# continuous network activity -- what is it?

## dcljr

Around 26 hours ago, my system monitor panel applet (gnome-system-monitor) started showing constant network activity for no apparent reason (the computer had been on for several hours at that point, and I hadn't done anything strange, AFAIK). I checked the processes (that tab in the same system monitor) and didn't see anything out of the ordinary. Nothing was running that would be using the network except the weather panel applet (which did have some problems connecting for Austin, TX, information earlier in the evening -- but, anyway, it was sleeping), and whatever sundry daemons are fired up in the latest stable Gentoo / Gnome (2.20.3) desktop setup (see output below).

Anyway, concerned that maybe I was being "attacked" from without, I shut everything down and rebooted the machine. The same phenomenon was occurring. So I checked /var/log/* and didn't see anything strange being logged. After rebooting my cable modem (unplug, wait, plug back in) and then the computer again, it was still happening. So I just shut down, unplugged the cable modem, and went to sleep, figuring it was a Time Warner problem that would clear up overnight.

Well, this evening when I plugged the cable modem back in and booted up, the same thing was happening. A constant 130-170 KBps stream of something being received from the net. I (think I) can tell it's actual internet activity and not simply internal ethernet communications because my cable modem's "recv" light is constantly on, as opposed to blinking intermittently.

A phone call to Time Warner tech support was not very helpful, but I finally got someone who could verify that they weren't sending anything special to my modem (like a firmware/software/whatever update). We also confirmed no packet loss or other errors, even after he "torture tested" the modem for a bit. It also doesn't seem to be adversely affecting my bandwidth when up- and downloading files.

Bottom line: a steady stream of data seems to be getting continuously received by my machine from startup to shutdown (with little or none being transmitted, except what I specifically request -- e.g., web browsing), but I have no idea what it is! So how can I tell what it is?? (More specific questions follow voluminous output below.)

Here's the output of top:

```
top - 02:20:07 up  2:58,  2 users,  load average: 0.13, 0.09, 0.26
Tasks:  80 total,   4 running,  76 sleeping,   0 stopped,   0 zombie
Cpu(s):  2.7%us,  0.3%sy,  0.0%ni, 96.7%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:    645992k total,   333912k used,   312080k free,    10336k buffers
Swap:   749944k total,      168k used,   749776k free,   162716k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 6506 root      15   0  288m  11m 6448 R  2.0  1.8   0:32.29 X
 6852 dcljr     15   0  152m  52m  20m S  0.7  8.3   1:10.97 firefox-bin
 6751 dcljr     15   0 44300  17m  13m S  0.3  2.8   0:04.65 gnome-panel
 6829 dcljr     15   0 25008  10m 9036 R  0.3  1.7   0:01.81 multiload-apple
    1 root      15   0  1600  548  472 S  0.0  0.1   0:00.85 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:15.63 ksoftirqd/0
    3 root      10  -5     0    0    0 S  0.0  0.0   0:00.26 events/0
    4 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khelper
    5 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
    8 root      16  -5     0    0    0 S  0.0  0.0   0:00.00 kblockd/0
    9 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
   94 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kseriod
   95 root      14  -5     0    0    0 S  0.0  0.0   0:00.01 kgameportd
   98 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd
  165 root      25   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
  166 root      15   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
  167 root      10  -5     0    0    0 S  0.0  0.0   0:09.38 kswapd0
```

(I purposely stopped it when gnome-panel and multiload-applet were active -- they were only showing intermittent CPU usage and should be reflecting only the gnome-system-monitor activity, AFAIK.)

Here's ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:0F:EA:FB:03:7A
          inet addr:70.<snip>.<snip>.<snip>  Bcast:255.255.255.255  Mask:255.255.224.0
          UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
          RX packets:5266545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1749319181 (1668.2 Mb)  TX bytes:1923431 (1.8 Mb)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)
```

Note the 1.6 GB received in about 3 hours since my last boot -- almost all from this mysterious, continuous "background" network activity.

Here's rc-status -a:

```
Runlevel: boot
 alsasound                                                          [ started  ]
 bootmisc                                                           [ started  ]
 checkfs                                                            [ started  ]
 checkroot                                                          [ started  ]
 clock                                                              [ started  ]
 consolefont                                                        [ started  ]
 hostname                                                           [ started  ]
 keymaps                                                            [ started  ]
 localmount                                                         [ started  ]
 modules                                                            [ started  ]
 net.lo                                                             [ started  ]
 rmnologin                                                          [ started  ]
 urandom                                                            [ started  ]
Runlevel: default
 avahi-dnsconfd                                                     [ started  ]
 cupsd                                                              [ started  ]
 dbus                                                               [ started  ]
 hald                                                               [ started  ]
 local                                                              [ started  ]
 metalog                                                            [ started  ]
 net.eth0                                                           [ started  ]
 netmount                                                           [ started  ]
 vixie-cron                                                         [ started  ]
 xdm                                                                [ started  ]
Runlevel: nonetwork
 local                                                              [ started  ]
Runlevel: single
Runlevel: UNASSIGNED
 avahi-daemon                                                       [ started  ]
 consolekit                                                         [ stopped  ]
 crypto-loop                                                        [ stopped  ]
 device-mapper                                                      [ stopped  ]
 dmcrypt                                                            [ stopped  ]
 dmeventd                                                           [ stopped  ]
 esound                                                             [ stopped  ]
 gpm                                                                [ stopped  ]
 hdparm                                                             [ stopped  ]
 hotplug                                                            [ stopped  ]
 mit-krb5kadmind                                                    [ stopped  ]
 mit-krb5kdc                                                        [ stopped  ]
 nscd                                                               [ stopped  ]
 numlock                                                            [ stopped  ]
 pydoc-2.4                                                          [ stopped  ]
 pydoc-2.5                                                          [ stopped  ]
 rsyncd                                                             [ stopped  ]
 smartd                                                             [ stopped  ]
 sshd                                                               [ stopped  ]
 udev-postmount                                                     [ started  ]
```

And here's lspci -v, if that might help:


Here's a dmesg from my last reboot (looks like the top has been cut off):


And here's emerge --info (note that I haven't emerge'd anything since Sunday, and I boot and shutdown my machine every day):

```
Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.18-gentoo-r6tweak i686)
=================================================================
System uname: 2.6.18-gentoo-r6tweak i686 AMD Sempron(tm) 2500+
Timestamp of tree: Sat, 16 Aug 2008 20:00:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r13, 2.5.2-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://www.gtlib.gatech.edu/pub/gentoo http://mirror.phy.olemiss.edu/mirror/gentoo http://gentoo.mirrors.pair.com/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa avahi berkdb bluetooth branding bzip2 cairo cdr cjk cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3support quicktime readline reflection sdl session spell spl sse ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="via82xx" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nv vesa vga fbdev"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

Again, my basic question is: How can I tell what the data being received over the cable modem actually is?

More specifically:

- How can I tell what processes are using ethernet for external communication with the internet, as opposed to internal, interprocess communication (which shouldn't be shown in the system monitor, right?)?
- How can I tell what my machine is actually doing (if anything) with the data being received over the cable modem?
- How can I tell what IP address the information is coming from (since Time Warner disavows any knowledge of its origins)? Or what port it's coming in on? Or, well, pretty much anything about it?

Sorry in advance for my ignorance... I'm going to shutdown now and check for answers in about 10-12 hours.

OBTW, if anyone notices anything strange in any of the output above, even if it doesn't have anything to do with my problem, please let me know. :)

 - dcljr

----------

## bunder

check /var/log/auth.log... it was probably ssh bots trying to log into your machine.  it happens.  best thing to do is either lock down sshd to places you know you're going to connect from, or use fail2ban/alternate-ip-banning-method-here

cheers

things to try:

iftop/ntop

netstat -p

----------

## lesourbe

unknown network activity ?

sniff it !

NB : if you are unsure of your box, do it from outside [your box].

EDIT : (I read your post again and then I understand you don't know how to sniff).

from your box install wireshark (or similar) and use it.

or from outside use wireshark connected on a hub (a switch would induce extra work)

----------

## Akkara

1.6GB in 3 hours is *a lot* of traffic, especially if you don't know where it is coming from.

Is it possible that something got stuck in a routing loop and that what you're seeing is the same traffic bouncing between your computer and the router several times?

I don't think these are ssh attempts - it is hard to generate 1.6GB in 3 hours with ssh attempts.

Also, if you've been hacked, I'd expect there would be a lot more outgoing data (a bot to send spam, for example).  Unless they're using your box as a ftp server, but even then, I'd expect a lot more outgoing.

Maybe try a lsof to see what files are open.  Check for unusual-looking ones.

Perhaps someone is trying to denial-of-service flood you for some reason. When you reset your modem, did you get a different ip address?  If not, try resetting until you do and see if the problem goes away.

Try tcpdump for a quick looksee of what's coming down the wire and from where.  Try it without any net activity that you caused.

----------

## lesourbe

 *Akkara wrote:*   

> Try tcpdump for a quick looksee of what's coming down the wire and from where.  Try it without any net activity that you caused.

 

similar result to wireshark, but as dcljr says he is not an expert and he has X running, wireshark (kinda tcpdump with a gui) would be better advice.

----------

## nativemad

"netstat -npt", "iptraf" and "ntop" can also give you helpful infos...

----------

## dcljr

 *bunder wrote:*   

> check /var/log/auth.log... it was probably ssh bots trying to log into your machine.

 

Nope. Nothing unusual in /var/log/* (i.e., any of the logs that are newer than the last boot). I've had sshd disabled since last year (last failed login attempt Nov 26th), since I never log in remotely to my machine.

I'll post the results of the various suggested checks after I reboot (have been checking e-mail, web-browsing, and installing some suggested applications since I last booted -- will (re)start with a clean slate in a moment).

BTW, the problem's still happening, but I noticed I have a new IP address today, so that rules out an attack on that particular IP address I was on.

Oh, and I don't think I mentioned that the problem appears to be happening even when the computer is off! The "recv" light on the cable modem lights up solid from the moment the modem syncs until I disconnect the power cord. Even shutting down the computer doesn't result in any apparent change in the activity being shown on the cable modem itself. (Time Warner verified that this is not normal behavior.) Obviously (I would think) this is a big hint that the problem is not something caused by my computer!

 *Akkara wrote:*   

> Is it possible that something got stuck in a routing loop and that what you're seeing is the same traffic bouncing between your computer and the router several times?

 

How would I know? (I mean that literally, not sarcastically.) If this will show up when I do something already suggested, stand by for posted output. In any case, wouldn't that be unlikely since there's very little data being transmitted out? And now that my IP address has changed....

Anyway, back in a moment...

EDIT: No, sorry, this will have to wait till tomorrow...

 - dcljr

----------

## Hu

Since dcljr started out the thread without knowing about sniffing packets, it would be better to have him use net-analyzer/tcpdump to capture a sample of the traffic and post it for us to analyze, rather than expecting him to make sense of the output in Wireshark.

dcljr: once you have tcpdump installed, run it as `tcpdump -p -c 1024 -w ~/noise.pcap`.  It will default to capturing on eth0.  If that is not your external interface, you will need to add `-i interface` to specify the correct interface.  It will collect 1024 packets to ~/noise.pcap, then exit.  You can then run it as `tcpdump -r ~/noise.pcap -v -n` to print the results to console, or you can send the pcap to a knowledgeable person for them to examine.  Caution: this capture will also contain any legitimate network activity that occurs during the period, so do not send e-mail or send any information that you would object to being publicly known, such as using IRC in a private channel.

----------

## dcljr

 *Hu wrote:*   

> it would be better to have him use net-analyzer/tcpdump to capture a sample of the traffic and post it for us to analyze

 

Well, of course today it's doing something different. Same basic problem, but it's not continuous like it was before. Let's back up...

Last night I installed iptraf, along with the other things already suggested (except not tcpdump). I fired it (iptraf) up, and saw that I was getting a steady stream of 328-byte UDP packets -- actually, I should say a steady torrent, since getting up to 170 KBps with 328-byte packets means a rate of over 500 packets per second! (Although maybe I'm not taking all the traffic into account -- see below.) Anyway, they were coming from a 10.*.*.* IP address (I didn't write it down), which I whois'd to find that it's in an IANA-reserved range for "special purposes" (citing RFC 1918). So, I figured that probably meant it was indeed coming from a Time Warner machine, so I shutdown, unplugged the modem, and went to bed.

Today I plugged in the modem, and the "recv" light wasn't glowing constantly, as before; it was flickering intermittently. I booted up and saw that I'm getting not a torrent of data, but just a trickle: about 1.4-1.7 KBps.

iptraf now says:

```
UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (340 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (355 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (352 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (343 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (334 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (343 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (334 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
UDP (343 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
```

The IP address is probably the same as last night, but now the packets are not all 328 bytes, and the lines are appearing at only about 1 every 1-3 seconds (since they were all the same last night, I couldn't tell how quickly they were scrolling by, but the "Pkts captured" count was screaming -- now it's just plodding along at about 20 per second). This is all very odd because none of those numbers seem to match (300-something bytes every 1-3 seconds != 20 packets per second != 1.4-1.7 KBps). So clearly I don't know how to interpret this stuff...

Anyway, I called Time Warner and the guy I talked to confirmed that this was coming from one of their machines (apparently in Germany??), but he didn't know why. He said it looked like some kind of "popup" somethingerother that usually shows up on screen. (!?) I wonder if I would be seeing something pop up if I were using Windows....

The guy said the best thing to try at this point is to just get a new cable modem and see if that "fixes" the problem. Of course, the local office closed about 3 minutes before he said that. So I'll have to get it on Monday.

Of course, if the phenomenon changes later today or tomorrow, I'll post about it here, including more diagnostic output. I've installed tcpdump now, so I can do that the next time I reboot. (As before, I'd like to do all the diagnostics before I start browsing the web.)

So... if you're still interested, just Stand By and I'll post again maybe tomorrow or, if not, then on Monday. If the problem does clear up with the new modem, I'll be sure to let you know.

 - dcljr

----------

## Hu

 *dcljr wrote:*   

> So, I figured that probably meant it was indeed coming from a Time Warner machine, so I shutdown, unplugged the modem, and went to bed.

 

Generally, yes.  However, some ISPs have been known to have such poorly written egress filtering rules that traffic with a reserved source address can cross between ISPs.

 *dcljr wrote:*   

> iptraf now says:
> 
> ```
> UDP (328 bytes) from 10.65.192.1:67 to 255.255.255.255:68 on eth0
> ...
> ```

 

These are all BOOTP/DHCP related.  They should not be sending it to you, but it is not dangerous and not an attack.

 *dcljr wrote:*   

> Anyway, I called Time Warner and the guy I talked to confirmed that this was coming from one of their machines (apparently in Germany??), but he didn't know why. He said it looked like some kind of "popup" somethingerother that usually shows up on screen. (!?) I wonder if I would be seeing something pop up if I were using Windows....

 

I am not aware of any commonly used application on Linux or Windows that would generate a popup in reaction to BOOTP.  It could be someone sending on the wrong port, but there would be no point to that.  Time Warner does have a recurring problem with people sending Windows Messenger popups, which may be what the technician saw.  

 *dcljr wrote:*   

> The guy said the best thing to try at this point is to just get a new cable modem and see if that "fixes" the problem. Of course, the local office closed about 3 minutes before he said that. So I'll have to get it on Monday.

 

Unless the traffic is originating from the cable modem itself, I doubt swapping out the modem will fix anything.

 *dcljr wrote:*   

> I've installed tcpdump now, so I can do that the next time I reboot.

 

The output from iptraf showed most of the interesting details.  You could continue using it unless you need to see the packet payload.

----------

## poly_poly-man

hmm... at one point I had a similar problem (not sure how much data) - turns out, it was ktorrent leaving DHT open....

I was going to suggest it until you figured it out...

my 2 cents.

----------

## wdsci

For what it's worth, Wireshark can save capture data in the same libpcap format used by tcpdump.  So I would still recommend installing Wireshark; for one thing, it's way easier to use than command-line tcpdump (since there are buttons and combo boxes for all the settings, you don't have to remember a bunch of command-line options); also, it will allow you to examine the packets yourself in an attractively colored GUI, if you'd like to learn about network traffic.  When you want to send someone a report of your network traffic, or post it on the forum ;), you can just use Wireshark to save the capture in your format of choice (libpcap, plain text, CSV, XML, etc.), and it will even let you pick out just the interesting part of the capture to save to the file, rather than the whole thing.

----------

## dcljr

Okay, here's where we stand: The phenomenon continues, but at such a low level, I don't know if it was doing this before I noticed the "torrent" (not of the "bit-" variety -- I haven't installed any P2P software on my machine) starting a few days ago, which prompted my original message.

Before, I said...

 *dcljr wrote:*   

> now the packets are not all 328 bytes, and the lines are appearing at only about 1 every 1-3 seconds (since they were all the same last night, I couldn't tell how quickly they were scrolling by, but the "Pkts captured" count was screaming -- now it's just plodding along at about 20 per second). This is all very odd because none of those numbers seem to match (300-something bytes every 1-3 seconds != 20 packets per second != 1.4-1.7 KBps).

 

But then I discovered you can turn on monitoring of different kinds of traffic, so now I'm seeing a bunch of ARP requests mixed in among the UDP's (this explains the discrepancy in the packet counts and rates mentioned above).

In lieu of iptraf output, which I don't know how to dump to a file, here's what `tcpdump -p -c 1024 -w ~/noise.pcap ; tcpdump -r ~/noise.pcap -v -n` turned up right after booting up this evening -- which basically matches what I'm now seeing in iptraf (I used 256 instead of the suggested 1024 because the traffic has slowed so much):

```
22:37:35.749298 arp who-has 70.112.229.102 tell 70.112.224.1

22:37:35.758308 arp who-has 72.177.52.198 tell 72.177.48.1

22:37:35.783419 arp who-has 70.112.238.229 tell 70.112.224.1

22:37:35.825209 arp who-has 70.112.251.144 tell 70.112.224.1

22:37:35.903982 IP (tos 0x0, ttl 255, id 1433, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x62edbea0, Flags [Broadcast]

     Your-IP 70.112.255.149

     Gateway-IP 10.65.192.1

     Client-Ethernet-Address 00:0f:66:8b:aa:20 [|bootp]

22:37:35.927336 arp who-has 70.112.241.126 tell 70.112.224.1

22:37:35.954418 arp who-has 70.112.240.219 tell 70.112.224.1

22:37:36.183379 arp who-has 70.112.231.115 tell 70.112.224.1

22:37:36.218011 arp who-has 70.112.229.198 tell 70.112.224.1

22:37:36.299193 arp who-has 70.112.240.0 tell 70.112.224.1

22:37:36.351120 arp who-has 72.177.54.38 tell 72.177.48.1

22:37:36.507503 arp who-has 70.112.248.1 tell 70.112.224.1

22:37:36.508196 arp who-has 70.112.248.3 tell 70.112.224.1

22:37:36.508853 arp who-has 70.112.248.5 tell 70.112.224.1

22:37:36.510147 arp who-has 70.112.248.6 tell 70.112.224.1

22:37:36.510838 arp who-has 70.112.248.10 tell 70.112.224.1

22:37:36.511842 arp who-has 70.112.248.12 tell 70.112.224.1

22:37:36.512881 arp who-has 70.112.248.13 tell 70.112.224.1

22:37:36.513147 arp who-has 70.112.248.14 tell 70.112.224.1

22:37:36.513589 arp who-has 70.112.248.15 tell 70.112.224.1

22:37:36.514050 arp who-has 70.112.248.17 tell 70.112.224.1

22:37:36.515356 arp who-has 70.112.248.19 tell 70.112.224.1

22:37:36.516012 arp who-has 70.112.248.18 tell 70.112.224.1

22:37:36.516474 arp who-has 70.112.248.20 tell 70.112.224.1

22:37:36.516746 arp who-has 70.112.248.22 tell 70.112.224.1

22:37:36.518011 arp who-has 70.112.248.23 tell 70.112.224.1

22:37:36.519073 arp who-has 70.112.248.25 tell 70.112.224.1

22:37:36.520595 arp who-has 70.112.248.27 tell 70.112.224.1

22:37:36.521302 arp who-has 70.112.248.28 tell 70.112.224.1

22:37:36.521569 arp who-has 70.112.248.33 tell 70.112.224.1

22:37:36.522753 arp who-has 70.112.248.41 tell 70.112.224.1

22:37:36.523020 arp who-has 70.112.248.46 tell 70.112.224.1

22:37:36.523459 arp who-has 70.112.248.47 tell 70.112.224.1

22:37:36.524977 arp who-has 70.112.248.52 tell 70.112.224.1

22:37:36.526331 arp who-has 70.112.248.55 tell 70.112.224.1

22:37:36.526788 arp who-has 70.112.248.57 tell 70.112.224.1

22:37:36.527246 arp who-has 70.112.248.58 tell 70.112.224.1

22:37:36.527518 arp who-has 70.112.248.60 tell 70.112.224.1

22:37:36.527957 arp who-has 70.112.248.66 tell 70.112.224.1

22:37:36.530709 arp who-has 70.112.248.67 tell 70.112.224.1

22:37:36.531171 arp who-has 70.112.248.69 tell 70.112.224.1

22:37:36.532710 arp who-has 70.112.248.73 tell 70.112.224.1

22:37:36.534337 arp who-has 70.112.248.74 tell 70.112.224.1

22:37:36.534605 arp who-has 70.112.248.75 tell 70.112.224.1

22:37:36.534779 arp who-has 70.112.248.78 tell 70.112.224.1

22:37:36.535467 arp who-has 70.112.248.79 tell 70.112.224.1

22:37:36.536163 arp who-has 70.112.248.81 tell 70.112.224.1

22:37:36.537317 arp who-has 70.112.248.82 tell 70.112.224.1

22:37:36.538090 arp who-has 70.112.248.85 tell 70.112.224.1

22:37:36.538358 arp who-has 70.112.248.86 tell 70.112.224.1

22:37:36.539868 arp who-has 70.112.248.87 tell 70.112.224.1

22:37:36.540136 arp who-has 70.112.248.88 tell 70.112.224.1

22:37:36.540947 arp who-has 70.112.248.89 tell 70.112.224.1

22:37:36.541215 arp who-has 70.112.248.90 tell 70.112.224.1

22:37:36.543311 arp who-has 70.112.248.91 tell 70.112.224.1

22:37:36.543578 arp who-has 70.112.248.94 tell 70.112.224.1

22:37:36.544015 arp who-has 70.112.248.93 tell 70.112.224.1

22:37:36.544723 arp who-has 70.112.248.96 tell 70.112.224.1

22:37:36.544990 arp who-has 70.112.248.95 tell 70.112.224.1

22:37:36.546329 arp who-has 70.112.248.97 tell 70.112.224.1

22:37:36.546787 arp who-has 70.112.248.98 tell 70.112.224.1

22:37:36.547439 arp who-has 70.112.248.99 tell 70.112.224.1

22:37:36.548094 arp who-has 70.112.248.101 tell 70.112.224.1

22:37:36.548363 arp who-has 70.112.248.102 tell 70.112.224.1

22:37:36.548804 arp who-has 70.112.248.105 tell 70.112.224.1

22:37:36.549103 arp who-has 70.112.248.108 tell 70.112.224.1

22:37:36.549783 arp who-has 70.112.248.109 tell 70.112.224.1

22:37:36.550050 arp who-has 70.112.248.111 tell 70.112.224.1

22:37:36.550839 arp who-has 70.112.248.114 tell 70.112.224.1

22:37:36.551108 arp who-has 70.112.248.118 tell 70.112.224.1

22:37:36.551281 arp who-has 70.112.248.123 tell 70.112.224.1

22:37:36.551455 arp who-has 70.112.248.125 tell 70.112.224.1

22:37:36.552443 arp who-has 70.112.248.124 tell 70.112.224.1

22:37:36.552905 arp who-has 70.112.248.126 tell 70.112.224.1

22:37:36.553563 arp who-has 70.112.248.127 tell 70.112.224.1

22:37:36.554563 arp who-has 70.112.248.128 tell 70.112.224.1

22:37:36.554831 arp who-has 70.112.248.129 tell 70.112.224.1

22:37:36.555280 arp who-has 70.112.248.131 tell 70.112.224.1

22:37:36.555552 arp who-has 70.112.248.134 tell 70.112.224.1

22:37:36.555727 arp who-has 70.112.248.138 tell 70.112.224.1

22:37:36.555900 arp who-has 70.112.248.140 tell 70.112.224.1

22:37:36.557285 arp who-has 70.112.248.143 tell 70.112.224.1

22:37:36.557552 arp who-has 70.112.248.145 tell 70.112.224.1

22:37:36.557727 arp who-has 70.112.248.146 tell 70.112.224.1

22:37:36.557905 arp who-has 70.112.248.147 tell 70.112.224.1

22:37:36.558076 arp who-has 70.112.248.148 tell 70.112.224.1

22:37:36.558251 arp who-has 70.112.248.150 tell 70.112.224.1

22:37:36.558422 arp who-has 70.112.248.149 tell 70.112.224.1

22:37:36.559354 arp who-has 70.112.248.154 tell 70.112.224.1

22:37:36.560024 arp who-has 70.112.248.156 tell 70.112.224.1

22:37:36.560296 arp who-has 70.112.248.157 tell 70.112.224.1

22:37:36.560742 arp who-has 70.112.248.160 tell 70.112.224.1

22:37:36.561404 arp who-has 70.112.248.162 tell 70.112.224.1

22:37:36.561671 arp who-has 70.112.248.163 tell 70.112.224.1

22:37:36.561845 arp who-has 70.112.248.164 tell 70.112.224.1

22:37:36.562019 arp who-has 70.112.248.165 tell 70.112.224.1

22:37:36.562925 arp who-has 70.112.248.166 tell 70.112.224.1

22:37:36.563929 arp who-has 70.112.248.168 tell 70.112.224.1

22:37:36.564197 arp who-has 70.112.248.173 tell 70.112.224.1

22:37:36.564370 arp who-has 70.112.248.175 tell 70.112.224.1

22:37:36.564835 arp who-has 70.112.248.177 tell 70.112.224.1

22:37:36.565107 arp who-has 70.112.248.180 tell 70.112.224.1

22:37:36.565284 arp who-has 70.112.248.181 tell 70.112.224.1

22:37:36.565944 arp who-has 70.112.248.182 tell 70.112.224.1

22:37:36.566215 arp who-has 70.112.248.183 tell 70.112.224.1

22:37:36.566659 arp who-has 70.112.248.185 tell 70.112.224.1

22:37:36.567120 arp who-has 70.112.248.184 tell 70.112.224.1

22:37:36.568749 arp who-has 70.112.248.187 tell 70.112.224.1

22:37:36.569253 arp who-has 70.112.248.191 tell 70.112.224.1

22:37:36.569714 arp who-has 70.112.248.193 tell 70.112.224.1

22:37:36.570798 arp who-has 70.112.248.195 tell 70.112.224.1

22:37:36.571071 arp who-has 70.112.248.196 tell 70.112.224.1

22:37:36.571246 arp who-has 70.112.248.199 tell 70.112.224.1

22:37:36.572103 arp who-has 70.112.248.200 tell 70.112.224.1

22:37:36.572370 arp who-has 70.112.248.201 tell 70.112.224.1

22:37:36.572545 arp who-has 70.112.248.203 tell 70.112.224.1

22:37:36.573517 arp who-has 70.112.248.205 tell 70.112.224.1

22:37:36.573786 arp who-has 70.112.248.208 tell 70.112.224.1

22:37:36.574429 arp who-has 70.112.248.209 tell 70.112.224.1

22:37:36.575127 arp who-has 70.112.248.212 tell 70.112.224.1

22:37:36.575394 arp who-has 70.112.248.213 tell 70.112.224.1

22:37:36.575569 arp who-has 70.112.248.214 tell 70.112.224.1

22:37:36.575745 arp who-has 70.112.248.218 tell 70.112.224.1

22:37:36.576464 arp who-has 70.112.248.217 tell 70.112.224.1

22:37:36.577496 arp who-has 70.112.248.223 tell 70.112.224.1

22:37:36.577762 arp who-has 70.112.248.224 tell 70.112.224.1

22:37:36.578207 arp who-has 70.112.248.227 tell 70.112.224.1

22:37:36.706886 arp who-has 72.177.51.144 tell 72.177.48.1

22:37:36.878466 arp who-has 70.112.243.145 tell 70.112.224.1

22:37:37.013576 arp who-has 70.112.253.116 tell 70.112.224.1

22:37:37.023865 arp who-has 72.180.197.29 tell 72.180.192.1

22:37:37.041072 arp who-has 70.112.239.237 tell 70.112.224.1

22:37:37.242141 arp who-has 70.112.252.49 tell 70.112.224.1

22:37:37.402135 arp who-has 70.112.243.59 tell 70.112.224.1

22:37:37.492726 arp who-has 70.112.254.0 tell 70.112.224.1

22:37:37.880484 arp who-has 70.112.251.246 tell 70.112.224.1

22:37:37.906811 arp who-has 72.177.51.79 tell 72.177.48.1

22:37:37.982995 arp who-has 70.112.233.173 tell 70.112.224.1

22:37:37.986197 arp who-has 63.246.181.47 tell 63.246.181.1

22:37:38.159263 arp who-has 70.112.254.248 tell 70.112.224.1

22:37:38.174144 arp who-has 70.112.240.79 tell 70.112.224.1

22:37:38.328353 arp who-has 70.112.229.237 tell 70.112.224.1

22:37:38.328854 arp who-has 67.79.118.75 tell 67.79.118.65

22:37:38.438873 arp who-has 70.112.235.67 tell 70.112.224.1

22:37:38.439185 arp who-has 70.112.253.46 tell 70.112.224.1

22:37:38.463148 IP (tos 0x0, ttl 255, id 1571, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x2e377390, Flags [Broadcast]

     Your-IP 72.177.49.244

     Gateway-IP 10.65.192.1

     Client-Ethernet-Address 00:0c:41:41:22:47 [|bootp]

22:37:38.529935 arp who-has 70.112.224.166 tell 70.112.224.1

22:37:38.590656 arp who-has 63.246.181.251 tell 63.246.181.1

22:37:38.760419 arp who-has 70.112.250.121 tell 70.112.224.1

22:37:38.859217 arp who-has 69.91.82.105 tell 69.91.82.1

22:37:38.882336 arp who-has 72.177.49.116 tell 72.177.48.1

22:37:38.918948 arp who-has 70.112.255.235 tell 70.112.224.1

22:37:38.940336 arp who-has 70.112.255.58 tell 70.112.224.1

22:37:38.959536 arp who-has 72.180.196.63 tell 72.180.192.1

22:37:39.045405 arp who-has 70.112.230.210 tell 70.112.224.1

22:37:39.071132 arp who-has 70.112.232.226 tell 70.112.224.1

22:37:39.132284 arp who-has 67.79.119.52 tell 67.79.119.1

22:37:39.353674 arp who-has 70.112.246.220 tell 70.112.224.1

22:37:39.501726 arp who-has 63.246.181.135 tell 63.246.181.1

22:37:39.578750 arp who-has 70.112.245.109 tell 70.112.224.1

22:37:39.736447 arp who-has 70.112.244.6 tell 70.112.224.1

22:37:39.890670 arp who-has 70.112.243.145 tell 70.112.224.1

22:37:39.950017 arp who-has 63.246.181.95 tell 63.246.181.1

22:37:40.043977 arp who-has 70.112.244.155 tell 70.112.224.1

22:37:40.078953 arp who-has 70.112.240.232 tell 70.112.224.1

22:37:40.095911 arp who-has 70.112.242.115 tell 70.112.224.1

22:37:40.174484 arp who-has 70.112.250.201 tell 70.112.224.1

22:37:40.210552 arp who-has 70.112.229.221 tell 70.112.224.1

22:37:40.542123 arp who-has 67.79.118.75 tell 67.79.118.65

22:37:40.559087 arp who-has 70.112.224.166 tell 70.112.224.1

22:37:40.623298 arp who-has 70.112.252.21 tell 70.112.224.1

22:37:40.790652 arp who-has 70.112.227.70 tell 70.112.224.1

22:37:41.127406 arp who-has 72.177.50.251 tell 72.177.48.1

22:37:41.131534 arp who-has 72.177.55.133 tell 72.177.48.1

22:37:41.133508 arp who-has 70.112.255.58 tell 70.112.224.1

22:37:41.136363 arp who-has 67.79.119.52 tell 67.79.119.1

22:37:41.173298 arp who-has 69.91.82.99 tell 69.91.82.1

22:37:41.173568 arp who-has 70.112.240.79 tell 70.112.224.1

22:37:41.229998 arp who-has 70.112.253.170 tell 70.112.224.1

22:37:41.243901 arp who-has 70.112.251.239 tell 70.112.224.1

22:37:41.261206 arp who-has 70.112.253.56 tell 70.112.224.1

22:37:41.319564 arp who-has 72.177.49.133 tell 72.177.48.1

22:37:41.491938 arp who-has 70.112.230.210 tell 70.112.224.1

22:37:41.584431 arp who-has 70.112.249.134 tell 70.112.224.1

22:37:41.649839 arp who-has 72.177.51.79 tell 72.177.48.1

22:37:41.766213 arp who-has 70.112.229.237 tell 70.112.224.1

22:37:41.820010 arp who-has 70.112.250.154 tell 70.112.224.1

22:37:41.846126 arp who-has 70.112.250.121 tell 70.112.224.1

22:37:41.860006 arp who-has 70.112.236.189 tell 70.112.224.1

22:37:41.918750 arp who-has 70.112.242.206 tell 70.112.224.1

22:37:41.934313 arp who-has 70.112.255.235 tell 70.112.224.1

22:37:42.055490 arp who-has 70.112.232.226 tell 70.112.224.1

22:37:42.229484 arp who-has 70.112.244.6 tell 70.112.224.1

22:37:42.352469 arp who-has 70.112.246.220 tell 70.112.224.1

22:37:42.367016 arp who-has 70.112.233.36 tell 70.112.224.1

22:37:42.372064 arp who-has 70.112.252.220 tell 70.112.224.1

22:37:42.433244 arp who-has 72.177.51.85 tell 72.177.48.1

22:37:42.485004 arp who-has 70.112.254.0 tell 70.112.224.1

22:37:42.655922 arp who-has 70.112.251.242 tell 70.112.224.1

22:37:42.946773 arp who-has 70.112.253.116 tell 70.112.224.1

22:37:42.964791 arp who-has 70.112.245.183 tell 70.112.224.1

22:37:43.107436 arp who-has 70.112.248.46 tell 70.112.224.1

22:37:43.162891 arp who-has 72.177.55.133 tell 72.177.48.1

22:37:43.193575 arp who-has 70.112.227.29 tell 70.112.224.1

22:37:43.234368 arp who-has 72.180.170.255 tell 72.180.168.1

22:37:43.486907 arp who-has 70.112.252.216 tell 70.112.224.1

22:37:43.567878 arp who-has 72.177.49.116 tell 72.177.48.1

22:37:43.627782 arp who-has 70.112.254.248 tell 70.112.224.1

22:37:43.945204 arp who-has 70.112.254.75 tell 70.112.224.1

22:37:44.191996 arp who-has 70.112.225.133 tell 70.112.224.1

22:37:44.238247 arp who-has 72.177.50.136 tell 72.177.48.1

22:37:44.247048 arp who-has 70.112.253.170 tell 70.112.224.1

22:37:44.254266 arp who-has 70.112.255.235 tell 70.112.224.1

22:37:44.433067 arp who-has 70.112.235.67 tell 70.112.224.1

22:37:44.526416 arp who-has 70.112.230.156 tell 70.112.224.1

22:37:44.589845 arp who-has 70.112.224.166 tell 70.112.224.1

22:37:44.595932 arp who-has 63.246.181.196 tell 63.246.181.1

22:37:44.794475 arp who-has 70.112.250.37 tell 70.112.224.1

22:37:44.807528 IP (tos 0x0, ttl 255, id 1658, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x62edbea0, Flags [Broadcast]

     Your-IP 70.112.255.149

     Gateway-IP 10.65.192.1

     Client-Ethernet-Address 00:0f:66:8b:aa:20 [|bootp]

22:37:44.828708 arp who-has 70.112.254.216 tell 70.112.224.1

22:37:44.857766 arp who-has 70.112.236.189 tell 70.112.224.1

22:37:44.982333 arp who-has 70.112.251.199 tell 70.112.224.1

22:37:45.070734 arp who-has 70.112.229.239 tell 70.112.224.1

22:37:45.105323 arp who-has 72.177.51.79 tell 72.177.48.1

22:37:45.198116 arp who-has 72.177.52.198 tell 72.177.48.1

22:37:45.198395 arp who-has 72.177.54.113 tell 72.177.48.1

22:37:45.262287 arp who-has 72.180.170.255 tell 72.180.168.1

22:37:45.532635 arp who-has 70.112.228.49 tell 70.112.224.1

22:37:45.718311 arp who-has 70.112.253.173 tell 70.112.224.1

22:37:45.759381 arp who-has 70.112.254.248 tell 70.112.224.1

22:37:45.810383 arp who-has 70.112.245.183 tell 70.112.224.1

22:37:45.875014 arp who-has 70.112.244.133 tell 70.112.224.1

22:37:45.887907 arp who-has 70.112.229.237 tell 70.112.224.1

22:37:45.900099 arp who-has 70.112.227.29 tell 70.112.224.1

22:37:45.923617 arp who-has 70.112.243.145 tell 70.112.224.1

22:37:46.070728 arp who-has 72.177.49.133 tell 72.177.48.1

22:37:46.171880 arp who-has 70.112.250.157 tell 70.112.224.1

22:37:46.420106 arp who-has 70.112.236.6 tell 70.112.224.1

22:37:46.536913 arp who-has 70.112.235.26 tell 70.112.224.1

22:37:46.573514 arp who-has 70.112.239.140 tell 70.112.224.1

22:37:46.681198 arp who-has 70.112.249.134 tell 70.112.224.1

22:37:46.711595 arp who-has 70.112.241.212 tell 70.112.224.1

22:37:46.967866 arp who-has 70.112.254.75 tell 70.112.224.1

22:37:47.011996 arp who-has 70.112.252.216 tell 70.112.224.1

22:37:47.132908 arp who-has 63.246.181.179 tell 63.246.181.1

22:37:47.138250 arp who-has 72.177.55.133 tell 72.177.48.1

22:37:47.157612 arp who-has 70.112.240.79 tell 70.112.224.1

22:37:47.274359 IP (tos 0x0, ttl 255, id 1729, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x2e377390, Flags [Broadcast]

     Your-IP 72.177.49.244

     Gateway-IP 10.65.192.1

     Client-Ethernet-Address 00:0c:41:41:22:47 [|bootp]

22:37:47.311534 arp who-has 70.112.230.210 tell 70.112.224.1

22:37:47.486277 arp who-has 72.177.51.79 tell 72.177.48.1

22:37:47.486773 arp who-has 70.112.254.0 tell 70.112.224.1

22:37:47.493725 arp who-has 70.112.251.238 tell 70.112.224.1

22:37:47.515980 arp who-has 70.112.250.37 tell 70.112.224.1

22:37:47.845885 arp who-has 70.112.255.235 tell 70.112.224.1

22:37:47.943238 arp who-has 70.112.234.254 tell 70.112.224.1

22:37:48.176510 arp who-has 72.177.49.116 tell 72.177.48.1
```

Now, the curious thing about this output is, none of the IP addresses (IPv4, anyway) shown above are (or even have been, since I started keeping track) the IP address of my machine (which has changed again today). What the hell??

Could my problem have anything to do with ARP spoofing?

Apparently, there's a limit on the length of posts here, so I'll post the rest in separate messages...

 - dcljr
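
One way to triage `tcpdump -r ~/noise.pcap -v -n` text like the output above, as an added example that is not part of the original posts: it counts ARP requests per requesting gateway, groups DHCP replies by transaction id, and lists only the packets that actually name the local address. The helper name `summarize` is hypothetical and the local address `192.0.2.10` is a placeholder, since the poster's address is not given.

```python
import re
from collections import Counter

# Excerpt of the tcpdump text output posted above (blank lines are tolerated,
# so the double-spaced forum paste can be fed in unchanged).
SAMPLE = """\
22:37:35.749298 arp who-has 70.112.229.102 tell 70.112.224.1
22:37:35.758308 arp who-has 72.177.52.198 tell 72.177.48.1
22:37:35.903982 IP (tos 0x0, ttl 255, id 1433, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x62edbea0, Flags [Broadcast]
     Your-IP 70.112.255.149
     Gateway-IP 10.65.192.1
     Client-Ethernet-Address 00:0f:66:8b:aa:20 [|bootp]
22:37:35.927336 arp who-has 70.112.241.126 tell 70.112.224.1
22:37:38.463148 IP (tos 0x0, ttl 255, id 1571, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x2e377390, Flags [Broadcast]
     Your-IP 72.177.49.244
     Gateway-IP 10.65.192.1
     Client-Ethernet-Address 00:0c:41:41:22:47 [|bootp]
22:37:44.807528 IP (tos 0x0, ttl 255, id 1658, offset 0, flags [none], proto UDP (17), length 328) 10.65.192.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x62edbea0, Flags [Broadcast]
     Your-IP 70.112.255.149
     Gateway-IP 10.65.192.1
     Client-Ethernet-Address 00:0f:66:8b:aa:20 [|bootp]
"""

ARP_RE = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)")
IP_RE = re.compile(
    r"^\S+ IP \(.*?length \d+\) "
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$"
)
XID_RE = re.compile(r"xid (0x[0-9a-f]+)")
FIELD_RE = re.compile(r"^\s+(Your-IP|Client-Ethernet-Address) (\S+)")


def summarize(text, local_ip):
    """Classify tcpdump text lines and list the packets that name local_ip."""
    arp_by_requester = Counter()  # "tell" address -> number of who-has requests
    dhcp = {}                     # xid -> details of one DHCP transaction
    for_us = []                   # (kind, peer) for packets that concern local_ip
    other_ip = unparsed = 0
    current = None                # DHCP record that indented lines belong to

    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented continuation of the previous packet (Your-IP, ...).
            field = FIELD_RE.match(line)
            if field and current is not None:
                current[field.group(1)] = field.group(2)
            continue
        current = None
        arp = ARP_RE.match(line)
        if arp:
            target, requester = arp.groups()
            arp_by_requester[requester] += 1
            if target == local_ip:
                for_us.append(("arp-request", requester))
            continue
        ip = IP_RE.match(line)
        if not ip:
            unparsed += 1
            continue
        src, sport, dst, dport, rest = ip.groups()
        xid = XID_RE.search(rest)
        if (sport, dport) == ("67", "68") and xid:
            # Server-to-client BOOTP/DHCP; a repeated xid is a retransmission.
            current = dhcp.setdefault(
                xid.group(1), {"server": src, "dst": dst, "count": 0})
            current["count"] += 1
        else:
            other_ip += 1
            if dst == local_ip:
                for_us.append(("unicast", src))

    for xid, rec in dhcp.items():
        if rec.get("Your-IP") == local_ip:
            for_us.append(("dhcp-reply", xid))
    return {"arp_by_requester": arp_by_requester, "dhcp": dhcp,
            "for_us": for_us, "other_ip": other_ip, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE, "192.0.2.10")  # placeholder local address
    for requester, n in report["arp_by_requester"].most_common():
        print(f"ARP who-has from {requester}: {n}")
    for xid, rec in report["dhcp"].items():
        print(f"DHCP reply xid {xid} x{rec['count']} from {rec['server']} "
              f"for {rec.get('Client-Ethernet-Address')}")
    print("packets naming this host:", report["for_us"] or "none")
```

An empty `for_us` list means every captured frame was a broadcast meant for other hosts on the same segment.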

----------

## dcljr

[continued...]

For good measure, here's some other stuff people suggested I check...

The command `netstat -npt` didn't return anything useful (my version of the program doesn't appear to have the "t" option), so here's `netstat -a`, instead:

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 <host>.<domain>:ipp        *:*                     LISTEN
tcp        0      0 <host>.<domain>:ipp        *:*                     LISTEN
udp        0      0 *:32768                 *:*
udp        0      0 *:mdns                  *:*
udp        0      0 *:ipp                   *:*
udp        0      0 *:32769                 *:*
udp        0      0 *:mdns                  *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     7938   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     7699   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     7724   /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     6350   @/var/run/hald/dbus-sHNuzE9yCS
unix  2      [ ]         DGRAM                    1624   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     6353   @/var/run/hald/dbus-Mxqevx2SZJ
unix  2      [ ACC ]     STREAM     LISTENING     6242   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7623   /var/run/gdm_socket
unix  2      [ ]         DGRAM                    6363   @/org/freedesktop/hal/udev_event
unix  7      [ ]         DGRAM                    6101   /dev/log
unix  2      [ ]         DGRAM                    8309
unix  3      [ ]         STREAM     CONNECTED     8298   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     8297
unix  3      [ ]         STREAM     CONNECTED     8250   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     8249
unix  2      [ ]         DGRAM                    8051
unix  2      [ ]         DGRAM                    7812
unix  3      [ ]         STREAM     CONNECTED     7811   /var/run/avahi-daemon/socket
unix  3      [ ]         STREAM     CONNECTED     7810
unix  3      [ ]         STREAM     CONNECTED     7727   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7726
unix  3      [ ]         STREAM     CONNECTED     7721
unix  3      [ ]         STREAM     CONNECTED     7720
unix  2      [ ]         DGRAM                    7718
unix  3      [ ]         STREAM     CONNECTED     8238   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     7709
unix  2      [ ]         DGRAM                    7403
unix  3      [ ]         STREAM     CONNECTED     6934   @/var/run/hald/dbus-sHNuzE9yCS
unix  3      [ ]         STREAM     CONNECTED     6933
unix  3      [ ]         STREAM     CONNECTED     6932   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     6931
unix  3      [ ]         STREAM     CONNECTED     6851   @/var/run/hald/dbus-sHNuzE9yCS
unix  3      [ ]         STREAM     CONNECTED     6850
unix  3      [ ]         STREAM     CONNECTED     6839   @/var/run/hald/dbus-sHNuzE9yCS
unix  3      [ ]         STREAM     CONNECTED     6702
unix  3      [ ]         STREAM     CONNECTED     6358   @/var/run/hald/dbus-Mxqevx2SZJ
unix  3      [ ]         STREAM     CONNECTED     6357
unix  3      [ ]         STREAM     CONNECTED     6352   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     6351
unix  3      [ ]         STREAM     CONNECTED     6245
unix  3      [ ]         STREAM     CONNECTED     6244
unix  3      [ ]         STREAM     CONNECTED     6106
unix  3      [ ]         STREAM     CONNECTED     6105
unix  3      [ ]         STREAM     CONNECTED     6104
unix  3      [ ]         STREAM     CONNECTED     6103
```

The strings "<host>" and "<domain>" in the first two lines above (after the headers) were added by me in place of my chosen machine name and domain name, as specified in /etc/conf.d/hostname and /etc/conf.d/hostname, respectively. Same thing applies to the following output. I've also edited my current IP address, as will be obvious in the below output.

Here's lsof -i:

```
COMMAND    PID  USER   FD   TYPE DEVICE SIZE NODE NAME
avahi-dae 5293 avahi   14u  IPv4   7728       UDP *:mdns
avahi-dae 5293 avahi   15u  IPv6   7747       UDP *:mdns
avahi-dae 5293 avahi   16u  IPv4   7748       UDP *:32768
avahi-dae 5293 avahi   17u  IPv6   7749       UDP *:32769
cupsd     5405  root    3u  IPv4   7936       TCP <host>.<domain>:ipp (LISTEN)
cupsd     5405  root    4u  IPv6   7937       TCP <host>.<domain>:ipp (LISTEN)
cupsd     5405  root    6u  IPv4   7940       UDP *:ipp
```

I'll post the much, much longer output of just lsof separately.

Finally, here's the contents of /var/log/everything/current, with much irrelevant dmesg-type output removed:

```
Aug 24 22:34:58 [kernel] Linux version 2.6.18-gentoo-r6tweak (root@<host>) (gcc version 4.1.1 (Gentoo 4.1.1-r1)) #3 Fri Jan 12 07:25:12 CST 2007
<snip>
Aug 24 22:34:59 [kernel] NET: Registered protocol family 16
<snip>
Aug 24 22:34:59 [kernel] NET: Registered protocol family 2
Aug 24 22:34:59 [kernel] IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
Aug 24 22:34:59 [kernel] TCP established hash table entries: 131072 (order: 7, 524288 bytes)
Aug 24 22:34:59 [kernel] TCP bind hash table entries: 65536 (order: 6, 262144 bytes)
Aug 24 22:34:59 [kernel] TCP: Hash tables configured (established 131072 bind 65536)
Aug 24 22:34:59 [kernel] TCP reno registered
<snip>
Aug 24 22:34:59 [kernel] via-rhine.c:v1.10-LK1.4.1 July-24-2006 Written by Donald Becker
<snip>
Aug 24 22:34:59 [kernel] eth0: VIA Rhine II at 0xeb001000, 00:0f:ea:fb:03:7a, IRQ 17.
Aug 24 22:34:59 [kernel] eth0: MII PHY found at address 1, status 0x786d advertising 05e1 Link 45e1.
<snip>
Aug 24 22:34:59 [kernel] TCP bic registered
Aug 24 22:34:59 [kernel] Initializing IPsec netlink socket
Aug 24 22:34:59 [kernel] NET: Registered protocol family 1
Aug 24 22:34:59 [kernel] NET: Registered protocol family 17
Aug 24 22:34:59 [kernel] NET: Registered protocol family 15
<snip>
Aug 24 22:35:01 [kernel] eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
Aug 24 22:35:02 [rc-scripts] Configuration not set for eth0 - assuming DHCP
Aug 24 22:35:02 [dhcpcd] eth0: dhcpcd 3.2.3 starting
Aug 24 22:35:02 [dhcpcd] eth0: hardware address = 00:0f:ea:fb:03:7a
Aug 24 22:35:02 [dhcpcd] eth0: DUID = 00:01:00:01:0e:e3:54:1b:00:0f:ea:fb:03:7a
Aug 24 22:35:02 [dhcpcd] eth0: broadcasting for a lease
Aug 24 22:35:02 [dhcpcd] eth0: offered 72.<snip>.<snip>.<snip> from 10.65.192.1
Aug 24 22:35:03 [dhcpcd] eth0: checking 72.<snip>.<snip>.<snip> is available on attached networks
Aug 24 22:35:04 [dhcpcd] eth0: leased 72.<snip>.<snip>.<snip> for 3600 seconds
Aug 24 22:35:04 [dhcpcd] eth0: adding IP address 72.<snip>.<snip>.<snip>/21
Aug 24 22:35:04 [dhcpcd] eth0: adding default route via 72.177.48.1 metric 0
Aug 24 22:35:04 [dhcpcd] eth0: exiting
Aug 24 22:35:06 [avahi-daemon] Found user 'avahi' (UID 103) and group 'avahi' (GID 1005).
Aug 24 22:35:06 [avahi-daemon] Successfully dropped root privileges.
Aug 24 22:35:06 [avahi-daemon] avahi-daemon 0.6.22 starting up.
Aug 24 22:35:06 [avahi-daemon] WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Aug 24 22:35:06 [avahi-daemon] Successfully called chroot().
Aug 25 03:35:06 [avahi-daemon] Successfully dropped remaining capabilities.
Aug 25 03:35:06 [avahi-daemon] Loading service file /services/sftp-ssh.service.
Aug 25 03:35:06 [avahi-daemon] Loading service file /services/ssh.service.
Aug 24 22:35:06 [kernel] NET: Registered protocol family 10
Aug 24 22:35:06 [kernel] lo: Disabled Privacy Extensions
Aug 24 22:35:06 [kernel] IPv6 over IPv4 tunneling driver
Aug 25 03:35:06 [avahi-daemon] Joining mDNS multicast group on interface eth0.IPv4 with address 72.<snip>.<snip>.<snip>.
Aug 25 03:35:06 [avahi-daemon] New relevant interface eth0.IPv4 for mDNS.
Aug 25 03:35:06 [avahi-daemon] Network interface enumeration completed.
Aug 25 03:35:06 [avahi-daemon] Registering new address record for 72.<snip>.<snip>.<snip> on eth0.IPv4.
Aug 25 03:35:06 [avahi-daemon] Registering HINFO record with values 'I686'/'LINUX'.
Aug 24 22:35:06 [avahi-dnsconfd] Successfully connected to Avahi daemon.
Aug 25 03:35:07 [avahi-daemon] Server startup complete. Host name is <host>.local. Local service cookie is 2578007394.
Aug 25 03:35:08 [avahi-daemon] Service "<host>" (/services/ssh.service) successfully established.
Aug 25 03:35:08 [avahi-daemon] Service "SFTP File Transfer on <host>" (/services/sftp-ssh.service) successfully established.
Aug 24 22:35:08 [cron] (CRON) STARTUP (V5.0)
Aug 24 22:35:21 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug 24 22:35:21 [login] ROOT LOGIN  on 'tty1'
```

Okay... why do I need Avahi-provided SSH and SFTP services, seeing as how I've already disabled sshd to prevent login attempts on my machine?

 - dcljr
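Added example, not part of the original post: this cross-checks the service files that avahi-daemon reports loading against the sockets in the `lsof -i` output, to list services that are announced over mDNS with nothing listening behind them, and to show which sockets are bound to every interface. It assumes the stock Avahi `ssh.service` and `sftp-ssh.service` files, which both advertise TCP port 22; the `ASSUMED_PORTS` table and the function names are hypothetical.

```python
import re

# Copied from the `lsof -i` output in the post.
LSOF_I = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE NODE NAME
avahi-dae 5293 avahi   14u  IPv4   7728       UDP *:mdns
avahi-dae 5293 avahi   15u  IPv6   7747       UDP *:mdns
avahi-dae 5293 avahi   16u  IPv4   7748       UDP *:32768
avahi-dae 5293 avahi   17u  IPv6   7749       UDP *:32769
cupsd     5405  root    3u  IPv4   7936       TCP <host>.<domain>:ipp (LISTEN)
cupsd     5405  root    4u  IPv6   7937       TCP <host>.<domain>:ipp (LISTEN)
cupsd     5405  root    6u  IPv4   7940       UDP *:ipp
"""

# Copied from the log excerpt in the post.
AVAHI_LOG = """\
Aug 25 03:35:06 [avahi-daemon] Loading service file /services/sftp-ssh.service.
Aug 25 03:35:06 [avahi-daemon] Loading service file /services/ssh.service.
"""

# Assumption: the stock Avahi service files, which advertise TCP port 22.
# lsof may print the port by name ("ssh") or by number ("22").
ASSUMED_PORTS = {
    "ssh.service": ("TCP", {"ssh", "22"}),
    "sftp-ssh.service": ("TCP", {"ssh", "22"}),
}


def listeners(lsof_text):
    """Return (command, proto, address, port) for sockets accepting traffic."""
    found = []
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if t in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(tok):
            continue
        proto, name = tok[idx], tok[idx + 1]
        state = tok[idx + 2] if len(tok) > idx + 2 else ""
        if "->" in name:                             # connected, not listening
            continue
        if proto == "TCP" and state != "(LISTEN)":
            continue
        addr, _, port = name.rpartition(":")
        found.append((tok[0], proto, addr, port))
    return found


def wildcard_bound(lsof_text):
    """Sockets bound to '*', i.e. reachable on every interface."""
    return sorted({(p, port) for _, p, addr, port in listeners(lsof_text)
                   if addr == "*"})


def advertised_without_listener(avahi_log, lsof_text):
    """Service files Avahi loaded whose advertised port has no listener."""
    open_ports = {(proto, port) for _, proto, _, port in listeners(lsof_text)}
    stale = []
    for path in re.findall(r"Loading service file (\S+?)\.$", avahi_log, re.M):
        expected = ASSUMED_PORTS.get(path.rsplit("/", 1)[-1])
        if expected is None:
            continue                                 # unknown file: no port to check
        proto, ports = expected
        if not any((proto, p) in open_ports for p in ports):
            stale.append(path)
    return stale


if __name__ == "__main__":
    print("bound to all interfaces:", wildcard_bound(LSOF_I))
    print("advertised, nothing listening:",
          advertised_without_listener(AVAHI_LOG, LSOF_I))
```
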

----------

## dcljr

[continued...]

Here's the much, much longer output of just lsof, split over two posts:

```
COMMAND    PID       USER   FD      TYPE     DEVICE    SIZE       NODE NAME

init         1       root  cwd       DIR       3,67    4096          2 /

init         1       root  rtd       DIR       3,67    4096          2 /

init         1       root  txt       REG       3,67   35000     146928 /sbin/init

init         1       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

init         1       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

init         1       root   10u     FIFO       0,12               3728 /dev/initctl

ksoftirqd    2       root  cwd       DIR       3,67    4096          2 /

ksoftirqd    2       root  rtd       DIR       3,67    4096          2 /

ksoftirqd    2       root  txt   unknown                               /proc/2/exe

events/0     3       root  cwd       DIR       3,67    4096          2 /

events/0     3       root  rtd       DIR       3,67    4096          2 /

events/0     3       root  txt   unknown                               /proc/3/exe

khelper      4       root  cwd       DIR       3,67    4096          2 /

khelper      4       root  rtd       DIR       3,67    4096          2 /

khelper      4       root  txt   unknown                               /proc/4/exe

kthread      5       root  cwd       DIR       3,67    4096          2 /

kthread      5       root  rtd       DIR       3,67    4096          2 /

kthread      5       root  txt   unknown                               /proc/5/exe

kblockd/0    8       root  cwd       DIR       3,67    4096          2 /

kblockd/0    8       root  rtd       DIR       3,67    4096          2 /

kblockd/0    8       root  txt   unknown                               /proc/8/exe

kacpid       9       root  cwd       DIR       3,67    4096          2 /

kacpid       9       root  rtd       DIR       3,67    4096          2 /

kacpid       9       root  txt   unknown                               /proc/9/exe

kseriod     94       root  cwd       DIR       3,67    4096          2 /

kseriod     94       root  rtd       DIR       3,67    4096          2 /

kseriod     94       root  txt   unknown                               /proc/94/exe

kgameport   95       root  cwd       DIR       3,67    4096          2 /

kgameport   95       root  rtd       DIR       3,67    4096          2 /

kgameport   95       root  txt   unknown                               /proc/95/exe

khubd       98       root  cwd       DIR       3,67    4096          2 /

khubd       98       root  rtd       DIR       3,67    4096          2 /

khubd       98       root  txt   unknown                               /proc/98/exe

pdflush    165       root  cwd       DIR       3,67    4096          2 /

pdflush    165       root  rtd       DIR       3,67    4096          2 /

pdflush    165       root  txt   unknown                               /proc/165/exe

pdflush    166       root  cwd       DIR       3,67    4096          2 /

pdflush    166       root  rtd       DIR       3,67    4096          2 /

pdflush    166       root  txt   unknown                               /proc/166/exe

kswapd0    167       root  cwd       DIR       3,67    4096          2 /

kswapd0    167       root  rtd       DIR       3,67    4096          2 /

kswapd0    167       root  txt   unknown                               /proc/167/exe

aio/0      168       root  cwd       DIR       3,67    4096          2 /

aio/0      168       root  rtd       DIR       3,67    4096          2 /

aio/0      168       root  txt   unknown                               /proc/168/exe

vesafb     272       root  cwd       DIR       3,67    4096          2 /

vesafb     272       root  rtd       DIR       3,67    4096          2 /

vesafb     272       root  txt   unknown                               /proc/272/exe

kpsmoused  303       root  cwd       DIR       3,67    4096          2 /

kpsmoused  303       root  rtd       DIR       3,67    4096          2 /

kpsmoused  303       root  txt   unknown                               /proc/303/exe

ata/0      356       root  cwd       DIR       3,67    4096          2 /

ata/0      356       root  rtd       DIR       3,67    4096          2 /

ata/0      356       root  txt   unknown                               /proc/356/exe

ata_aux    357       root  cwd       DIR       3,67    4096          2 /

ata_aux    357       root  rtd       DIR       3,67    4096          2 /

ata_aux    357       root  txt   unknown                               /proc/357/exe

scsi_eh_0  359       root  cwd       DIR       3,67    4096          2 /

scsi_eh_0  359       root  rtd       DIR       3,67    4096          2 /

scsi_eh_0  359       root  txt   unknown                               /proc/359/exe

scsi_eh_1  360       root  cwd       DIR       3,67    4096          2 /

scsi_eh_1  360       root  rtd       DIR       3,67    4096          2 /

scsi_eh_1  360       root  txt   unknown                               /proc/360/exe

kcryptd/0  408       root  cwd       DIR       3,67    4096          2 /

kcryptd/0  408       root  rtd       DIR       3,67    4096          2 /

kcryptd/0  408       root  txt   unknown                               /proc/408/exe

kmirrord  1062       root  cwd       DIR       3,67    4096          2 /

kmirrord  1062       root  rtd       DIR       3,67    4096          2 /

kmirrord  1062       root  txt   unknown                               /proc/1062/exe

kjournald 1504       root  cwd       DIR       3,67    4096          2 /

kjournald 1504       root  rtd       DIR       3,67    4096          2 /

kjournald 1504       root  txt   unknown                               /proc/1504/exe

udevd     2392       root  cwd       DIR       3,67    4096          2 /

udevd     2392       root  rtd       DIR       3,67    4096          2 /

udevd     2392       root  txt       REG       3,67   79516     148082 /sbin/udevd

udevd     2392       root  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

udevd     2392       root  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

udevd     2392       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

udevd     2392       root  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

udevd     2392       root  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

udevd     2392       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

udevd     2392       root    0u      CHR        1,3               1547 /dev/null

udevd     2392       root    1u      CHR        1,3               1547 /dev/null

udevd     2392       root    2u      CHR        1,3               1547 /dev/null

udevd     2392       root    3r      DIR        0,8       0        396 inotify

udevd     2392       root    4u     unix 0xdfc07de0               1624 socket

udevd     2392       root    5u     sock        0,4               1625 can't identify protocol

udevd     2392       root    6r     FIFO        0,5               1626 pipe

udevd     2392       root    7w     FIFO        0,5               1626 pipe

kjournald 2835       root  cwd       DIR       3,67    4096          2 /

kjournald 2835       root  rtd       DIR       3,67    4096          2 /

kjournald 2835       root  txt   unknown                               /proc/2835/exe

kjournald 2837       root  cwd       DIR       3,67    4096          2 /

kjournald 2837       root  rtd       DIR       3,67    4096          2 /

kjournald 2837       root  txt   unknown                               /proc/2837/exe

metalog   4520       root  cwd       DIR       3,67    4096          2 /

metalog   4520       root  rtd       DIR       3,67    4096          2 /

metalog   4520       root  txt       REG       3,67   23872     961538 /usr/sbin/metalog

metalog   4520       root  mem       REG       3,67   70264     877869 /lib/libz.so.1.2.3

metalog   4520       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

metalog   4520       root  mem       REG       3,67  156908     897834 /usr/lib/libpcre.so.0.0.1

metalog   4520       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

metalog   4520       root    0r      CHR        1,3               1547 /dev/null

metalog   4520       root    1w      CHR        1,3               1547 /dev/null

metalog   4520       root    2w      CHR        1,3               1547 /dev/null

metalog   4520       root    3u     unix 0xdfc07c60               6101 /dev/log

metalog   4520       root    4u     unix 0xdfc07ae0               6103 socket

metalog   4520       root    5u     unix 0xdfc07960               6104 socket

metalog   4520       root    6u     unix 0xdfc077e0               6105 socket

metalog   4520       root    7u     unix 0xdfc07660               6106 socket

metalog   4520       root    8w      REG       3,70   22759     890597 /var/log/everything/current

metalog   4520       root    9w      REG       3,70   22327     890576 /var/log/kernel/current

metalog   4520       root   10w      REG       3,70      45     890610 /var/log/crond/current

metalog   4520       root   11w      REG       3,70     140     890583 /var/log/telnet/current

metalog   4521       root  cwd       DIR       3,67    4096          2 /

metalog   4521       root  rtd       DIR       3,67    4096          2 /

metalog   4521       root  txt       REG       3,67   23872     961538 /usr/sbin/metalog

metalog   4521       root  mem       REG       3,67   70264     877869 /lib/libz.so.1.2.3

metalog   4521       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

metalog   4521       root  mem       REG       3,67  156908     897834 /usr/lib/libpcre.so.0.0.1

metalog   4521       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

metalog   4521       root    0r      CHR        1,3               1547 /dev/null

metalog   4521       root    1w      CHR        1,3               1547 /dev/null

metalog   4521       root    2w      CHR        1,3               1547 /dev/null

metalog   4521       root    3u     unix 0xdfc07c60               6101 /dev/log

metalog   4521       root    4u     unix 0xdfc07ae0               6103 socket

metalog   4521       root    5u     unix 0xdfc07960               6104 socket

dbus-daem 4579 messagebus  cwd       DIR       3,67    4096          2 /

dbus-daem 4579 messagebus  rtd       DIR       3,67    4096          2 /

dbus-daem 4579 messagebus  txt       REG       3,67  375152     896711 /usr/bin/dbus-daemon

dbus-daem 4579 messagebus  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

dbus-daem 4579 messagebus  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

dbus-daem 4579 messagebus  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

dbus-daem 4579 messagebus  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

dbus-daem 4579 messagebus  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

dbus-daem 4579 messagebus  mem       REG       3,67  126448     899831 /usr/lib/libexpat.so.1.5.2

dbus-daem 4579 messagebus  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

dbus-daem 4579 messagebus    0u      CHR        1,3               1547 /dev/null

dbus-daem 4579 messagebus    1u      CHR        1,3               1547 /dev/null

dbus-daem 4579 messagebus    2u      CHR        1,3               1547 /dev/null

dbus-daem 4579 messagebus    3u     unix 0xdfc074e0               6242 /var/run/dbus/system_bus_socket

dbus-daem 4579 messagebus    4u      CHR        1,3               1547 /dev/null

dbus-daem 4579 messagebus    5r      DIR        0,8       0        396 inotify

dbus-daem 4579 messagebus    6u     unix 0xdfc07360               6244 socket

dbus-daem 4579 messagebus    7u     unix 0xdfc071e0               6245 socket

dbus-daem 4579 messagebus    8u     unix 0xdfc5ec80               6352 /var/run/dbus/system_bus_socket

dbus-daem 4579 messagebus    9u     unix 0xe6f35ca0               6932 /var/run/dbus/system_bus_socket

dbus-daem 4579 messagebus   10u     unix 0xe66ee840               7727 /var/run/dbus/system_bus_socket

hald      4638  haldaemon  cwd       DIR       3,67    4096          2 /

hald      4638  haldaemon  rtd       DIR       3,67    4096          2 /

hald      4638  haldaemon  txt       REG       3,67  278216     963082 /usr/sbin/hald

hald      4638  haldaemon  mem       REG       3,70  148212     113480 /var/lib/cache/hald/fdi-cache

hald      4638  haldaemon  mem       REG       3,67  171840     976713 /usr/share/misc/usb.ids

hald      4638  haldaemon  mem       REG       3,67  462596     975577 /usr/share/misc/pci.ids

hald      4638  haldaemon  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67   25486     910348 /usr/lib/gconv/gconv-modules.cache

hald      4638  haldaemon  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67  149256     878895 /lib/libm-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67  219024     896584 /usr/lib/libdbus-1.so.3.4.0

hald      4638  haldaemon  mem       REG       3,67  837912     896758 /usr/lib/libglib-2.0.so.0.1600.3

hald      4638  haldaemon  mem       REG       3,67  235324     897641 /usr/lib/libgobject-2.0.so.0.1600.3

hald      4638  haldaemon  mem       REG       3,67  108992     896700 /usr/lib/libdbus-glib-1.so.2.1.0

hald      4638  haldaemon  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

hald      4638  haldaemon  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

hald      4638  haldaemon    0u      CHR        1,3               1547 /dev/null

hald      4638  haldaemon    1u      CHR        1,3               1547 /dev/null

hald      4638  haldaemon    2u      CHR        1,3               1547 /dev/null

hald      4638  haldaemon    5r     FIFO        0,5               6349 pipe

hald      4638  haldaemon    6w     FIFO        0,5               6349 pipe

hald      4638  haldaemon    7u     unix 0xdfc07060               6350 socket

hald      4638  haldaemon    8u     unix 0xdfc5ee00               6351 socket

hald      4638  haldaemon    9u     unix 0xdfc5eb00               6353 socket

hald      4638  haldaemon   10u     unix 0xdfc5e800               6358 socket

hald      4638  haldaemon   11u     unix 0xdfc5e680               6363 socket

hald      4638  haldaemon   12r      REG        0,3       0  303955986 /proc/4638/mounts

hald      4638  haldaemon   13r      DIR        0,8       0        396 inotify

hald      4638  haldaemon   14u     unix 0xdfc5e500               6839 socket

hald      4638  haldaemon   15u     unix 0xdfc5e080               6851 socket

hald      4638  haldaemon   16u     unix 0xe6f359a0               6934 socket

hald-runn 4639       root  cwd       DIR       3,67    4096          2 /

hald-runn 4639       root  rtd       DIR       3,67    4096          2 /

hald-runn 4639       root  txt       REG       3,67   13800     963071 /usr/libexec/hald-runner

hald-runn 4639       root  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

hald-runn 4639       root  mem       REG       3,67  235324     897641 /usr/lib/libgobject-2.0.so.0.1600.3

hald-runn 4639       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

hald-runn 4639       root  mem       REG       3,67  219024     896584 /usr/lib/libdbus-1.so.3.4.0

hald-runn 4639       root  mem       REG       3,67  837912     896758 /usr/lib/libglib-2.0.so.0.1600.3

hald-runn 4639       root  mem       REG       3,67  108992     896700 /usr/lib/libdbus-glib-1.so.2.1.0

hald-runn 4639       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

hald-runn 4639       root    0r      CHR        1,3               1547 /dev/null

hald-runn 4639       root    1u      CHR        1,3               1547 /dev/null

hald-runn 4639       root    2u      CHR        1,3               1547 /dev/null

hald-runn 4639       root    3u     unix 0xdfc5e980               6357 socket

hald-addo 4645  haldaemon  cwd       DIR       3,67    4096     960766 /usr/libexec

hald-addo 4645  haldaemon  rtd       DIR       3,67    4096          2 /

hald-addo 4645  haldaemon  txt       REG       3,67   13688     962762 /usr/libexec/hald-addon-keyboard

hald-addo 4645  haldaemon  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

hald-addo 4645  haldaemon  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

hald-addo 4645  haldaemon  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

hald-addo 4645  haldaemon  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

hald-addo 4645  haldaemon  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

hald-addo 4645  haldaemon  mem       REG       3,67  219024     896584 /usr/lib/libdbus-1.so.3.4.0

hald-addo 4645  haldaemon  mem       REG       3,67   50540     897208 /usr/lib/libhal.so.1.0.0

hald-addo 4645  haldaemon  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

hald-addo 4645  haldaemon    0r      CHR        1,3               1547 /dev/null

hald-addo 4645  haldaemon    1u      CHR        1,3               1547 /dev/null

hald-addo 4645  haldaemon    2u      CHR        1,3               1547 /dev/null

hald-addo 4645  haldaemon    3u     unix 0xdfc5e380               6702 socket

hald-addo 4645  haldaemon    4r      CHR      13,64               2658 /dev/input/event0

hald-addo 4648  haldaemon  cwd       DIR       3,67    4096     960766 /usr/libexec

hald-addo 4648  haldaemon  rtd       DIR       3,67    4096          2 /

hald-addo 4648  haldaemon  txt       REG       3,67    9556     962765 /usr/libexec/hald-addon-acpi

hald-addo 4648  haldaemon  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

hald-addo 4648  haldaemon  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

hald-addo 4648  haldaemon  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

hald-addo 4648  haldaemon  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

hald-addo 4648  haldaemon  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

hald-addo 4648  haldaemon  mem       REG       3,67  219024     896584 /usr/lib/libdbus-1.so.3.4.0

hald-addo 4648  haldaemon  mem       REG       3,67   50540     897208 /usr/lib/libhal.so.1.0.0

hald-addo 4648  haldaemon  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

hald-addo 4648  haldaemon    0r      CHR        1,3               1547 /dev/null

hald-addo 4648  haldaemon    1u      CHR        1,3               1547 /dev/null

hald-addo 4648  haldaemon    2u      CHR        1,3               1547 /dev/null

hald-addo 4648  haldaemon    3u     unix 0xdfc5e200               6850 socket

hald-addo 4653       root  cwd       DIR       3,67    4096     960766 /usr/libexec

hald-addo 4653       root  rtd       DIR       3,67    4096          2 /

hald-addo 4653       root  txt       REG       3,67   17916     962763 /usr/libexec/hald-addon-storage

hald-addo 4653       root  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

hald-addo 4653       root  mem       REG       3,67  235324     897641 /usr/lib/libgobject-2.0.so.0.1600.3

hald-addo 4653       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

hald-addo 4653       root  mem       REG       3,67  837912     896758 /usr/lib/libglib-2.0.so.0.1600.3

hald-addo 4653       root  mem       REG       3,67  219024     896584 /usr/lib/libdbus-1.so.3.4.0

hald-addo 4653       root  mem       REG       3,67  108992     896700 /usr/lib/libdbus-glib-1.so.2.1.0

hald-addo 4653       root  mem       REG       3,67   50540     897208 /usr/lib/libhal.so.1.0.0

hald-addo 4653       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

hald-addo 4653       root    0r      CHR        1,3               1547 /dev/null

hald-addo 4653       root    1u      CHR        1,3               1547 /dev/null

hald-addo 4653       root    2u      CHR        1,3               1547 /dev/null

hald-addo 4653       root    3u     unix 0xe6f35e20               6931 socket

hald-addo 4653       root    4u     unix 0xe6f35b20               6933 socket

dhcpcd    5076       root  cwd       DIR       3,67    4096          2 /

dhcpcd    5076       root  rtd       DIR       3,67    4096          2 /

dhcpcd    5076       root  txt       REG       3,67   59564     146424 /sbin/dhcpcd

dhcpcd    5076       root  mem       REG       3,67  118677     878918 /lib/libpthread-2.6.1.so

dhcpcd    5076       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

dhcpcd    5076       root  mem       REG       3,67   30552     878922 /lib/librt-2.6.1.so

dhcpcd    5076       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

dhcpcd    5076       root    0u      CHR        1,3               1547 /dev/null

dhcpcd    5076       root    1u      CHR        1,3               1547 /dev/null

dhcpcd    5076       root    2u      CHR        1,3               1547 /dev/null

dhcpcd    5076       root    3w      REG       3,70       4     615299 /var/run/dhcpcd-eth0.pid

dhcpcd    5076       root    4u     unix 0xe6f356a0               7403 socket


gdmlogin  5548        gdm  mem       REG       3,70   11392     470391 /var/cache/fontconfig/a336a40326b5f097d6a660e43ed65741-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70    8240     470377 /var/cache/fontconfig/b7b96da43d018c777cd824110a0f12ee-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   48304     470385 /var/cache/fontconfig/221fd1126b80b777db535aea535e87ba-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70    6048     470296 /var/cache/fontconfig/f04ac44db50c3d34682c8aebe15a38e7-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   23776     470003 /var/cache/fontconfig/12b26b760a24f8b4feb03ad48a333a72-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   76168     470088 /var/cache/fontconfig/4b5cf4386f1cde02a336ba961b4ac82d-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   17312     470083 /var/cache/fontconfig/61c91b4f4892ffae4bc0efef540a1e5d-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   12248     469971 /var/cache/fontconfig/374b958dfa195bf54eaa9332f068d728-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70   27376     469950 /var/cache/fontconfig/f73c51d6200a78c2054c26a5b2398976-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70    4896     469897 /var/cache/fontconfig/066fcef0148c817f44791de82dd13637-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70    4944     469875 /var/cache/fontconfig/0d18838e2eb2d05c78885ab659ed50db-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70    9944     469697 /var/cache/fontconfig/d62e99ef547d1d24cdb1bd22ec1a2976-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70  138184     469643 /var/cache/fontconfig/17090aa38d5c6f09fb8c5c354938f1d7-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,70  138664     469676 /var/cache/fontconfig/df311e82a1a24c41a75c2c930223552e-x86.cache-2

gdmlogin  5548        gdm  mem       REG       3,67   97092     896610 /usr/lib/libglade-2.0.so.0.0.7

gdmlogin  5548        gdm  mem       REG       3,67   65932     963475 /usr/share/fonts/ttf-bitstream-vera/Vera.ttf

gdmlogin  5548        gdm  mem       REG       3,67   26156     897179 /usr/lib/libgailutil.so.18.0.1

gdmlogin  5548        gdm  mem       REG       3,67  304324     948280 /usr/lib/gtk-2.0/modules/libgail.so

gdmlogin  5548        gdm  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67   13676     947593 /usr/lib/gtk-2.0/modules/libdwellmouselistener.so

gdmlogin  5548        gdm  mem       REG       3,67   17784     947208 /usr/lib/gtk-2.0/modules/libkeymouselistener.so

gdmlogin  5548        gdm  mem       REG       3,67 1520480     910349 /usr/lib/locale/locale-archive

gdmlogin  5548        gdm  mem       REG       3,67  165652     894509 /usr/lib/libpixman-1.so.0.10.0

gdmlogin  5548        gdm  mem       REG       3,67   34276     896080 /usr/lib/libXcursor.so.1.0.2

gdmlogin  5548        gdm  mem       REG       3,67   21928     896046 /usr/lib/libXrandr.so.2.1.0

gdmlogin  5548        gdm  mem       REG       3,67   14856     895971 /usr/lib/libXfixes.so.3.1.0

gdmlogin  5548        gdm  mem       REG       3,67    6592     896795 /usr/lib/libXdamage.so.1.1.0

gdmlogin  5548        gdm  mem       REG       3,67    9376     897289 /usr/lib/libXcomposite.so.1.0.0

gdmlogin  5548        gdm  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67    9624     878939 /lib/libutil-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67  149256     878895 /lib/libm-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67   70264     877869 /lib/libz.so.1.2.3

gdmlogin  5548        gdm  mem       REG       3,67    9612     878908 /lib/libdl-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67 1176092     896692 /usr/lib/libxml2.so.2.6.32

gdmlogin  5548        gdm  mem       REG       3,67  518180     898149 /usr/lib/libfreetype.so.6.3.18

gdmlogin  5548        gdm  mem       REG       3,67  170720     896510 /usr/lib/libfontconfig.so.1.3.0

gdmlogin  5548        gdm  mem       REG       3,67   18348     895571 /usr/lib/libXdmcp.so.6.0.0

gdmlogin  5548        gdm  mem       REG       3,67    7708     894322 /usr/lib/libXau.so.6.0.0

gdmlogin  5548        gdm  mem       REG       3,67  969700     894301 /usr/lib/libX11.so.6.2.0

gdmlogin  5548        gdm  mem       REG       3,67   53612     895620 /usr/lib/libXext.so.6.4.0

gdmlogin  5548        gdm  mem       REG       3,67   30064     897572 /usr/lib/libXi.so.6.0.0

gdmlogin  5548        gdm  mem       REG       3,67  837912     896758 /usr/lib/libglib-2.0.so.0.1600.3

gdmlogin  5548        gdm  mem       REG       3,67   13632     896774 /usr/lib/libgmodule-2.0.so.0.1600.3

gdmlogin  5548        gdm  mem       REG       3,67  235324     897641 /usr/lib/libgobject-2.0.so.0.1600.3

gdmlogin  5548        gdm  mem       REG       3,67   91848     896637 /usr/lib/libgdk_pixbuf-2.0.so.0.1200.9

gdmlogin  5548        gdm  mem       REG       3,67  244448     897773 /usr/lib/libpango-1.0.so.0.2002.1

gdmlogin  5548        gdm  mem       REG       3,67   29776     895823 /usr/lib/libXrender.so.1.3.0

gdmlogin  5548        gdm  mem       REG       3,67  141004     898108 /usr/lib/libpng12.so.0.26.0

gdmlogin  5548        gdm  mem       REG       3,67  387076     896586 /usr/lib/libcairo.so.2.17.5

gdmlogin  5548        gdm  mem       REG       3,67  157840     897780 /usr/lib/libpangoft2-1.0.so.0.2002.1

gdmlogin  5548        gdm  mem       REG       3,67   34504     897832 /usr/lib/libpangocairo-1.0.so.0.2002.1

gdmlogin  5548        gdm  mem       REG       3,67  536084     896674 /usr/lib/libgdk-x11-2.0.so.0.1200.9

gdmlogin  5548        gdm  mem       REG       3,67  104300     896511 /usr/lib/libatk-1.0.so.0.2009.1

gdmlogin  5548        gdm  mem       REG       3,67 3567204     896683 /usr/lib/libgtk-x11-2.0.so.0.1200.9

gdmlogin  5548        gdm  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

gdmlogin  5548        gdm  mem       REG       3,67   25486     910348 /usr/lib/gconv/gconv-modules.cache

gdmlogin  5548        gdm  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

gdmlogin  5548        gdm    0r     FIFO        0,5               8245 pipe

gdmlogin  5548        gdm    1w     FIFO        0,5               8246 pipe

gdmlogin  5548        gdm    2u      CHR        1,3               1547 /dev/null

gdmlogin  5548        gdm    3u     unix 0xe67f4e60               8249 socket

gdmlogin  5548        gdm    4u     unix 0xe67f4b60               8297 socket

gdmlogin  5548        gdm    5w     FIFO        0,5               7622 pipe

gdmlogin  5548        gdm    7r     FIFO        0,5               7626 pipe

<snip>
```

 - dcljr

Last edited by dcljr on Mon Aug 25, 2008 6:41 am; edited 1 time in total

----------

## dcljr

[continued...]

lsof, continued:

```
<snip>

bash      5553       root  cwd       DIR       3,67    4096     942849 /root

bash      5553       root  rtd       DIR       3,67    4096          2 /

bash      5553       root  txt       REG       3,67  663436     455235 /bin/bash

bash      5553       root  mem       REG       3,67 1520480     910349 /usr/lib/locale/locale-archive

bash      5553       root  mem       REG       3,67   34244     878912 /lib/libnss_files-2.6.1.so

bash      5553       root  mem       REG       3,67   34280     878931 /lib/libnss_nis-2.6.1.so

bash      5553       root  mem       REG       3,67   79544     878915 /lib/libnsl-2.6.1.so

bash      5553       root  mem       REG       3,67   26260     878932 /lib/libnss_compat-2.6.1.so

bash      5553       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

bash      5553       root  mem       REG       3,67    9612     878908 /lib/libdl-2.6.1.so

bash      5553       root  mem       REG       3,67  270232     877903 /lib/libncurses.so.5.6

bash      5553       root  mem       REG       3,67   25486     910348 /usr/lib/gconv/gconv-modules.cache

bash      5553       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

bash      5553       root    0u      CHR        4,1               1546 /dev/tty1

bash      5553       root    1u      CHR        4,1               1546 /dev/tty1

bash      5553       root    2u      CHR        4,1               1546 /dev/tty1

bash      5553       root  255u      CHR        4,1               1546 /dev/tty1

lsof      5564       root  cwd       DIR       3,67    4096     942849 /root

lsof      5564       root  rtd       DIR       3,67    4096          2 /

lsof      5564       root  txt       REG       3,67  108708     898622 /usr/bin/lsof

lsof      5564       root  mem       REG       3,67 1520480     910349 /usr/lib/locale/locale-archive

lsof      5564       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

lsof      5564       root  mem       REG       3,67   25486     910348 /usr/lib/gconv/gconv-modules.cache

lsof      5564       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

lsof      5564       root    0u      CHR        4,1               1546 /dev/tty1

lsof      5564       root    1w      REG       3,67       0     947824 /root/lsof.txt

lsof      5564       root    2u      CHR        4,1               1546 /dev/tty1

lsof      5564       root    3r      DIR        0,3       0          1 /proc

lsof      5564       root    4r      DIR        0,3       0  364642314 /proc/5564/fd

lsof      5564       root    5w     FIFO        0,5               8583 pipe

lsof      5564       root    6r     FIFO        0,5               8584 pipe

lsof      5565       root  cwd       DIR       3,67    4096     942849 /root

lsof      5565       root  rtd       DIR       3,67    4096          2 /

lsof      5565       root  txt       REG       3,67  108708     898622 /usr/bin/lsof

lsof      5565       root  mem       REG       3,67 1520480     910349 /usr/lib/locale/locale-archive

lsof      5565       root  mem       REG       3,67 1237276     878882 /lib/libc-2.6.1.so

lsof      5565       root  mem       REG       3,67  108996     878886 /lib/ld-2.6.1.so

lsof      5565       root    4r     FIFO        0,5               8583 pipe

lsof      5565       root    7w     FIFO        0,5               8584 pipe
```

Yeah.

So, now I don't think I should switch cable modems, unless the ARP info above gave anyone ideas (please, someone explain). I feel like I should call Time Warner one more time, but I'm not sure what I would tell them now.

 - dcljr

P.S. - This is the last post in this sequence. Replies now welcome...   :Very Happy: 

----------

## jcat

ARP broadcast requests are quite normal, I certainly don't think they're a cause for concern here.

Cheers,

jcat

----------

## lesourbe

 *jcat wrote:*   

> ARP broadcast requests are quite normal, I certainly don't think they're a cause for concern here.
> 
> Cheers,
> 
> jcat

 

well  *Quote:*   

> 22:37:36.299193 arp who-has 70.112.240.0 tell 70.112.224.1 
> 
> 22:37:36.351120 arp who-has 72.177.54.38 tell 72.177.48.1

 

These two are not on the same network, WTF???

----------

## jcat

 *lesourbe wrote:*   

> 
> 
> well  *Quote:*   22:37:36.299193 arp who-has 70.112.240.0 tell 70.112.224.1 
> 
> 22:37:36.351120 arp who-has 72.177.54.38 tell 72.177.48.1 
> ...

 

Well I see what you're saying, but I just meant that they are certainly not harmful.

Do we even know what the network details are?

Cheers,

jcat

----------

## lesourbe

Is it not one of your neighbours ARP spoofing 70.112.224.1?

 *Quote:*   

>      Your-IP 70.112.255.149 
> 
>      Gateway-IP 10.65.192.1

 

again, WTF ?

EDIT : that's QotD string ...

If I were you I'd double check the ARP table of my box.

----------

## jcat

I'm no expert in spoofing techniques, but what would be the point in spoofing that IP?  A reverse lookup reveals it's just a random IP used by Road Runner (some American ISP).

I'm not flaming, just trying to help logic it out  :Smile: 

Cheers,

jcat

----------

## dcljr

 *lesourbe wrote:*   

> Is it not one of your neighbours ARP spoofing 70.112.224.1?
> 
>  *Quote:*        Your-IP 70.112.255.149 
> 
>      Gateway-IP 10.65.192.1 
> ...

 

I don't understand the meaning of your "EDIT" line, but I see that I can check my ARP table with arp. So what am I looking for?

Okay, let me attempt an explanation, based on my limited understanding of what we've seen here (and what I've Googled):

- Some machine somewhere started sending out tons of ARP and/or UDP messages Wed night.
- They were being broadcast to "everyone" and only would be replied to by the machine(s) relevant to the request(s).
- This is why almost nothing was being sent out by my machine.
- Even though "everyone" was getting this traffic, I was the only one who called Time Warner about it (at least, the only one who had spoken to those particular tech guys about it).
- After a few days, the requester gave up or got satisfactory replies, and so stopped flooding the net with requests.
- The activity level I'm now seeing is probably roughly normal and I just never noticed it before.

Does this seem right?

I guess I understand what the ARP messages are for, but I still don't get what the UDP ones were/are.

 - dcljr

----------

## jcat

 *dcljr wrote:*   

> 
> 
> Does this seem right?
> 
> 

 

Seems like it could be quite likely. Besides, as long as you're firewalled, up to date and take sensible precautions, there's nothing much anyone can do to actually harm your system. No disrespect, but I doubt you're a target for any serious hacker  :Smile: 

Cheers,

jcat

----------

## dcljr

 *jcat wrote:*   

> as long as you're firewalled

 

No firewall.

 *jcat wrote:*   

> No disrespect, but I doubt you're a target for any serious hacker

 

Security through obscurity?   :Wink: 

----------

## jcat

Ok, you _need_ a firewall.

http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

Obscurity won't protect you from script kiddies etc   :Wink: 

Cheers,

jcat

----------

## lesourbe

 *jcat wrote:*   

> I'm no expert in spoofing techniques, but what would be the point in spoofing that IP?  A reverse lookup reveals it's just a random IP used by Road Runner (some American ISP).
> 
> I'm not flaming, just trying to help logic it out 
> 
> Cheers,
> ...

 

ARP spoofing :

Hacker computer to LAN : I am the gateway I am the gateway !!!

Take a look at the manpage of ettercap.

All traffic goes through his computer and he is now fully capable of sniffing it or DNS spoofing the LAN, ...

I read that ARP who-has requests can be used as a probe to know if such a port is open or not.

I have only little knowledge of all this, is there a true "expert" out there ?

----------

## AngelKnight

 *dcljr wrote:*   

> Okay, here's where we stand: The phenomenon continues, but at such a low level, I don't know if it was doing this before I noticed the "torrent" (not of the "bit-" variety -- I haven't installed any P2P software on my machine) starting a few days ago, which prompted my original message.
> 
> (lots of ARP traffic snipped)
> 
> Now, the curious thing about this output is, none of the IP addresses (IPv4, anyway) shown above are (or even have been, since I started keeping track) the IP address of my machine (which has changed again today). What the hell??
> ...

 

It's not uncommon on a cable modem segment (at least in Northern America) that you're going to see ARP broadcasts on the LAN interface of a cable modem.  Most of the ARP reqs are coming out on behalf of the L3 device at the other end of your provider's DOCSIS concentrator.  Just ignore those.  This is assuming that your default router is set to 70.112.224.1 (if your Gentoo box is plugged directly into the cable modem, try "ip route show | fgrep default").

I'm more interested in the previous issue where your modem's activity light was lit up.  Those bootPs for example.  Chances are someone (maybe your cable company) noticed it was happening and took steps to stop it.  It's not standard practice as far as I'm aware of to attempt to BOOTP a workstation off of a residential cable network.
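Two checks that bear on the ARP questions raised in this thread, as an added example that is not part of any post: a tally of who is sending the who-has requests, and a look for one MAC address answering for several IPs in the ARP table, which is what a poisoned cache looks like. The sample data is constructed, apart from the first two capture lines, which are the ones quoted in the thread; the interface name `eth0` in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data is constructed except
# the first two capture lines, which are quoted in the posts above.

# Count ARP who-has requests per requester (the address after "tell").
# Reads tcpdump text on stdin. Accepts the older "arp who-has X tell Y"
# lines seen in the thread and the newer
# "ARP, Request who-has X tell Y, length N" form.
arp_requesters() {
    awk '
        /who-has/ {
            for (i = 1; i < NF; i++)
                if ($i == "tell") { ip = $(i + 1); sub(/,$/, "", ip); n[ip]++ }
        }
        END { for (ip in n) print n[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# List MAC addresses that answer for more than one IP. Reads a table in
# /proc/net/arp format on stdin. Incomplete entries (all-zero MAC) are
# skipped. A MAC shared by the default gateway and another host deserves a
# closer look; a router with secondary addresses is a legitimate cause.
arp_shared_macs() {
    awk '
        NR > 1 && $4 != "00:00:00:00:00:00" {
            mac = tolower($4)
            if (mac in ips) ips[mac] = ips[mac] "," $1
            else            ips[mac] = $1
            cnt[mac]++
        }
        END { for (m in cnt) if (cnt[m] > 1) print m, ips[m] }
    ' | LC_ALL=C sort
}

# Constructed capture (lines 1-2 are from the thread).
sample_capture() {
    cat <<'EOF'
22:37:36.299193 arp who-has 70.112.240.0 tell 70.112.224.1
22:37:36.351120 arp who-has 72.177.54.38 tell 72.177.48.1
22:37:36.410000 arp who-has 72.177.50.12 tell 72.177.48.1
22:37:36.480000 arp who-has 70.112.231.7 tell 70.112.224.1
22:37:36.520000 arp who-has 72.177.49.200 tell 72.177.48.1
22:37:37.000000 ARP, Request who-has 72.177.48.1 tell 72.177.51.9, length 46
EOF
}

# Constructed ARP table with made-up, locally administered MAC addresses.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
72.177.48.1      0x1         0x2         02:00:5e:10:00:01     *        eth0
72.177.51.9      0x1         0x2         02:00:5E:10:00:01     *        eth0
72.177.50.12     0x1         0x2         02:00:5e:10:00:2a     *        eth0
72.177.49.200    0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# Demo on the constructed samples. On a live system (as root for tcpdump):
#   tcpdump -n -i eth0 -c 500 arp | arp_requesters
#   arp_shared_macs < /proc/net/arp
sample_capture | arp_requesters
sample_arp_table | arp_shared_macs
```

If nearly all requests come from a handful of addresses, the traffic is a few routers looking for hosts rather than many hosts announcing themselves.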

----------

## dcljr

 *dcljr wrote:*   

>  *jcat wrote:*   No disrespect, but I doubt you're a target for any serious hacker 
> 
> Security through obscurity?  

 

 *jcat wrote:*   

> Obscurity won't protect you from script kiddies etc   

 

No, I meant that's what it sounded like you were saying... Never mind.

 *jcat wrote:*   

> Ok, you _need_ a firewall.
> 
> http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml
> 
> http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

 

You've got to be kidding me. Unless I'm missing something, this seems like way more work than I'm willing to devote to this. Thanks, but...

Meanwhile...

 *AngelKnight wrote:*   

> This is assuming that your default router is set to 70.112.224.1 (if your Gentoo box is plugged directly into the cable modem, try "ip route show | fgrep default").

 

Umm, I don't seem to have that command. I'm guessing it's equivalent to:

```
# route | grep default

default         cpe-72-177-48-1 0.0.0.0         UG    0      0        0 eth0
```

If so, then the answer seems to be no, that's not my default router. Here's a traceroute, if that would be relevant:

```
# traceroute google.com

traceroute to google.com (72.14.207.99), 30 hops max, 40 byte packets

 1  10.65.192.1 (10.65.192.1)  7.036 ms  14.164 ms  20.689 ms

 2  gig12-1-0.austtxrdcsc-rtr1.austin.rr.com (24.27.12.186)  21.238 ms  21.353 ms  21.409 ms

 3  gig6-3-0.hstntxl3-rtr1.texas.rr.com (72.179.205.78)  27.883 ms  28.078 ms  28.193 ms

 4  ae-2-0.cr0.hou30.tbone.rr.com (66.109.6.108)  28.114 ms  27.956 ms  28.218 ms

 5  ae-0-0.pr0.dfw10.tbone.rr.com (66.109.6.181)  32.256 ms  32.175 ms  32.017 ms

 6  74.125.48.65 (74.125.48.65)  32.279 ms  17.146 ms  18.025 ms

 7  66.249.94.94 (66.249.94.94)  22.053 ms  27.264 ms  27.382 ms

 8  72.14.238.243 (72.14.238.243)  50.031 ms  49.167 ms  49.601 ms

 9  216.239.48.68 (216.239.48.68)  65.575 ms  65.811 ms  65.943 ms

10  209.85.248.217 (209.85.248.217)  90.273 ms  71.492 ms  71.608 ms

11  72.14.233.113 (72.14.233.113)  83.946 ms  84.069 ms  85.823 ms

12  66.249.94.92 (66.249.94.92)  76.507 ms 66.249.94.90 (66.249.94.90)  75.431 ms  75.940 ms

13  66.249.94.50 (66.249.94.50)  85.013 ms  103.030 ms 72.14.236.130 (72.14.236.130)  86.986 ms

14  eh-in-f99.google.com (72.14.207.99)  87.035 ms  89.368 ms  89.211 ms
```

Anyway, the phenomenon continues at the same low level as before, with the tcpdump output tonight looking almost identical to what I posted before. Oh, well... I guess maybe I should just mark this as "SOLVED" and forget about it....

----------

## jcat

 *dcljr wrote:*   

> 
> 
>  *jcat wrote:*   Obscurity won't protect you from script kiddies etc    
> 
> No, I meant that's what it sounded like you were saying... Never mind.
> ...

 

Hey, er, that was a joke.  Hence the wink..

 *dcljr wrote:*   

>  *jcat wrote:*   Ok, you _need_ a firewall.
> 
> http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml
> 
> http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
> ...

 

 :Shocked: 

Welcome to Gentoo my friend,  I'd be happy (as I'm sure many people here would) to assist you.  It's really not that hard   :Smile: 

However, if you think you don't need a firewall between LAN and the Internet, good luck.

Cheers,

jcat

----------

## Hu

 *dcljr wrote:*   

>  *jcat wrote:*   Ok, you _need_ a firewall.
> 
> http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml
> 
> http://gentoo-wiki.com/HOWTO_Iptables_for_newbies 
> ...

 

You may be overestimating how much is involved.  I glanced through the second link you quoted and you could have a decent packet filter working if you stopped after reading the first 30% of the page.  Most of that first 30% is fluff showing the kernel options you need enabled.  Linux defaults to a permissive policy, so you can build packet filtering support into the kernel and boot that kernel without any of your traffic being filtered.  Once your kernel supports it, just insert some general rules and you are done.  The /etc/iptables.bak listing shows a packet filter that should work, and has comments about which lines you enable if you want to host particular services.  Before you begin, run iptables-save > ~/default.iptables.  If you run into any problems, you can revert to your starting state by doing iptables-restore < ~/default.iptables.

As jcat mentioned, there are plenty of people here who would help if you want to set up a firewall.  You might even find an adequate set of rules by searching my old posts.  I tend to join iptables threads quite often.

 *dcljr wrote:*   

>  *AngelKnight wrote:*   This is assuming that your default router is set to 70.112.224.1 (if your Gentoo box is plugged directly into the cable modem, try "ip route show | fgrep default"). 
> 
> Umm, I don't seem to have that command. I'm guessing it's equivalent to:
> 
> ...

 

Yes, that is roughly equivalent.  You can get /sbin/ip from sys-apps/iproute2.
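The save, load and revert procedure described in the post above, as an added example that is not the listing from the linked HOWTO or anyone's posted rules. It assumes a single DHCP-configured desktop that hosts no services; the script name `firewall.sh` and the lint step are hypothetical additions, and the backup file name is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the thread or the linked HOWTO: default-deny
# inbound filter for one desktop, loaded with a way back.

BACKUP="${HOME}/default.iptables"   # same file name as in the post above

# Emit the ruleset in iptables-restore format.
desktop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 6/minute -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Sanity-check a ruleset on stdin before loading it. INPUT must default to
# DROP, loopback and reply traffic must be accepted (without them local
# programs and every outgoing connection break), and COMMIT must be there.
# Prints one line per problem and returns non-zero if any was found.
lint_ruleset() {
    awk '
        $1 == ":INPUT"                               { policy = $2 }
        /^-A INPUT/ && /-i lo/ && /-j ACCEPT/        { lo = 1 }
        /^-A INPUT/ && /ESTABLISHED/ && /-j ACCEPT/  { est = 1 }
        $1 == "COMMIT"                               { commit = 1 }
        END {
            if (policy != "DROP") { print "INPUT policy is not DROP"; bad = 1 }
            if (!lo)     { print "no loopback accept rule"; bad = 1 }
            if (!est)    { print "no ESTABLISHED accept rule"; bad = 1 }
            if (!commit) { print "missing COMMIT"; bad = 1 }
            exit bad + 0
        }'
}

# Save the running rules, then load the new ones; restore the saved rules
# if loading fails. Needs root. "iptables-restore --test" only parses the
# input and commits nothing.
apply_ruleset() {
    rules=$(desktop_ruleset)
    printf '%s\n' "$rules" | lint_ruleset || return 1
    iptables-save > "$BACKUP" || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    if ! printf '%s\n' "$rules" | iptables-restore; then
        iptables-restore < "$BACKUP"
        return 1
    fi
}

# As root:       sh firewall.sh --apply
# Revert later:  iptables-restore < ~/default.iptables
case "${1:-}" in
    --apply) apply_ruleset ;;
    --print) desktop_ruleset ;;
esac
```

The rules last until reboot; making them persistent is a separate step that depends on the distribution's init scripts.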

----------

## Etal

Just a question... If I don't have any services on any ports (except instant messenger) on my laptop, what's the risk if I don't have a firewall?

----------

## Hu

Very little.  Your main risk is that you will start a network facing listener, perhaps unknowingly or accidentally, and it will be exposed.  Also, your machine will actively refuse connection attempts, which makes it faster for worms to decide that you are not interesting and move on.  By dropping their probes, you may encourage them to spend more time waiting for a response - time which they could otherwise use to harass someone else.

----------

## jcat

I think the point is that you can remain in "stealth mode", and keep an eye on what's happening with the firewall logs. Also, it's an extra layer of protection, for instance if you have 1 open port and you wish to stop some IPs from accessing (due to DOS attempt or whatever). It can also help protect you from any accidents after mis-configuration of some service you are running (say you accidentally opened up a port).

And don't forget, the firewall controls traffic in more than one direction, it can also stop you from broadcasting (or even forwarding) traffic that is not desirable (by you or a trojan or whatever).

I think there's obviously a case for saying "I have everything configured perfectly, I don't need a firewall", and in some ways you'd be right.  But the world's not perfect, and it's a little like saying "I'm a perfect driver, I don't need insurance".  One day, you might just wish you'd done things differently   :Wink: 

Cheers,

jcat

----------

## Etal

Thanks for the info. I've been quite busy lately, but I'll consider adding it sometime.

----------

