Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

SystemUIServer receiving a large amount of network data

T

thomasp

macrumors 6502a
Original poster
Sep 18, 2004
654
1
UK
I've noticed this a couple of times but actually managed to find out what was causing it today.

I'm on a university halls LAN (wired) connection - 10Mbit up/down and have sometimes noticed very high internet usage in Activity Monitor despite me not really browsing that much. When I noticed the Data Received was about 500Mb greater than it should have been and there was a steady 50 - 65Kb/sec stream of data being received even when no apps were using a large amount of bandwidth, I went investigating.

After quitting all applications and anything that might use the internet (including rebooting the dock & dashboard), I somehow came down to the SystemUIServer process in Activity Monitor. Quitting this (with it instantly restarting, as expected) stopped the steady flow of network traffic in and things went back to their usual idle.


Is this common for SystemUIServer - I've only noticed this a couple of times? Should I look into things more closely, and if so, where should I start looking? Is there any way to stop it from doing this, as obviously I don't want my network admins coming down on top of me for using excessive bandwidth (they are very strict on P2P and have been disconnecting a lot of people for excessive filesharing and are starting to disconnect people who even just have P2P software installed on their computer but never use it)


Thanks for the help :)


Edit:

Sorry, forgot to mention: I'm using OSX 10.4.5. Applications used today include Dashboard, Mail, Safari, iTunes, Adium, DVD Player, Word and Excel.
 
SystemUIServer controls several things, one of which are the Menu Extras in the right side of the menu bar. What do you have up there?

It also handles external devices...do you have anything like an iPod or external hard drive connected to your computer?
 
Thanks for the reply :)

WildCowboy said:
SystemUIServer controls several things, one of which are the Menu Extras in the right side of the menu bar. What do you have up there?
Click to expand...

Just the standard ones: Spotlight, Battery status, clock, keyboard, wireless (off), sound, displays, Bluetooth (off). And ClamXav (quit this, problem still persisted), Temperature monitor (quit and problem still persisted) and Adium (quit and problem still persisted)

WildCowboy said:
It also handles external devices...do you have anything like an iPod or external hard drive connected to your computer?
Click to expand...


I plugged my external LaCie FW drive in earlier today, but I've seen this problem before I had that drive (only got it a couple of weeks ago). Will find it and try now.


Edit:

Nope, plugging the FW drive in didn't cause any change. Currently, the data in is idling around 100 bytes/sec, which is normal.
 
Update:

It would appear that it is not SystemUIServer.

I woke my laptop up from sleep just now, started Adium, Mail and Safari and noticed once everything had settled down that there was this 55Kb/sec being received through my ethernet socket.

Tried quitting SUIS and that didn't stop it. Even tried logging out and in and that didn't stop it.


Is there any way I can trace where this data is coming from or what's using my ethernet socket?


For the record, I am connected to a university halls network.
 
I'd start with a mix of "lsof -i" and "netstat -an" to see exactly what is listening and responding on the network stack.
 
yellow said:
I'd start with a mix of "lsof -i" and "netstat -an" to see exactly what is listening and responding on the network stack.
Click to expand...

Sorry for the stupid question, but what should I be looking for when I do that?


Also, after quitting all open apps, and logging out and restarting the 3 main apps, as mentioned in my previous post, Safari (2.0.3) decided to hang. After force quitting this, the data transfer disappered. In exactly the same way as when I quitted SystemUIServer yesterday (although doing that today had no effect).
 
thomasp said:
Sorry for the stupid question, but what should I be looking for when I do that?
Click to expand...

What processes might be talking on the network.

FWIW, if you use Bonjour in any capacity, it's definitely blasting away at the network looking for device to answer.
 
yellow said:
What processes might be talking on the network.

FWIW, if you use Bonjour in any capacity, it's definitely blasting away at the network looking for device to answer.
Click to expand...

Never used Bonjour in my life! Don't even know where it is or what it does :D


I may have got a solution from Apple Discussions - a Java exploit hack thingy in Safari causes a DoS: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6015 Just got to find out how to stop it...
 
thomasp said:
Never used Bonjour in my life! Don't even know where it is or what it does :D


I may have got a solution from Apple Discussions - a Java exploit hack thingy in Safari causes a DoS: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6015 Just got to find out how to stop it...
Click to expand...

How exactly would a buffer overflow cause excess data bandwidth usage?

You realize that even though you have no applications running, there are still plenty of background processes that can consume bandwidth?
 
Bonjour is TCP polling for devices/apps on a network. Similar to AppleTalk, but TCP and better. Err sexier. Err better.

Anyway, it's on by default, so whether you use it or not, it's there. It's commonly referred to as mDNS as a process. That is "multicast DNS".

iChat uses it, iTunes uses it (I believe), Printer Utility uses it, etc.

While that could be your issue.. do you surf anything that could have caused to you to get exploited like this?
I mean, that's pretty far fetched, I have to say.
 
kingjr3 said:
How exactly would a buffer overflow cause excess data bandwidth usage?
Click to expand...

I don't know :)

kingjr3 said:
You realize that even though you have no applications running, there are still plenty of background processes that can consume bandwidth?
Click to expand...

Yes, but for all bar these three or four times that I've noticed when nothing is open my bandwidth usage is idling at bytes per second - usually 60 - 300 bytes/sec. However, whenever this problem arises, it "idles" at 55+Kb/sec

yellow said:
Bonjour is TCP polling for devices/apps on a network. Similar to AppleTalk, but TCP and better. Err sexier. Err better.

Anyway, it's on by default, so whether you use it or not, it's there. It's commonly referred to as mDNS as a process. That is "multicast DNS".
Click to expand...

I assume it's listed as "mDNSResponder" in Activity Monitor?

yellow said:
While that could be your issue.. do you surf anything that could have caused to you to get exploited like this?
I mean, that's pretty far fetched, I have to say.
Click to expand...

Well, the problem today flared up when I'd only been browsing MacRumors on Safari (and come to think of it, it could have been from MR yesterday as well...). I noticed the abnormal data transfer after browsing the MR forums (specifically this thread and forum spy), quit Safari, quit everything else, logged off, logged back in, saw the abnormal data transfer was still there, gave up, opened Safari, browsed another forum on Safari which then promptly crashed (Safari, that is), then the abnormal data transfer mysteriously disappeared!
 
thomasp said:
I assume it's listed as "mDNSResponder" in Activity Monitor?
Click to expand...

Yes, that's the one listening for Bonjour requests.


thomasp said:
Well, the problem today flared up when I'd only been browsing MacRumors on Safari (and come to think of it, it could have been from MR yesterday as well...). I noticed the abnormal data transfer after browsing the MR forums (specifically this thread and forum spy), quit Safari, quit everything else, logged off, logged back in, saw the abnormal data transfer was still there, gave up, opened Safari, browsed another forum on Safari which then promptly crashed (Safari, that is), then the abnormal data transfer mysteriously disappeared!
Click to expand...

Well, that doesn't make much sense since it was still there when you quit Safari and logged out. You should be restarting and starting from scratch when you look for these types of issues. Again.. keep it simple. Restart. Check for activity. Use lsof -i for hints. Use ethereal to sniff the traffic from your computer. Etc. Also, see if this is an issue when logged in as another user.
 
Probelm happens after reboot and when logged in as another user. Although it only seems to start after about 1pm... I might get onto my netadmin about this...

lsof -i doesn't show anything when this occurs.


Also, it was suggested on Apple Discussions that I use Little Snitch to monitor what's going on. This also didn't detect anything, apart from when I booted up safari and it came up with "SyndicationAgent" - I'm guessing this is a Safari RSS thing, as it's not running any more in Activity Monitor.


Think I'm going to try an update to OSX 10.4.8 in a bit...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back