Stealth Network Activity

Discussion in 'Mac Apps and Mac App Store' started by svenas1, Sep 16, 2004.

  1. svenas1 macrumors member

    Joined:
    Dec 17, 2003
    #1
    Hi all,

    my system is using some kind of bandwidth (2.4 KB/sec), even when nothing other than the Finder is running. I think this is fairly new, because I always have the 'menu meters' running and watch them constantly. Activity Monitor also tells me that my network is active, receiving about 48 packets per second.

    How can I check which process is accessing the net? Are there any known culprits? I could post a list of processes that Activity Monitor or top says are running.

    Any takers?
    Cheers,
    Sven
     
  2. tomf87 macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #2
    I'd try out NetBarrier X 3. It will tell you exactly what apps are accessing the net.

    You could also do a:

    lsof -i4 -n -P

    from Terminal to get the list of processes opening ports.
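As an added example (not from tomf87 or anyone else in the thread), here is a small parser for the output of the lsof command suggested above, which turns it into a per-process list of listening sockets and established connections, which is the thing you actually want to know when hunting a chatty process. The lsof output it parses is a constructed sample, not a real capture; with -n and -P lsof keeps addresses and ports numeric, which is what makes the NAME column easy to parse.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of 'lsof -i4 -n -P' output (not from a real machine).
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari       4121  sven   12u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 10.1.1.45:49213->203.0.113.7:443 (ESTABLISHED)
Safari       4121  sven   14u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 10.1.1.45:49214->203.0.113.7:443 (ESTABLISHED)
cupsd         312  root    7u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 127.0.0.1:631 (LISTEN)
mDNSResponder 201  root    8u  IPv4 0x1a2b3c4d5e6f7084      0t0  UDP *:5353
sshd          455  root    4u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP *:22 (LISTEN)
"""


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str             # "TCP" or "UDP" (lsof's NODE column)
    local: str             # "addr:port" exactly as lsof prints it
    remote: Optional[str]  # None for listeners and unconnected UDP sockets
    state: Optional[str]   # "LISTEN", "ESTABLISHED", ... or None when lsof prints none


def parse_lsof(text):
    """Parse 'lsof -i4 -n -P' output into Socket records, skipping the header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # Eight whitespace-separated columns precede NAME. NAME itself may contain
        # a space before the parenthesised state, so split at most 8 times.
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        command, pid, user, _fd, _type, _device, _size, node, name = parts
        endpoint, _, state = name.partition(" (")
        state = state.rstrip(")") or None
        local, _, remote = endpoint.partition("->")
        sockets.append(Socket(command, int(pid), user, node, local, remote or None, state))
    return sockets


def listeners(sockets):
    """Sockets that accept traffic from outside: TCP in LISTEN, or UDP with no peer."""
    return [s for s in sockets
            if s.state == "LISTEN" or (s.proto == "UDP" and s.remote is None)]


def connections(sockets):
    """Established TCP connections grouped by (command, pid)."""
    by_proc = defaultdict(list)
    for s in sockets:
        if s.state == "ESTABLISHED":
            by_proc[(s.command, s.pid)].append(s.remote)
    return dict(by_proc)


def remote_peers(sockets):
    """How many connections each process holds to each remote host (port stripped)."""
    peers = Counter()
    for s in sockets:
        if s.remote:
            host = s.remote.rsplit(":", 1)[0]
            peers[(s.command, host)] += 1
    return peers


if __name__ == "__main__":
    socks = parse_lsof(SAMPLE_LSOF)
    print("listening:")
    for s in listeners(socks):
        print(f"  {s.command:14} pid {s.pid:<6} {s.proto} {s.local}")
    print("connected:")
    for (cmd, pid), remotes in connections(socks).items():
        print(f"  {cmd:14} pid {pid:<6} -> {', '.join(remotes)}")
```

Run it against real output with `lsof -i4 -n -P | python3 thisfile.py` after swapping SAMPLE_LSOF for sys.stdin.read(); a process with no socket in this list but visible traffic on the wire is the hint, as the thread goes on to find, that the packets are not this machine's at all.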
     
  3. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #3
    Thanks, that was what I was looking for. But now, even though lsof says nothing is open, my network is receiving stuff. I haven't tried NetBarrier X yet. I'll give it a try.
     
  4. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #4
    Odds are that your computer isn't at fault, if the lsof command shows nothing. You said you're noticing incoming packets, not outgoing packets, correct? If that's the case, some device(s) somewhere on the internet is/are sending you packets. I've never used NetBarrier X myself, but it might help you identify where the packets are coming from.
     
  5. tomf87 macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #5
    Get your IP address by 'ifconfig -a' from Terminal.

    Then do a:

    sudo tcpdump -i en0 -n -q (Ethernet only)

    or

    sudo tcpdump -i en1 -n -q (AirPort)

    You'll get output similar to this, with more lines of course:

    16:11:34.591486 IP 10.1.1.45.4275 > 203.51.193.14.6346: tcp 0

    If your IP is 10.1.1.45, in this case you are sending traffic, since your IP is on the left side of the '>'.

    If you are receiving traffic, it will look similar to this, where your IP is on the right side of the '>':

    16:11:34.604859 IP 68.55.134.213.6346 > 10.1.1.45.4147: tcp 31

    If you would like me to take a look at a dump, just post the output of:

    sudo tcpdump -i en0 -n

    or

    sudo tcpdump -i en1 -n

    (just leaving off the -q option)
     
  6. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #6
    Thanks, all very helpful! This is what I get:
    22:23:35.229465 IP 10.132.23.254.520 > 224.0.0.9.520: RIPv2, Response, length: 464
    22:22:29.884605 arp who-has 82.4.144.2 tell 82.4.144.254

    (many copies of the last line, repeating itself with different numbers in the first IP address - the last item behind the dot, e.g. 82.4.144.96 tell 82.4.144.254 or 82.4.144.192 tell 82.4.144.254, etc.)

    It seems something is going on here...
     
  7. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #7
    PS: how do I stop the tcpdump command?

    EDIT: ok, ctrl-c.
    :)
     
  8. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #8
    Yes, I understand, thanks. Can you make sense out of the results of the tcpdump command? What is up with arp being in there? The manfile tells me that there are many requests for an ethernet address coming in, but that no answers are going out (no 'arp reply...').

    If I do a tcpdump -e, it appears a long list of IP addresses from my provider (ntl) are being asked, more or less at random. Is someone trying to find a hole? (Should I get worried?)

    Thanks all.
     
  9. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #9
    I looked at your output, and I think I know what is happening. It looks like your router thinks that your Mac is also a router, and is sending/forwarding RIP and ARP packets to it (RIP and ARP are routing protocols that only routers understand).
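An added example, written for this thread rather than taken from any of the posts, that turns tomf87's reading rule from #5 (your address on the left of '>' means you are sending, on the right means you are receiving) into a small classifier for tcpdump -n output, and applies it to the RIPv2 and ARP lines Sven posted in #6. Lines where the local address appears on neither side are counted separately, because those are the "not actually aimed at you" packets wrldwzrd89 describes. The local address 10.1.1.45 is assumed (it is the address from tomf87's example), and SAMPLE_DUMP is a constructed mix of the lines quoted in the thread plus a couple of made-up ARP lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed local address, as you would read it from 'ifconfig -a'.
LOCAL_IP = "10.1.1.45"

# Constructed sample in the format 'tcpdump -n' prints. The first four lines are
# modelled on the ones quoted in the thread; the last two are invented.
SAMPLE_DUMP = """\
16:11:34.591486 IP 10.1.1.45.4275 > 203.51.193.14.6346: tcp 0
16:11:34.604859 IP 68.55.134.213.6346 > 10.1.1.45.4147: tcp 31
22:23:35.229465 IP 10.132.23.254.520 > 224.0.0.9.520: RIPv2, Response, length: 464
22:22:29.884605 arp who-has 82.4.144.2 tell 82.4.144.254
22:22:30.101223 arp who-has 82.4.144.96 tell 82.4.144.254
22:22:30.355901 arp who-has 82.4.144.192 tell 82.4.144.254
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"  (with or without -q)
IP_LINE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "<time> arp who-has <target> tell <asker>"
ARP_LINE = re.compile(
    rf"^(?P<ts>\S+) arp who-has (?P<target>{IPV4}) tell (?P<asker>{IPV4})$"
)


@dataclass
class Packet:
    kind: str    # outbound, inbound, multicast, arp-request, other
    peer: str    # the address on the far side of the packet
    detail: str  # whatever tcpdump printed after the addresses


def classify(line, local_ip=LOCAL_IP):
    """Work out which side of '>' the local host is on, or flag traffic not aimed at it."""
    m = IP_LINE.match(line)
    if m:
        src, dst, rest = m["src"], m["dst"], m["rest"]
        if src == local_ip:
            return Packet("outbound", dst, rest)      # local address left of '>'
        if dst == local_ip:
            return Packet("inbound", src, rest)       # local address right of '>'
        if ip_address(dst).is_multicast:
            return Packet("multicast", src, rest)     # e.g. RIPv2 to 224.0.0.9
        return Packet("other", src, rest)             # neither side is us
    m = ARP_LINE.match(line)
    if m:
        # ARP requests are broadcast; the asker is the interesting address.
        return Packet("arp-request", m["asker"], f"who-has {m['target']}")
    return None   # line in a format this example does not handle


def summarize(text, local_ip=LOCAL_IP):
    """Count packets by kind and by (kind, peer), and tally those not addressed to us."""
    by_kind, by_peer = Counter(), Counter()
    for line in text.splitlines():
        pkt = classify(line, local_ip)
        if pkt is None:
            continue
        by_kind[pkt.kind] += 1
        by_peer[(pkt.kind, pkt.peer)] += 1
    not_for_us = sum(n for k, n in by_kind.items() if k not in ("inbound", "outbound"))
    return {"by_kind": by_kind, "by_peer": by_peer, "not_addressed_to_us": not_for_us}


if __name__ == "__main__":
    s = summarize(SAMPLE_DUMP)
    for kind, n in s["by_kind"].most_common():
        print(f"{kind:12} {n}")
    print("packets not addressed to this host:", s["not_addressed_to_us"])
    for (kind, peer), n in s["by_peer"].most_common(3):
        print(f"{n:3}  {kind:12} {peer}")
```

On the sample, four of the six packets are neither to nor from 10.1.1.45, and the top peer is 82.4.144.254 asking the same ARP question over and over; that is the "your router thinks you are a router" pattern, and it shows up as counter noise in Activity Monitor even though lsof on the Mac shows nothing open.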
     
  10. aswitcher macrumors 603

    aswitcher

    Joined:
    Oct 8, 2003
    Location:
    Canberra OZ
    #10

    Would you recommend NetBarrier over other firewalls for the Mac? I've used Norton's in the PC world and know what to expect. Does NetBarrier have better features?
     
  11. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #11
    Any way to remedy this?
     
  12. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #12
    It depends on if the offending router is yours or not. The best way to verify whether or not the router is yours is to do a traceroute to it (usage: traceroute ip_address_of_router). Look at the number of hops required to reach the router. If only one was needed, it's yours. If more than one was required, it probably isn't your router.

    If your router is causing the problem, there are three things you could try doing:
    1. Reconfigure the router.
    2. Block the packets at the firewall.
    3. Combine options 1 and 2.

    If it isn't yours, option #2 is the only thing you can do on your end. If you know who owns the router (for example, it belongs to your ISP), you can notify them of the problem so they can fix it.
     
  13. svenas1 thread starter macrumors member

    Joined:
    Dec 17, 2003
    #13

    Thanks. The router definitely isn't mine, and the traceroute apparently didn't get to the router in 12 hops. So I'll ring my ISP.

    Thanks to all - and greetings to Ohio from rainy England!
    cheers,
    Sven
     
  14. tomf87 macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #14
    I like NetBarrier because it allows per-application access to and from the network. It just doesn't do port/IP blocking.
     