# 224 MB of data transferred over port 80, I want to know more

## nomadicME

Tonight my browser was eating up large amounts of memory, so I closed it and reopened it, which seemed to solve the problem.  A while later I discovered that 224 MB of data was transferred (incoming) over TCP port 80 from 23.21.81.68 to 192.168.2.4 around the time I closed my browser.  The funny thing is I am not running a web server on this machine (192.168.2.4).  Further, I know that iptables was active at the time and I thought I had incoming traffic (not ESTABLISHED) on port 80 blocked.  I start with all ports blocked in and out and then open individual ports.  These are the two commands I issue in order to allow browser navigation out on port 80 on this machine:

```bash
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

I did a whois on the src ip and found that it is a dynamic hosting environment on Amazon's Elastic Cloud.  They provide some information on filing a complaint, which I may do.  The question I have is, how do I find out more about the data that was transferred?  Is it somewhere on my filesystem?  Should I be worried about trojans? What should I be concerned about, and how can I avoid this type of transfer in the future?

I discovered this large transfer using a packet sniffer program I wrote in order to keep track of data usage.

----------

## christofdeluca

Were you streaming video or audio?

----------

## nomadicME

No, I'm sure that I wasn't streaming any media.  I may have had the following link open in a tab, but I can't really remember for sure.  Even if I did have it open there is no way it should amount to 224 MB!

http://www.wunderground.com/radar/radblast.asp?ID=ABX&lat=35.03903580&lon=-106.18625641&label=Edgewood%2C+NM&type=N0R&zoommode=pan&map.x=400&map.y=240&centerx=400&centery=240&prevzoom=zoom&num=10&delay=15&scale=1&noclutter=0&showstorms=31&showlabels=1&rainsnow=1&lightning=1&remembersettings=on&setprefs.0.key=RADNUM&setprefs.0.val=6&setprefs.1.key=RADSPD&setprefs.1.val=15&setprefs.2.key=RADC&setprefs.2.val=0&setprefs.3.key=RADSTM&setprefs.3.val=31&setprefs.4.key=SLABS&setprefs.4.val=1&setprefs.5.key=RADRMS&setprefs.5.val=1&setprefs.6.key=RADLIT&setprefs.6.val=1

I actually had very few tabs open at the time, so I'm fairly confident that it is nothing obvious.

----------

## christofdeluca

One minute of wireshark gives me 17k packets to amazonaws.com. We've found your culprit. Please mark solved.

----------

## nomadicME

Pardon my ignorance, but could you spell it out for me?  What is the culprit?  How did I load it in my browser?  Was it embedded in a page I loaded?  Should I report it to Amazon? Thanks.

----------

## christofdeluca

Well, in 60 seconds of looking at that weather map, I got 4262090 bytes of data from amazon. That tab was the only one open, everything else (pidgin etc) off. It's totally that weather map. It's just... data. I've not the time to dissect the webpage, but I'm sure there's a refresh loop in there somewhere.
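The first post asks how to tell whether inbound bytes on source port 80 were replies to a connection the browser opened (which is exactly what the `--ctstate ESTABLISHED` INPUT rule permits), and the post above gets a per-host byte count out of wireshark. The script below is an added example, not code from either poster: it takes a constructed capture, groups segments into TCP flows, records which side sent the bare SYN, and totals bytes per remote address, separating bytes on flows the local host opened from bytes on flows it did not. The addresses 192.168.2.4 and 23.21.81.68 are from the thread; the client port, segment sizes and the second address 198.51.100.7 are made up for the sample.

```python
# Added example (not from the thread): attribute captured bytes to TCP flows and
# note which side opened each flow, so "224 MB inbound from port 80" can be checked
# against a firewall that only accepts ESTABLISHED replies to local connections.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """One captured TCP segment; every sample value below is constructed."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "PA"
    length: int  # bytes on the wire


@dataclass
class Flow:
    remote_ip: str
    remote_port: int
    local_port: int
    opened_by_local: Optional[bool] = None  # None until a bare SYN is seen
    bytes_in: int = 0
    bytes_out: int = 0
    packets: int = 0


def flow_key(pkt: Packet, local_ip: str) -> tuple[str, int, int]:
    """(remote ip, remote port, local port): identical for both directions."""
    if pkt.src == local_ip:
        return (pkt.dst, pkt.dport, pkt.sport)
    return (pkt.src, pkt.sport, pkt.dport)


def build_flows(packets: list[Packet], local_ip: str) -> dict[tuple, Flow]:
    flows: dict[tuple, Flow] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = flow_key(p, local_ip)
        outbound = p.src == local_ip
        f = flows.setdefault(key, Flow(*key))
        # A SYN without ACK is the connection request: its sender opened the flow.
        if "S" in p.flags and "A" not in p.flags and f.opened_by_local is None:
            f.opened_by_local = outbound
        if outbound:
            f.bytes_out += p.length
        else:
            f.bytes_in += p.length
        f.packets += 1
    return flows


def per_remote(flows: dict[tuple, Flow]) -> dict[str, dict[str, int]]:
    """Totals per remote IP. 'unsolicited_in' is inbound bytes on flows the local
    host did not open; flows whose SYN was never captured count here too, so a
    capture started mid-session over-reports rather than under-reports."""
    totals: dict[str, dict[str, int]] = defaultdict(
        lambda: {"bytes_in": 0, "bytes_out": 0, "unsolicited_in": 0, "flows": 0})
    for f in flows.values():
        t = totals[f.remote_ip]
        t["bytes_in"] += f.bytes_in
        t["bytes_out"] += f.bytes_out
        t["flows"] += 1
        if f.opened_by_local is not True:
            t["unsolicited_in"] += f.bytes_in
    return dict(totals)


LOCAL_IP = "192.168.2.4"


def sample_capture() -> list[Packet]:
    """Constructed capture: one browser-opened flow to 23.21.81.68:80 (as in the
    thread) and one inbound connection attempt from a placeholder address."""
    pkts = [
        Packet(0.00, LOCAL_IP, 51234, "23.21.81.68", 80, "S", 60),
        Packet(0.05, "23.21.81.68", 80, LOCAL_IP, 51234, "SA", 60),
        Packet(0.05, LOCAL_IP, 51234, "23.21.81.68", 80, "A", 60),
    ]
    # 150 full-size data segments from the server, each ACKed by the client.
    for i in range(150):
        t = 0.1 + i * 0.01
        pkts.append(Packet(t, "23.21.81.68", 80, LOCAL_IP, 51234, "PA", 1500))
        pkts.append(Packet(t + 0.001, LOCAL_IP, 51234, "23.21.81.68", 80, "A", 60))
    # Inbound SYN to local port 80 that nothing on this host asked for.
    pkts.append(Packet(2.0, "198.51.100.7", 40000, LOCAL_IP, 80, "S", 60))
    pkts.append(Packet(2.1, "198.51.100.7", 40000, LOCAL_IP, 80, "PA", 500))
    return pkts


if __name__ == "__main__":
    summary = per_remote(build_flows(sample_capture(), LOCAL_IP))
    for ip, t in sorted(summary.items(), key=lambda kv: -kv[1]["bytes_in"]):
        print(f"{ip:16} in={t['bytes_in']:>9} out={t['bytes_out']:>7} "
              f"unsolicited_in={t['unsolicited_in']:>7} flows={t['flows']}")
```

In the sample, everything from 23.21.81.68 sits on a flow the local side opened, which is the situation the `--sport 80 --ctstate ESTABLISHED` rule is written to allow, while the bytes from 198.51.100.7 show up under `unsolicited_in`. One caveat when reading a sniffer's numbers against iptables: on Linux a packet capture taps the interface before the INPUT chain runs, so a captured inbound segment is not proof the firewall accepted it; the `opened_by_local` column, not the byte total, is what corresponds to the rule. Wireshark's Statistics > Conversations view gives the same per-endpoint totals without writing code.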

----------

## nomadicME

Thank you for your help.  Feel a little silly, but I'm just scratching the surface of being more aware of what is going in and out of my network.  I need to get more familiar with wireshark, and I definitely need to find another wx radar site.  Thanks again.

----------

