# help, my isp invoices me twice more because of my bandwidth

## Yamakasi

Hello all,

My isp is charging me twice the cost of my internet modem connection, because I have exceeded the bandwidth in upstream and downstream.

I'm pretty sure they are wrong. For example, my monthly usage report says that I have downloaded 1 gig of data in 4 days and uploaded about 477 meg of data.

Wtf!?!?! (sorry about my language, I'm so frustrated)

I have a gentoo server which shares the internet modem cable connection (1.5) for my home lan (4 computers). I have asked my bros and sis if they had downloaded a lot of stuff during this month, and they didn't...

So here's my question...

I need to monitor how much data goes through my server in download and upload

I need to know from what site the data comes from

I need to know the day/month/year/hour/min/sec of the data that has been transferred

I need to know from which workstation the data has been transferred

What would be the best tool(s) to monitor all that?

Plz help, my isp wants me to pay 92$ for this month...that's crazy

thx a lot

ps: sorry about my poor english, my first language is french

----------

## RagManX

Not sure what tool/tools will give you everything you need, but start out with ntop (it is in portage) to watch how much talking is going on. I think it only gives running totals, but I haven't had much need for it, so I can't say for sure what all it does. I know it can give you up to date usage data, so that will get you started on your quest.

RagManX

----------

## samokk

 *RagManX wrote:*   

> Not sure what tool/tools will give you everything you need, but start out with ntop (it is in portage) to watch how much talking is going on. I think it only gives running totals, but I haven't had much need for it, so I can't say for sure what all it does. I know it can give you up to date usage data, so that will get you started on your quest.
> 
> RagManX

 

I think he's speaking about having something that gives the overall total. ntop (I haven't looked at it, but here's my first impression), on the other hand, is gonna give you information you can get using ifconfig interface / netstat etc

sam

----------

## elendur

I think that MRTG does what you want.

"The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links."

From their web page:

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

----------

## samokk

 *elendur wrote:*   

> I think that MRTG does what you want.
> 
> "The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links."
> 
> From their web page:
> ...

 

Someone here https://forums.gentoo.org/viewtopic.php?p=368295#368295 suggested using telemon.

Sam

----------

## dfuse

About your upload amount... I worked a while for an ISP and lots of people have this problem, it always comes down to one thing: file sharing programs. I don't know what os's your brothers and sisters are running, but a lot of Windows filesharing programs, like WinMX and IMesh, generate a constant upstream, even if you're doing nothing. Also a lot of people don't know you can disable filesharing with other people, or are even aware they are sharing their data with others (this may seem trivial to you, I don't know, but you really wouldn't believe how many people don't know this).

----------

## Yamakasi

thx samokk, I will see what I can do with Telemon

 *Quote:*   

> About your upload amount... I worked a while for an ISP and lots of people have this problem, it always comes down to one thing: file sharing programs. I don't know what os's your brothers and sisters are running, but a lot of Windows filesharing programs, like WinMX and IMesh, generate a constant upstream, even if you're doing nothing. Also a lot of people don't know you can disable filesharing with other people, or are even aware they are sharing their data with others (this may seem trivial to you, I don't know, but you really wouldn't believe how many people don't know this).

 

dfuse, all the os of my lan are windows xp. They use file sharing, but everything is already disabled.

I was just thinking about something else. My bro is a big online Multiplayer Gamer. He spends days and nights playing Warcraft, Wolfenstein etc...

Do u know if Online Games could generate so much traffic??

Thx again all

----------

## dfuse

The upstream generated by games is negligible, they do autopatch sometimes but that doesn't generate that amount of download. I think you'll just have to monitor your network traffic and if you're really sure it isn't the amount your isp says it is, call them. I know there was almost every month something wrong with the isp's traffic monitor when I worked there.

----------

## Yamakasi

I have emerged the tool called "iptraf". Pretty interesting tool. I also found pretty interesting packets which in my opinion get my bandwidth exceeded.

I'm not sure where they are from, that's why I need you guys' opinions....

here's a little screenshot of iptraf (screenshot taken with XV, the only tool that I found to take window screenshots)

[Image: http://207.35.22.148/iptraf/iptraf_udp.gif]

Iptraf has been installed on the gateway, and it's listening to ETH0 which is my Wan interface. My isp is called "Videotron", using a modem cable connection (1.5 m/b). I'm using DHCP to get my ip from the ISP. I'm sharing my bandwidth with 4 workstations all using Windows XP.

As you guys can see, I got a lot of UDP packets. These UDP packets are going in every 2 sec all day long. It's like 377 bytes every two seconds....(1000 bytes = 1 k, 1000 k = 1 meg)

So in 2 days I can easily have 800 megs transferred on my eth0 interface...(it happened last week)

This morning, I have checked my "ifconfig" and I already have received 394.7 meg on my eth0 (rx) with an uptime of 2 days

```
bash-2.05b# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:24:D1:2D:CC
          inet addr:66.131.65.152  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING PROMISC  MTU:1500  Metric:1
          RX packets:2216263 errors:0 dropped:0 overruns:0 frame:0
          TX packets:715157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:574 txqueuelen:100
          RX bytes:413889807 (394.7 Mb)  TX bytes:72073301 (68.7 Mb)
          Interrupt:11 Base address:0xdf00

eth1      Link encap:Ethernet  HWaddr 00:05:5D:E9:80:CE
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:587292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:720903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:52053821 (49.6 Mb)  TX bytes:717651231 (684.4 Mb)
          Interrupt:11 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88464 (86.3 Kb)  TX bytes:88464 (86.3 Kb)

bash-2.05b# uptime
 07:14:27  up 2 days,  7:27,  7 users,  load average: 0.27, 0.19, 0.11
```

I have also stopped ETH1, to be sure no packets are coming from my Lan. I have closed all appz (dock temperature appz, dock email notifications etc..) and services (sshd) that required an internet connection and I was even on console. Launching Iptraf is always telling me that Eth0 is receiving UDP packets on port 67/68 (bootpc/bootps)

my conclusion is that I'm generating no packets! and that it's my ISP's fault...

Well, I really need your opinions on that guys....it's pissing me off to pay 92$ this month because they are saying that I have exceeded the bandwidth

Sorry, for this BIG post!

Have a nice day all!  :Smile: 
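
One way to get the per-workstation, per-site, per-hour byte counts asked for at the top of the thread, with the bootps to bootpc broadcasts kept in their own bucket; this is an added example, not code from any poster. It assumes the one-line text layout of `tcpdump -tttt -n`; the sample lines, their dates and the 203.0.113.x / 198.51.100.x peers are constructed, and the summed `length` field is payload bytes, so totals undercount headers.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # eth1 network shown in the thread

# Constructed sample lines (assumed `tcpdump -tttt -n` one-line text layout).
SAMPLE = """\
2003-06-10 07:14:01.000000 IP 192.168.1.12.1043 > 203.0.113.5.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200
2003-06-10 07:14:01.200000 IP 203.0.113.5.80 > 192.168.1.12.1043: Flags [.], seq 1:1461, ack 201, win 5840, length 1460
2003-06-10 07:14:02.000000 IP 10.66.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 335
2003-06-10 07:15:10.000000 IP 192.168.1.14.1050 > 198.51.100.9.27960: UDP, length 48
2003-06-10 08:02:30.000000 IP 198.51.100.9.27960 > 192.168.1.14.1050: UDP, length 120
2003-06-10 08:02:31.000000 IP 10.66.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 335
not a packet line
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d):\S+ IP (\S+) > (\S+): .*?\blength (\d+)")

def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (address, port); port is None for ICMP etc."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(endpoint), None

def account(lines, lan=LAN):
    """Sum payload bytes per (hour, LAN host, remote peer, direction)."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6, truncated or non-packet lines
        day, hour, src, dst, length = m.groups()
        (src_ip, _), (dst_ip, dst_port) = split_endpoint(src), split_endpoint(dst)
        stamp = f"{day} {hour}h"
        if src_ip in lan and dst_ip not in lan:
            key = (stamp, str(src_ip), str(dst_ip), "up")
        elif dst_ip in lan and src_ip not in lan:
            key = (stamp, str(dst_ip), str(src_ip), "down")
        else:
            # No single workstation involved, e.g. bootps -> bootpc broadcasts.
            key = (stamp, "-", str(src_ip), f"other:dport={dst_port}")
        totals[key] += int(length)
    return dict(totals)

if __name__ == "__main__":
    for key, nbytes in sorted(account(SAMPLE.splitlines()).items()):
        print(*key, nbytes)
```

Workstation rows only appear for traffic captured on the LAN-side interface, because after NAT the WAN interface shows the gateway's own address instead.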

----------

## Yamakasi

So...anybody got an idea for my problem?  :Smile: 

----------

## fusion

it is probably coming from your cable modem or some other network hardware, router or switch maybe?

Being that they are 10.66.0.1 which is a private address. Since you have a lan, disconnect your cable modem and see if they stop or are still happening. If they continue, try disconnecting the other pcs on the lan one by one to see where it's coming from.

Btw some more info about how your lan is set up could help too

edit: I had the same problem which turned out to be my RCA cable modem.

----------

## DrkPlague

that traffic is coming from other people on your local cable node trying to boot over bootp. my advice would be to complain to the ISP and tell them you are receiving that much data from something they SHOULD be filtering out.

or if you are really evil you could run your own bootp server and hijack other people's computers  :Twisted Evil: 

----------

## elzbal

One idea... set up a firewall on your Gentoo box and block anything that you don't need. For example, set up the rules to block all, then explicitly allow certain connections (web, email, your favorite games, etc). This will give you more control over the miscellaneous traffic that certain computers (read: Windows) seem to generate.

----------

## Matje

Setting up a firewall won't help the fact that he is receiving these packages, it'll just drop them, but he will still be accounted for it. I agree with DrkPlague on the fact that you should contact your ISP. However, it isn't a client that's trying to boot. Since it's going from bootps (bootprotocol server) to bootpc (bootprotocol client), it's a broadcast message from some idiot that made his bootserver available on the www  :Wink:  This still is the ISP's problem because they should block broadcast messages from clients.

----------

## Yamakasi

 *Matje wrote:*   

> Setting up a firewall won't help the fact that he is receiving these packages, it'll just drop them, but he will still be accounted for it. I agree with DrkPlague on the fact that you should contact your ISP. However, it isn't a client that's trying to boot. Since it's going from bootps (bootprotocol server) to bootpc (bootprotocol client), it's a broadcast message from some idiot that made his bootserver available on the www  This still is the ISP's problem because they should block broadcast messages from clients.

 

you are right Matje...the firewall doesn't do anything..the udp is still going in. (I have blocked udp packets on 67 and 68)

DrkPlague and you brought some pretty interesting points. I will call my ISP today and give u all a status about it.

However, before calling them, I need to know more about how "BootServer" is working.

From my understanding, Bootserver is a service installed on a server (in my case, some idiot's server on my node) that will permit a workstation (configured in the bios to boot on the network) to get an  IP and then start the OS installation.

Am I right?

Also, does the "BootServer" service always send broadcast packets on the entire network? (like every 2 seconds? that would be crazy!)

----------

## zhenlin

BootP was the predecessor to DHCP, I'm told. Like DHCP, it is based on a broadcast system.

NetBoot utilises BootP or DHCP to get an IP address, and from there proceeds to download a kernel from the server, load it into memory, boot, and mount NFS filesystems.

----------

## Matje

 *Yamakasi wrote:*   

> you are right Matje...

 

I try to be  :Smile: 

 *Quote:*   

> the firewall doesn't do anything..the udp is still going in. (I have blocked udp packets on 67 and 68)
> 
> DrkPlague and you brought some pretty interesting points. I will call my ISP today and give u all a status about it.
> 
> However, before calling them, I need to know more about how "BootServer" is working.
> ...

 

You're right yes. Usually you have a network card or use a floppy so that your network card gets an ip, then it looks for an available kernel on the network (normally gets the info where to get it with the IP) and it boots.

 *Quote:*   

> Also, does the "BootServer" service always send broadcast packets on the entire network? (like every 2 seconds? that would be crazy!)

 

Well... This is the part I don't understand  :Smile:  Normally a server doesn't broadcast its presence. Normally, a client sends out a broadcast requesting an IP (dhcp), and the dhcp server on the server sends back an IP, together with the address where the client should go and pick up the kernel. One could say that maybe there's just another server (ab)using that port but since it's clearly between bootps and bootpc I think it's safe to say that this isn't the case. I just did a quick review of the BOOTP RFC and I didn't see anything about a server broadcasting. However, this is not one of your worries  :Smile:  You should just contact your ISP stating that somebody is broadcasting UDP packets every 2 seconds and that you get accounted for it.

If it helps, imagine what the other guy shall be paying for uploading that many packets  :Laughing: 

----------

## Athlon_Jedi

what it sounds like to me is that some idiot is attempting to set up distributed computing ILLEGALLY and wants to steal bandwidth or the like. Or that the idiot in question wants to set up a cluster using everyone else's system, thus bootp is actively seeking clients that are connected to your node but idle.

I would DEFINITELY bring this to your isp's attention, people like this guy are the reason bit caps exist in the first place.

----------

## MrMullen

I did not follow all of the conversation too much, but I think one of your Windows machines has a Stealth P2P on it and you don't know it.

Over the last 3 years I have found 4 P2P's installed onto my computer without my permission or knowledge. Two, I think, came from pirated software, and two others I have no clue. I would get every computer on the internal network scanned with the VPROT virus scanner (It handles stealth P2P clients) and see what comes up.

----------

