On Fri, Jan 9, 2009 at 5:08 PM, T o n g <mlist4sunt...@yahoo.com> wrote:
> Hi,
>
> I've tried all the network bandwidth monitoring tools that I know to find
> out the unknown network traffic I'm having now. I've tried iftop, netstat,
> lsof and pktstat, and still can't find out the result. Please help.
>
> First, neither of the following commands reveals anything suspicious:
>
> netstat -ap | grep -v ^unix
> lsof -i

Try switching to single-user mode in order to rule out most locally-running
programs and repeating the experiment. At that point you should be able to
just run "tcpdump -n -i blah" (where blah is your outward-facing network
interface, eth0 on my machine here) and eyeball the raw information. Look for
common themes in the local and remote port numbers.

> However, iftop reports:
>
> 192.168.0.100 => 192.168.0.1                   1.95Kb  1.24Kb  1.31Kb
>               <=                               4.71Kb  3.50Kb  3.41Kb

This is internal traffic (or should be - both addresses are unroutable RFC1918
addresses).

> 192.168.0.100 => i118-17-235-161.s10.a024.         0b   130b   108b
>               <=                                   0b   107b    89b
> 192.168.0.100 => 71-15-119-132.dhcp.ftwo.t         0b   127b   106b
>               <=                                   0b   105b    87b
> 192.168.0.100 => 76.105.253.104                  636b   127b   106b
>               <=                                 524b   105b    87b
> 192.168.0.100 => lan31-4-82-227-130-41.fbx         0b   127b   106b
>               <=                                   0b   105b    87b
> 192.168.0.100 => ctv-86-100-215-242.ip.ryg         0b   127b   106b
>               <=                                   0b   105b    87b
> 192.168.0.100 => i038098.gprs.dnafinland.f       636b   127b   106b
>               <=                                 524b   105b    87b
> 192.168.0.100 => host-89-228-137-138.gorzo         0b   127b   106b
>               <=                                   0b   105b   106b

AFAICT most of these are other broadband users. Are you using some kind of
p2p tool? If not, perhaps they are compromised remote systems attempting to
compromise your machine. This would imply that your computer is connected
directly to the Internet, without benefit of a separate firewall device.
That's not such a great idea from a security point of view.

> That's all the tools that I know, then I googled and found pktstat, which
> reports:
>
>   bps   %  desc
> 107.2  0%  icmp unreach port 192.168.0.100 -> 119.40.7.39
> 107.2  0%  icmp unreach port 192.168.0.100 -> 122-121-216-117
> 107.2  0%  icmp unreach port 192.168.0.100 -> 17
> 107.2  0%  icmp unreach port 192.168.0.100 -> 220-136-240-189
> 108.5  0%  icmp unreach port 192.168.0.100 -> 227
> 105.4  0%  icmp unreach port 192.168.0.100 -> 77.81.248.210
> 105.4  0%  icmp unreach port 192.168.0.100 -> 83-157-127-150
> 108.5  0%  icmp unreach port 192.168.0.100 -> 84
>            icmp unreach port 192.168.0.100 -> 87-121-157-166
>  82.8  0%  icmp unreach port 192.168.0.100 -> 93.190.206.248
> 108.5  0%  icmp unreach port 192.168.0.100 -> adsl110-221
> 105.4  0%  icmp unreach port 192.168.0.100 -> bas3-montreal02-1096681363
> 108.5  0%  icmp unreach port 192.168.0.100 -> bau06-5-88-168-64-43
> 107.2  0%  icmp unreach port 192.168.0.100 -> cpc4-neat2-0-0-cust924
> 105.4  0%  icmp unreach port 192.168.0.100 -> host217-43-58-203
>            icmp unreach port 192.168.0.100 -> host70-87-dynamic
> 108.5  0%  icmp unreach port 192.168.0.100 -> host86-137-255-28
> 107.2  0%  icmp unreach port 192.168.0.100 -> i222-150-158-232
>
> My normal network bandwidth is almost 0.

First of all, these are very small numbers. This almost certainly is not a
summary of what's using up all your bandwidth (if that's indeed happening).
But these ICMP port-unreachable errors indicate that the remote systems are
trying to communicate with a network port you're not listening on. Perhaps
they are trying to perform some SQL Server exploit or something like that.

James.
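An added example, not part of the thread, that does the "look for common themes in the port numbers" step James suggests: it reads `tcpdump -n` output, keeps only the ICMP port-unreachable replies the host sends, skips RFC1918 peers (the internal traffic the reply already explains), and tallies which closed port the outside senders keep hitting. The capture text, the local address and the port numbers in it are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of `tcpdump -n -i eth0` output (not a real capture):
# unsolicited UDP datagrams arriving at 192.168.0.100 and the ICMP
# port-unreachable replies the kernel sends back because nothing listens there.
# The probed port numbers are illustrative placeholders.
SAMPLE = """\
17:08:01.000001 IP 119.40.7.39.51234 > 192.168.0.100.1434: UDP, length 376
17:08:01.000050 IP 192.168.0.100 > 119.40.7.39: ICMP 192.168.0.100 udp port 1434 unreachable, length 36
17:08:02.000001 IP 77.81.248.210.40000 > 192.168.0.100.1434: UDP, length 376
17:08:02.000050 IP 192.168.0.100 > 77.81.248.210: ICMP 192.168.0.100 udp port 1434 unreachable, length 36
17:08:03.000001 IP 93.190.206.248.6881 > 192.168.0.100.6881: UDP, length 120
17:08:03.000050 IP 192.168.0.100 > 93.190.206.248: ICMP 192.168.0.100 udp port 6881 unreachable, length 36
17:08:04.000001 IP 192.168.0.1.53 > 192.168.0.100.33333: UDP, length 80
17:08:04.000050 IP 192.168.0.100 > 192.168.0.1: ICMP 192.168.0.100 udp port 33333 unreachable, length 36
17:08:05.000001 IP 76.105.253.104.40000 > 192.168.0.100.1434: UDP, length 376
17:08:05.000050 IP 192.168.0.100 > 76.105.253.104: ICMP 192.168.0.100 udp port 1434 unreachable, length 36
"""

# Matches the ICMP "port unreachable" line tcpdump prints for a closed UDP/TCP port.
UNREACH = re.compile(
    r"IP (?P<local>[\d.]+) > (?P<remote>[\d.]+): ICMP [\d.]+ "
    r"(?P<proto>udp|tcp) port (?P<port>\d+) unreachable"
)


def summarize_unreachables(text, local_ip):
    """Return (ports, peers): how often each closed port drew an ICMP reply
    from local_ip, and how many replies went to each external peer.
    RFC1918 peers are skipped, since that traffic is internal to the LAN."""
    ports, peers = Counter(), Counter()
    for line in text.splitlines():
        m = UNREACH.search(line)
        if not m or m["local"] != local_ip:
            continue
        if ip_address(m["remote"]).is_private:
            continue
        ports[(m["proto"], int(m["port"]))] += 1
        peers[m["remote"]] += 1
    return ports, peers


if __name__ == "__main__":
    ports, peers = summarize_unreachables(SAMPLE, "192.168.0.100")
    print("closed ports being hit:", ports.most_common())
    print("distinct external senders:", len(peers))
```

A single port with many distinct senders is the "common theme" worth comparing against the services you actually run; the same parse applies to a live `tcpdump -n -i eth0 icmp` pipe.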