# steady 175K/s outbound stream to 224.0.0.56

## splurben

I'm running Gentoo x86_64:

```
3.13.6-gentoo #2 SMP Mon Mar 10 13:42:12 WST 2014 x86_64 Intel(R) Core(TM) i7-3820 CPU @ 3.60GHz GenuineIntel GNU/Linux
```

Profile: 

```
13.0/Desktop
```

I apologise if this thread should have been under Multimedia, but as far as I'm concerned it's a network problem.

I've noticed that I have a constant stream of data (175K/sec) going out from this machine to 224.0.0.56.

I'm in Australia and all broadband is metered so 175K/s 24 hours a day is adding up.

How do I determine what is causing this?

There is some conjecture that it may be PulseAudio; if it is PA I have searched high and low and I can't find a way to disable this steady outbound stream by reviewing the USE flags.

Emerge Info: http://pastebin.com/1kAnXbCE

PulseAudio Package USE Flags: 

```
[ebuild   R    ] media-sound/pulseaudio-5.0  USE="X alsa asyncns avahi bluetooth caps dbus gdbm glib gnome gtk ipv6 libsamplerate orc qt4 ssl tcpd udev webrtc-aec -doc -equalizer -jack -lirc (-neon) (-oss) -realtime (-system-wide) -systemd {-test} -xen" ABI_X86="(64) -32 (-x32)" 0 kB
```

I have just installed NTOP and am allowing it to aggregate data, but I'm not sure that's the right tool for this.

Any help is greatly appreciated,

Kirk

----------

## 666threesixes666

https://wiki.gentoo.org/wiki/Ufw

add this

and then emerge ufwfrontends

then ufw-gtk and block the traffic from going out until you can figure out what is causing the traffic. I'll buy you some time.

----------

## splurben

*666threesixes666 wrote:*

> https://wiki.gentoo.org/wiki/Ufw
>
> add this
>
> and then emerge ufwfrontends
> ...

Thank you, I'll report back when I have a result.

K

----------

## khayyam

splurben ...

I can't think why 666threesixes666 is suggesting iptables (ufw) for network analysis, it's the wrong tool for the job ... there are various tools out there for such a task, net-analyzer/tcpdump or net-analyzer/wireshark to name two.

```
# tcpdump -i eth0
```

Anyhow, 244.0.0.56 is a multicast address, so my guess would be Multicast RTP (given you seem to think it's pulseaudio). Not ever having used PA I can only guess what might be the issue, but I would grep its config file(s) for "rtp" and disable it.

best ... khay

----------

## 666threesixes666

I'm suggesting immediately stopping the traffic, so he can gather himself, and take time to understand what the root issue is kazam...

----------

## khayyam

*666threesixes666 wrote:*

> I'm suggesting immediately stopping the traffic, so he can gather himself, and take time to understand what the root issue is kazam...

You mean "immediately" after emerging pygtk and its dependencies?

```
# destination is 224.0.0.56 (the address from the original post), not 244.0.0.56
iptables -I OUTPUT -o eth0 -d 224.0.0.56 -j DROP
```

... and btw, the next time you refer to me as 'kazam' I will be hitting the report button.

khay

----------

## blu3bird

```
netstat -apn | grep 224.0.0.56
```

Unless it's some sort of rootkit, this will show you which pid/process is sending the data.

----------

## splurben

*blu3bird wrote:*

> ```
> netstat -apn | grep 244.0.0.56
> ```
> ...

Thank you EVERYONE for all the suggestions. I have already made a comprehensive check for a rootkit but I'm still not ruling it out.

I was fortunate to be able to turn the system off for a few days over my weekend, but it normally needs to stay on 24/7.

I'm 90% certain it's PulseAudio. If it is PA I'll try to cut out RTP as suggested by khayyam or determine if the PA has some malware using it for clandestine purposes. I vaguely remember encountering 'net sinks' for PA, so with that and RTP to work from, we should be good soon.

I will post results.

----------

## Hu

If you have a suspicion about the culprit and can afford temporary degradation of service, you could SIGSTOP the suspected culprit.  If you are right, outbound traffic will cease while the culprit is suspended by the SIGSTOP.  If you are wrong, you lose only the time taken for the test.  Use SIGCONT when you are ready to resume the process, either because you were wrong and want to restore service or because you were right and you want to gracefully exit it.

----------
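Putting blu3bird's netstat lookup and Hu's SIGSTOP test together as one script. This is an added example, not code from the thread; the function names are mine. It assumes Linux /proc and /sys, a little-endian host (x86_64, as in the opening post, because /proc/net/udp prints the IPv4 address as a raw host-order 32-bit value), and that the sender has connect()ed its UDP socket so the multicast destination shows up in the rem_address column at all; a socket that only uses sendto() shows 0.0.0.0 there and has to be found with tcpdump plus a per-process fd listing instead. It goes a little beyond the thread by reading /proc/net/udp directly rather than scraping netstat output.

```shell
#!/bin/sh
# Added example, not code from the thread.  Finds the processes holding a
# UDP socket connected to a given multicast address by reading /proc/net/udp
# and /proc/*/fd, then runs Hu's SIGSTOP test against a suspect PID while
# watching the interface's tx_bytes counter.
# Assumptions: Linux /proc and /sys; a little-endian host (x86_64, as in the
# original post), because /proc/net/udp prints the IPv4 address as a raw
# host-order 32-bit value; the sender has connect()ed its socket, so the
# destination appears in the rem_address column at all.

# Dotted quad -> the 8 hex digits /proc/net/udp uses on little-endian hosts.
#   224.0.0.56 -> 380000E0
proc_hex_addr() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%02X%02X%02X%02X' "$4" "$3" "$2" "$1"
}

# Print the inode of every UDP socket whose remote address is ADDR (column 3
# of /proc/net/udp is rem_address, column 10 is the socket inode).  A second
# argument substitutes another file for /proc/net/udp, which lets the parser
# be exercised on a constructed sample without root.
udp_inodes_to() {
    hex=$(proc_hex_addr "$1")
    awk -v hex="$hex" 'NR > 1 && index($3, hex ":") == 1 { print $10 }' \
        "${2:-/proc/net/udp}"
}

# Map a socket inode to the PIDs that have it open.  Needs root to read the
# fd directories of other users' processes.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        echo "$fd" | cut -d/ -f3
    done | sort -u
}

# Hu's test: freeze PID with SIGSTOP, watch IFACE's tx_bytes for SECS seconds,
# then SIGCONT it.  Prints the bytes the interface sent while the process was
# frozen; if the suspect is the sender, that figure collapses from roughly
# 175 KB/s times SECS down to whatever the rest of the machine sends.
stop_and_measure() {
    pid=$1; iface=$2; secs=${3:-5}
    counter=/sys/class/net/$iface/statistics/tx_bytes
    kill -STOP "$pid" || return 1
    before=$(cat "$counter")
    sleep "$secs"
    after=$(cat "$counter")
    kill -CONT "$pid"
    echo $((after - before))
}

# Typical session, as root:
#   for inode in $(udp_inodes_to 224.0.0.56); do pids_for_inode "$inode"; done
#   stop_and_measure "$suspect_pid" eth0 10
```

Take a baseline reading of tx_bytes over the same number of seconds with nothing stopped first, so you know what 175 KB/s looks like on that counter; the interface total includes every other process, so the number never reaches zero. Stopping one of several PulseAudio processes and seeing the rate unchanged is itself informative: it tells you that process was not the one streaming.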

## splurben

The netstat command with 224.0.0.56 shows three PulseAudio processes.

I've instructed pfSense to throw away the packets so they don't accrue WAN bandwidth and will research stopping PulseAudio's RTP Multicast (probably PA Net Sinks).

Thank you everyone for your help.

If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.

Cheers,

Kirk

----------

## blu3bird

*splurben wrote:*

> If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.

Done

----------

## splurben

For whatever reason, although I've configured my firewall to throw out this traffic, so it's no longer an issue for our Internet connection, I still haven't found a way to tell pulseaudio to disable its network sinks.

Has anyone done this successfully once they're already running?

----------

## khayyam

*splurben wrote:*

> I still haven't found a way to tell pulseaudio to disable its network sinks.

splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.

HTH & best ... khay

----------

## splurben

*khayyam wrote:*

> *splurben wrote:*
> > I still haven't found a way to tell pulseaudio to disable its network sinks.
>
> splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.

I’ve been through there, and a couple of other sites also suggest default.pa, I’ll have another look. I have a number of machines running like this. I remember getting into the GUI at some point just on this machine and being able to enable/disable this feature in there. It’s still in the GUI but it’s greyed out and enabled, I’ve tried accessing as my user, sudo, and root, and the dialogue is still greyed out in paprefs. It’s only a problem on this machine for some reason. I’ve checked permissions and can't find a reason for sections of the GUI being greyed out.

That’ll teach me to play with my settings! — It’s not a huge problem, it’s just annoying seeing activity on the network interface all the time.

Thank you for the suggestion.

Cheers

----------
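Acting on khayyam's pointer to module-rtp-send and splurben's question about switching it off in a running daemon, here is an added example, not code from the thread or from the PulseAudio project. It assumes pactl(1) is installed and that `pactl list short modules` prints tab-separated index, name and argument columns (the format I know from PulseAudio's pactl); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the PulseAudio project.
# Unloads module-rtp-send from a running PulseAudio daemon and comments it out
# of a default.pa-style file so it stays off.  Assumes pactl(1) is installed
# and prints "index<TAB>name<TAB>arguments" lines for `pactl list short
# modules`; function names are my own.

# Read `pactl list short modules` lines on stdin, print the instance ids of
# every loaded module-rtp-send (a daemon can carry more than one).
rtp_module_ids() {
    awk -F '\t' '$2 == "module-rtp-send" { print $1 }'
}

# Stop the RTP stream right now, without restarting PulseAudio.  Run as the
# user whose daemon is sending; the change does not survive a restart.
unload_rtp_now() {
    for id in $(pactl list short modules | rtp_module_ids); do
        pactl unload-module "$id"
    done
}

# Comment out every literal "load-module module-rtp-send" line in FILE
# (/etc/pulse/default.pa or ~/.config/pulse/default.pa) and print how many
# lines were changed.  A 0 while the module is loaded means something other
# than this file is loading it.
disable_rtp_in_file() {
    pattern='^[[:space:]]*load-module[[:space:]][[:space:]]*module-rtp-send'
    n=$(grep -c "$pattern" "$1" || true)
    sed "s/$pattern/#&/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$n"
}

# Typical use:
#   unload_rtp_now
#   disable_rtp_in_file /etc/pulse/default.pa
```

Check `pactl list short modules | rtp_module_ids` again afterwards: an empty result means the multicast stream has stopped at the source, which you can confirm on the interface counters or with tcpdump rather than relying on the firewall drop. If disable_rtp_in_file reports 0 while the module is loaded, the literal line is not where the sender comes from. My understanding of PulseAudio 5.x (an assumption, not something the thread confirms) is that default.pa loads module-gconf and paprefs stores its RTP sender switch in GConf, in which case the setting lives there rather than in default.pa, and the unload plus the paprefs or GConf change is what makes it stick.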

