SystemUIServer receiving a large amount of network data

Discussion in 'macOS' started by thomasp, Nov 26, 2006.

  1. thomasp macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #1
    I've noticed this a couple of times but actually managed to find out what was causing it today.

    I'm on a university halls LAN (wired) connection - 10Mbit up/down and have sometimes noticed very high internet usage in Activity Monitor despite me not really browsing that much. When I noticed the Data Received was about 500Mb greater than it should have been and there was a steady 50 - 65Kb/sec stream of data being received even when no apps were using a large amount of bandwidth, I went investigating.

    After quitting all applications and anything that might use the internet (including rebooting the dock & dashboard), I somehow came down to the SystemUIServer process in Activity Monitor. Quitting this (with it instantly restarting, as expected) stopped the steady flow of network traffic in and things went back to their usual idle.


    Is this common for SystemUIServer - I've only noticed this a couple of times? Should I look into things more closely, and if so, where should I start looking? Is there any way to stop it from doing this, as obviously I don't want my network admins coming down on top of me for using excessive bandwidth (they are very strict on P2P and have been disconnecting a lot of people for excessive filesharing and are starting to disconnect people who even just have P2P software installed on their computer but never use it)


    Thanks for the help :)


    Edit:

    Sorry, forgot to mention: I'm using OSX 10.4.5. Applications used today include Dashboard, Mail, Safari, iTunes, Adium, DVD Player, Word and Excel.
     
  2. WildCowboy Administrator/Editor

    WildCowboy

    Staff Member

    Joined:
    Jan 20, 2005
    #2
    SystemUIServer controls several things, one of which are the Menu Extras in the right side of the menu bar. What do you have up there?

    It also handles external devices...do you have anything like an iPod or external hard drive connected to your computer?
     
  3. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #3
    Thanks for the reply :)

    Just the standard ones: Spotlight, Battery status, clock, keyboard, wireless (off), sound, displays, Bluetooth (off). And ClamXav (quit this, problem still persisted), Temperature monitor (quit and problem still persisted) and Adium (quit and problem still persisted)


    I plugged my external LaCie FW drive in earlier today, but I've seen this problem before I had that drive (only got it a couple of weeks ago). Will find it and try now.


    Edit:

    Nope, plugging the FW drive in didn't cause any change. Currently, the data in is idling around 100 bytes/sec, which is normal.
     
  4. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #4
    Update:

    It would appear that it is not SystemUIServer.

    I woke my laptop up from sleep just now, started Adium, Mail and Safari and noticed once everything had settled down that there was this 55Kb/sec being received through my ethernet socket.

    Tried quitting SUIS and that didn't stop it. Even tried logging out and in and that didn't stop it.


    Is there any way I can trace where this data is coming from or what's using my ethernet socket?


    For the record, I am connected to a university halls network.
     
  5. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #5
    I'd start with a mix of "lsof -i" and "netstat -an" to see exactly what is listening and responding on the network stack.
     
  6. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #6
    Sorry for the stupid question, but what should I be looking for when I do that?


    Also, after quitting all open apps, and logging out and restarting the 3 main apps, as mentioned in my previous post, Safari (2.0.3) decided to hang. After force quitting this, the data transfer disappered. In exactly the same way as when I quitted SystemUIServer yesterday (although doing that today had no effect).
     
  7. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #7
    What processes might be talking on the network.

    FWIW, if you use Bonjour in any capacity, it's definitely blasting away at the network looking for device to answer.
     
  8. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #8
    Never used Bonjour in my life! Don't even know where it is or what it does :D


    I may have got a solution from Apple Discussions - a Java exploit hack thingy in Safari causes a DoS: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6015 Just got to find out how to stop it...
     
  9. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #9
    How exactly would a buffer overflow cause excess data bandwidth usage?

    You realize that even though you have no applications running, there are still plenty of background processes that can consume bandwidth?
     
  10. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #10
    Bonjour is TCP polling for devices/apps on a network. Similar to AppleTalk, but TCP and better. Err sexier. Err better.

    Anyway, it's on by default, so whether you use it or not, it's there. It's commonly referred to as mDNS as a process. That is "multicast DNS".

    iChat uses it, iTunes uses it (I believe), Printer Utility uses it, etc.

    While that could be your issue.. do you surf anything that could have caused to you to get exploited like this?
    I mean, that's pretty far fetched, I have to say.
     
  11. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #11
    I don't know :)

    Yes, but for all bar these three or four times that I've noticed when nothing is open my bandwidth usage is idling at bytes per second - usually 60 - 300 bytes/sec. However, whenever this problem arises, it "idles" at 55+Kb/sec

    I assume it's listed as "mDNSResponder" in Activity Monitor?

    Well, the problem today flared up when I'd only been browsing MacRumors on Safari (and come to think of it, it could have been from MR yesterday as well...). I noticed the abnormal data transfer after browsing the MR forums (specifically this thread and forum spy), quit Safari, quit everything else, logged off, logged back in, saw the abnormal data transfer was still there, gave up, opened Safari, browsed another forum on Safari which then promptly crashed (Safari, that is), then the abnormal data transfer mysteriously disappeared!
     
  12. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #12
    Yes, that's the one listening for Bonjour requests.


    Well, that doesn't make much sense since it was still there when you quit Safari and logged out. You should be restarting and starting from scratch when you look for these types of issues. Again.. keep it simple. Restart. Check for activity. Use lsof -i for hints. Use ethereal to sniff the traffic from your computer. Etc. Also, see if this is an issue when logged in as another user.
     
  13. thomasp thread starter macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #13
    Probelm happens after reboot and when logged in as another user. Although it only seems to start after about 1pm... I might get onto my netadmin about this...

    lsof -i doesn't show anything when this occurs.


    Also, it was suggested on Apple Discussions that I use Little Snitch to monitor what's going on. This also didn't detect anything, apart from when I booted up safari and it came up with "SyndicationAgent" - I'm guessing this is a Safari RSS thing, as it's not running any more in Activity Monitor.


    Think I'm going to try an update to OSX 10.4.8 in a bit...
     
  14. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR

Share This Page