daemons shut down, so I'm guessing nothing too malicious is going on. I have to do some manual reading in order to figure out how to interpret the output from tcpdump, and I guess if I can do that, I might be able to figure out what's causing this 8K continuous download.

----------

## di1bert

Paste a few lines from the output and we can go through it. I found tcpdump a little daunting when I first started using it so I know how you feel...

-m

----------

## tobim

Thanks for the offer, di1bert!

Here's 50 packets. Let me know if you want more.

```
# tcpdump -n -i eth0 -c 50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:35:40.355750 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 3736958537 win 65535
13:35:40.360078 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 2905 win 65535
13:35:40.362295 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 4357 win 65535
13:35:40.366680 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 7261 win 65535
13:35:40.368961 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 8713 win 65535
13:35:40.373801 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 11617 win 65535
13:35:40.376074 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 13069 win 65535
13:35:40.380872 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 15973 win 65535
13:35:40.382682 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 17425 win 65535
13:35:40.386714 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 19719 win 65535
13:35:40.390998 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 22623 win 65535
13:35:40.393028 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 24075 win 65535
13:35:40.393633 802.1d unknown version
13:35:40.395478 02:1f:81:4f:7a:31 > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x886f), length 1510:
        0x0000:  bf01 dec0 0402 0000 1f00 0000 814f 7a31  .............Oz1
        0x0010:  814f 7a27 1e00 1e00 0100 0200 e94f 8f43  .Oz'.........O.C
        0x0020:  5c7d 8d01 0000 0000 0000 0000 00f0 ff6f  \}.............o
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000                                     ..
13:35:40.397797 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 26979 win 65535
13:35:40.399959 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 28431 win 65535
13:35:40.404253 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 31335 win 65535
13:35:40.406263 IP 129.79.201.127.2637 > 129.79.121.231.443: . ack 189238621 win 16591
13:35:40.406418 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 32787 win 65535
13:35:40.406839 IP 129.79.201.127.2637 > 129.79.121.231.443: . ack 2 win 16591
13:35:40.410849 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 35691 win 65535
13:35:40.413598 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 37143 win 65535
13:35:40.418199 IP 122.167.198.29.3031 > 129.79.121.231.80: . ack 3328579856 win 65535
13:35:40.418265 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 40047 win 65535
13:35:40.420487 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 41499 win 65535
13:35:40.424665 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 44403 win 65535
13:35:40.428562 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 45855 win 65535
13:35:40.433087 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 48759 win 65535
13:35:40.435194 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 50211 win 65535
13:35:40.439183 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 52505 win 65535
13:35:40.443342 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 55409 win 65535
13:35:40.445619 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 56861 win 65535
13:35:40.450732 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 59765 win 65535
13:35:40.453031 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 61217 win 65535
13:35:40.457173 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 64121 win 65535
13:35:40.459359 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 65573 win 65535
13:35:40.463841 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 68477 win 65535
13:35:40.466798 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 69929 win 65535
13:35:40.469733 02:20:81:4f:7a:31 > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x886f), length 1510:
        0x0000:  bf01 dec0 0402 0000 2000 0000 814f 7a31  .............Oz1
        0x0010:  814f 7a24 1f00 1e00 0100 0200 2329 8f43  .Oz$........#).C
        0x0020:  747d 8d01 0000 0000 0000 0000 00f0 ff6f  t}.............o
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000                                     ..
13:35:40.471209 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 72833 win 65535
13:35:40.473519 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 74285 win 65535
13:35:40.477513 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 77189 win 65535
13:35:40.479792 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 78641 win 65535
13:35:40.484500 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 81545 win 65535
13:35:40.486632 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 82997 win 65535
13:35:40.490480 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 85291 win 65535
13:35:40.492823 IP 62.169.96.181.1378 > 129.79.121.231.80: . ack 1370129516 win 17520
13:35:40.494795 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 88195 win 65535
13:35:40.496899 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 89647 win 65535
13:35:40.500313 arp who-has 129.79.121.103 tell 129.79.121.231
50 packets captured
100 packets received by filter
0 packets dropped by kernel
```

Thanks!

----------

## di1bert

Looks like your traffic is simply https traffic to 129.79.121.231 (kelley.iu.edu)

Let's break it down a little...

> 13:35:40.355750 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 3736958537 win 65535

The first bit (13:35:40.355750) is simply the time...then there's the protocol as far as I remember (IP), then it's the client connection with the port tagged onto the end (75.55.80.100.3087) and where it's connecting to (129.79.121.231.443).

I'm not sure what the last two fields are....my memory is a little shaky of late  :Wink: 

What's running on your system that would be making an HTTPS connection out ? Checking mail perhaps ?

-m
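The two fields di1bert leaves open are the TCP acknowledgement number (`ack N`) and the receiver's advertised window (`win N`). Note that tcpdump prints the first ack of each flow it sees as an absolute value and every later one relative to it (unless `-S` is given), which is why the capture above jumps from `ack 3736958537` to `ack 2905`. The script below is an added example, not something from this thread or from the tcpdump project: it reads tcpdump one-line output, groups packets into flows relative to a local address you supply, counts packets per flow, uses the relative ack numbers to estimate how many bytes the remote side acknowledged during the capture, and tallies non-IP frames (ARP, 802.1d, the unknown-ethertype broadcasts) separately so they do not get lost. The sample lines are copied from the capture posted above; the local address `129.79.121.231` is taken from the `arp ... tell` line.

```python
"""Summarise tcpdump one-line output per flow (added example, not part of the thread)."""
import re
from collections import defaultdict

# Default tcpdump one-line format for IPv4 TCP/UDP packets, e.g.
# "13:35:40.355750 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 2905 win 65535"
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
ACK = re.compile(r"\back (?P<ack>\d+)\b")
# Any other timestamped line: arp, 802.1d, raw ethertype frames. Hex-dump
# continuation lines and the trailing "N packets captured" summary match neither.
OTHER_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<kind>\S+)")

# Sample lines taken from the capture posted earlier in the thread.
SAMPLE_CAPTURE = """\
13:35:40.355750 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 3736958537 win 65535
13:35:40.360078 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 2905 win 65535
13:35:40.362295 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 4357 win 65535
13:35:40.366680 IP 75.55.80.100.3087 > 129.79.121.231.443: . ack 7261 win 65535
13:35:40.393633 802.1d unknown version
13:35:40.406263 IP 129.79.201.127.2637 > 129.79.121.231.443: . ack 189238621 win 16591
13:35:40.406839 IP 129.79.201.127.2637 > 129.79.121.231.443: . ack 2 win 16591
13:35:40.418199 IP 122.167.198.29.3031 > 129.79.121.231.80: . ack 3328579856 win 65535
13:35:40.500313 arp who-has 129.79.121.103 tell 129.79.121.231
"""


def summarize(capture_text, local_ip):
    """Group packets into flows keyed by (remote_ip, remote_port, local_port, direction).

    direction is "in" for packets addressed to local_ip, "out" for packets it sends,
    and "transit" for anything else seen on the wire. bytes_acked is the largest
    relative ack seen after a flow's first packet, i.e. how many bytes the remote
    side acknowledged (data sent by the other end) while the capture ran.
    """
    flows = {}
    other = defaultdict(int)
    for raw in capture_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_LINE.match(line)
        if not m:
            o = OTHER_LINE.match(line)
            if o:
                other[o["kind"]] += 1
            continue
        if m["dst"] == local_ip:
            key = (m["src"], m["sport"], m["dport"], "in")
        elif m["src"] == local_ip:
            key = (m["dst"], m["dport"], m["sport"], "out")
        else:
            key = (m["src"], m["sport"], m["dport"], "transit")
        stats = flows.setdefault(key, {"packets": 0, "bytes_acked": 0, "first_seen": m["ts"]})
        stats["packets"] += 1
        a = ACK.search(m["rest"])
        # The first ack of a flow is absolute; only the later, relative ones count.
        if a and stats["packets"] > 1:
            stats["bytes_acked"] = max(stats["bytes_acked"], int(a["ack"]))
    return {"flows": flows, "other": dict(other)}


def top_talkers(summary, n=3):
    """Flows ordered by packets seen, busiest first."""
    return sorted(summary["flows"].items(), key=lambda kv: kv[1]["packets"], reverse=True)[:n]


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE, "129.79.121.231")
    for (rip, rport, lport, direction), st in top_talkers(result):
        print(f"{direction:>7} {rip}:{rport} <-> local:{lport} "
              f"packets={st['packets']} bytes_acked={st['bytes_acked']}")
    print("non-IP frames:", result["other"])
```

In practice you would feed it `tcpdump -n -i eth0 -c 500 > cap.txt` and pass the file contents in; the busiest flow and its local port tell you which listening service (matched against the `netstat -natp` output) to look at, and a flow whose local end is a high, unlisted port with `direction == "out"` is the one to chase back to a process.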

----------

## tobim

Thank you for this, di1bert.

Not sure what's making that connection. I'll have to investigate. Shouldn't have been checking mail at that time, since I thought I had turned off everything I could think of. But since most of those connections are to my business school's server, it shouldn't be too threatening, unless that is under the control of a botmaster, but, you know what? In that case, kudos to him (or her? is she hot?) \begin{daydream} \end{daydream}

I'll have to see what's doing this when I'm back at the office, which won't be for another week, as before then I can't turn off all services remotely and stay connected to my machine, since the famous final communication with your remote server, of course is

```
killall sshd
```

 :Smile: 

Once again,  I appreciate the help.

----------

