
svenas1

macrumors member
Original poster
Dec 17, 2003
Hi all,

my system is using some kind of bandwidth (2.4 KB/sec), even when nothing other than the Finder is running. I think this is fairly new, because I always have the 'menu meters' running and watch them constantly. Activity Monitor also tells me that my network is active, receiving about 48 packets per second.

How can I check which process is accessing the net? Are there any known culprits? I could post a list of processes that Activity Monitor or top says are running.

Any takers?
Cheers,
Sven
 
svenas1 said:
Hi all,

my system is using some kind of bandwidth (2.4 KB/sec), even when nothing other than the Finder is running. I think this is fairly new, because I always have the 'menu meters' running and watch them constantly. Activity Monitor also tells me that my network is active, receiving about 48 packets per second.

How can I check which process is accessing the net? Are there any known culprits? I could post a list of processes that Activity Monitor or top says are running.

Any takers?
Cheers,
Sven

I'd try out NetBarrier X 3. It will tell you exactly what apps are accessing the net.

You could also do a:

lsof -i4 -n -P

from Terminal to get the list of processes opening ports.
 
tomf87 said:
I'd try out NetBarrier X 3. It will tell you exactly what apps are accessing the net.

You could also do a:

lsof -i4 -n -P

from Terminal to get the list of processes opening ports.

Thanks, that was what I was looking for. But now, even though lsof says nothing is open, my network is receiving stuff. I haven't tried NetBarrierX yet. I'll give it a try.
 
svenas1 said:
Thanks, that was what I was looking for. But now, even though lsof says nothing is open, my network is receiving stuff. I haven't tried NetBarrierX yet. I'll give it a try.

Odds are that your computer isn't at fault, if the lsof command shows nothing. You said you're noticing incoming packets, not outgoing packets, correct? If that's the case, some device(s) somewhere on the internet is/are sending you packets. I've never used NetBarrier X myself, but it might help you identify where the packets are coming from.
 
wrldwzrd89 said:
Odds are that your computer isn't at fault, if the lsof command shows nothing. You said you're noticing incoming packets, not outgoing packets, correct? If that's the case, some device(s) somewhere on the internet is/are sending you packets. I've never used NetBarrier X myself, but it might help you identify where the packets are coming from.

Get your IP address by 'ifconfig -a' from terminal.

Then do a:

sudo tcpdump -i en0 -n -q (ethernet only)

or

sudo tcpdump -i en1 -n -q (airport)

You'll get output similar to this, with more lines of course:
Code:
16:11:34.591486 IP 10.1.1.45.4275 > 203.51.193.14.6346: tcp 0

If your IP is 10.1.1.45, in this case you are sending traffic, since your IP is on the left side of the '>'.

If you are receiving traffic, it will look similar to this, where your IP is on the right side of the '>':
Code:
16:11:34.604859 IP 68.55.134.213.6346 > 10.1.1.45.4147: tcp 31

If you would like me to take a look at a dump, just post the output of:

sudo tcpdump -i en0 -n

or

sudo tcpdump -i en1 -n

(just leaving off the -q option)
 
tomf87 said:
Get your IP address by 'ifconfig -a' from terminal.

Then do a:

sudo tcpdump -i en0 -n -q (ethernet only)

or

sudo tcpdump -i en1 -n -q (airport)

You'll get output similar to this, with more lines of course:
Code:
16:11:34.591486 IP 10.1.1.45.4275 > 203.51.193.14.6346: tcp 0

If your IP is 10.1.1.45, in this case you are sending traffic, since your IP is on the left side of the '>'.

If you are receiving traffic, it will look similar to this, where your IP is on the right side of the '>':
Code:
16:11:34.604859 IP 68.55.134.213.6346 > 10.1.1.45.4147: tcp 31

If you would like me to take a look at a dump, just post the output of:

sudo tcpdump -i en0 -n

or

sudo tcpdump -i en1 -n

(just leaving off the -q option)

Thanks, all very helpful! This is what I get:
22:23:35.229465 IP 10.132.23.254.520 > 224.0.0.9.520: RIPv2, Response, length: 464
22:22:29.884605 arp who-has 82.4.144.2 tell 82.4.144.254

(many of the last line, repeating itself with different numbers in the first IP address - last item behind the dot. e.g. 82.4.144.96 tell 82.4.144.254 or 82.4.144.192 tell 82.4.144.254 etc)

It seems something is going on here..
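
An added example, not part of any post in this thread: a small Python script that sorts tcpdump -n lines into outbound, inbound and broadcast/multicast traffic relative to the local address, run over the lines quoted above. The function names and the choice of 10.1.1.45 as the local address (borrowed from the sample output earlier in the thread) are assumptions of the example. ARP who-has requests and RIPv2 updates to 224.0.0.9 are delivered to every host on the segment, so they count as received packets even when lsof shows no open sockets.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n prints IPv4 endpoints as addr.port, e.g. 10.1.1.45.4275
IP_LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
# Old "arp who-has X tell Y" and newer "ARP, Request who-has X tell Y"
ARP_REQ = re.compile(r"^\S+ arp(?:, request)? who-has ([\d.]+) tell ([\d.]+)", re.I)

def classify(line, local_ip):
    """Return (category, sender) for one tcpdump -n line."""
    m = ARP_REQ.match(line)
    if m:
        target, sender = m.groups()
        return ("arp-for-me" if target == local_ip else "arp-for-other"), sender
    m = IP_LINE.match(line)
    if not m:
        return "unparsed", None
    src, dst = m.groups()
    if src == local_ip:
        return "outbound", src
    if dst == local_ip:
        return "inbound", src
    if ipaddress.ip_address(dst).is_multicast or dst == "255.255.255.255":
        return "multicast/broadcast", src
    return "other", src

def summarize(lines, local_ip):
    """Count lines per category, and per sender for traffic not sent by this host."""
    categories, senders = Counter(), Counter()
    for line in lines:
        category, sender = classify(line.strip(), local_ip)
        categories[category] += 1
        if sender and category != "outbound":
            senders[sender] += 1
    return categories, senders

# Lines quoted in the thread; the last two ARP timestamps are constructed.
SAMPLE = """\
16:11:34.591486 IP 10.1.1.45.4275 > 203.51.193.14.6346: tcp 0
16:11:34.604859 IP 68.55.134.213.6346 > 10.1.1.45.4147: tcp 31
22:23:35.229465 IP 10.132.23.254.520 > 224.0.0.9.520: RIPv2, Response, length: 464
22:22:29.884605 arp who-has 82.4.144.2 tell 82.4.144.254
22:22:30.101000 arp who-has 82.4.144.96 tell 82.4.144.254
22:22:30.352000 arp who-has 82.4.144.192 tell 82.4.144.254
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.1.1.45"))  # assumed local address
```

To use it on a live capture, save the tcpdump output to a file and pass its lines to summarize() together with the address reported by ifconfig.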
 
tomf87 said:
Get your IP address by 'ifconfig -a' from terminal.

Then do a:

sudo tcpdump -i en0 -n -q (ethernet only)

PS: how do I stop the tcpdump command ?

EDIT: ok, ctrl-c.
:)
 
wrldwzrd89 said:
Odds are that your computer isn't at fault, if the lsof command shows nothing. You said you're noticing incoming packets, not outgoing packets, correct? If that's the case, some device(s) somewhere on the internet is/are sending you packets. I've never used NetBarrier X myself, but it might help you identify where the packets are coming from.

Yes, I understand, thanks. Can you make sense out of the results of the tcpdump command? What is up with arp being in there? The manfile tells me that there are many requests for an ethernet address coming in, but that no answers are going out. (no 'arp reply...').

If I do a tcpdump -e, it appears a long list of IP addresses from my provider (ntl) are being asked, more or less at random. Is someone trying to find a hole? (Should I get worried?)

Thanks all.
 
svenas1 said:
Yes, I understand, thanks. Can you make sense out of the results of the tcpdump command? What is up with arp being in there? The manfile tells me that there are many requests for an ethernet address coming in, but that no answers are going out. (no 'arp reply...').

If I do a tcpdump -e, it appears a long list of IP addresses from my provider (ntl) are being asked, more or less at random. Is someone trying to find a hole? (Should I get worried?)

Thanks all.

I looked at your output, and I think I know what is happening. It looks like your router thinks that your Mac is also a router, and is sending/forwarding RIP and ARP packets to it (RIP and ARP are routing protocols that only routers understand).
 
tomf87 said:
I'd try out NetBarrier X 3. It will tell you exactly what apps are accessing the net.

Would you recommend NetBarrier over other firewalls for the Mac? I've used Nortons in the PC world and know what to expect. Does NetBarrier have better features?
 
wrldwzrd89 said:
I looked at your output, and I think I know what is happening. It looks like your router thinks that your Mac is also a router, and is sending/forwarding RIP and ARP packets to it (RIP and ARP are routing protocols that only routers understand).

Any way to remedy this?
 
svenas1 said:
Any way to remedy this?

It depends on if the offending router is yours or not. The best way to verify whether or not the router is yours is to do a traceroute to it (usage: traceroute ip_address_of_router). Look at the number of hops required to reach the router. If only one was needed, it's yours. If more than one was required, it probably isn't your router.

If your router is causing the problem, there are three things you could try doing:
1. Reconfigure the router.
2. Block the packets at the firewall.
3. Combine options 1 and 2.

If it isn't yours, option #2 is the only thing you can do on your end. If you know who owns the router (for example, it belongs to your ISP), you can notify them of the problem so they can fix it.
 
wrldwzrd89 said:
It depends on if the offending router is yours or not. The best way to verify whether or not the router is yours is to do a traceroute to it (usage: traceroute ip_address_of_router). Look at the number of hops required to reach the router. If only one was needed, it's yours. If more than one was required, it probably isn't your router.

If your router is causing the problem, there are three things you could try doing:
1. Reconfigure the router.
2. Block the packets at the firewall.
3. Combine options 1 and 2.

If it isn't yours, option #2 is the only thing you can do on your end. If you know who owns the router (for example, it belongs to your ISP), you can notify them of the problem so they can fix it.


Thanks. The router definitely isn't mine, and the traceroute apparently didn't get to the router in 12 hops. So I'll ring my ISP.

Thanks to all - and greetings to Ohio from rainy England!
cheers,
Sven
 
aswitcher said:
Would you recommend NetBarrier over other firewalls for the Mac? I've used Nortons in the PC world and know what to expect. Does NetBarrier have better features?

I like NetBarrier because it allows a per-application access to and from the network. It just doesn't do port/IP blocking.
 