
mahohmei

join:2008-10-29

1 edit

Excessive bandwidth use

According to Comcast's usage meter, starting late in October, I have been sucking down a constant roughly 1 GB per hour, even when I'm not home. After some trial and error (read: disconnecting one device at a time from the LAN while at work and overnight), I have narrowed it down to my desktop running Ubuntu 12.04.

Here's the rub: I can't see where I'm using the bandwidth. I run System Monitor and Wireshark, and when my desktop is sitting idle, network usage is nearly flatlined--nowhere near the roughly 2 mbps Comcast claims I'm sucking down.

Does anyone else have this issue?

Thanks!

Addendum: Someone just suggested to me it could be the NIC. Tonight, I'm going to boot from a "Linux demo" CD, let it sit overnight, and see what happens.


baineschile
2600 ways to live
Premium
join:2008-05-10
Sterling Heights, MI
Got any screenshots?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to mahohmei
It could be the NIC? Did you get any explanation along with that suggestion?

You might want to run netstat -an and see if you have any connections to foreign addresses.

brianiscool

join:2000-08-16
Tampa, FL
kudos:1
reply to mahohmei
Ubuntu updates?


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
reply to mahohmei
I can assure you the problem isn't your NIC. Neither your NIC nor the NIC driver is going to send/receive a bunch of crap across the wire "just for fun". Give me a break.

Are you sure your box isn't compromised? It could be that someone has your box turned into a DDoS client or something similar, especially if you have services running on the Ubuntu box that are open to the Internet (forwarded on your router, etc.). IMO, this sounds like the most likely explanation.

It could also be happening when you're not awake, i.e. when Wireshark isn't running, thus you never see any captured packets. Or your pcap filter could be wrong. Who knows.

My recommendation would be to make a shell script that does something like this, and let it run for 24 hours:

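#!/bin/sh
# Once a second, log a timestamp, the eth0 byte counters, the open
# IPv4/IPv6 sockets and the full process list.
( while true
do
  date
  /sbin/ifconfig eth0
  netstat -4 -6 -n
  echo
  ps auxwwww
  echo
  echo
  sleep 1
done ) | tee /path/to/some/log/file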

Be aware said log file will be quite big after 24 hours. You can pull out the RX/TX byte transfer statistics by simply doing grep 'RX bytes' /path/to/some/log/file, find the relevant counter output, then open the file in an editor and look around that timeframe for when it happened.

Regardless, the bottom line is this: this is your box, your equipment, therefore your responsibility to figure out/address. I'm not even sure why this is a post in the Comcast HSI forum (vs. the UNIX/Linux forum) for that matter... :-) The latter would be the place to ask for "forensic help".

Alternately, if you don't want to deal with it? Take the box off the network. Disconnect its network cable. Do not reconnect it. Then reinstall the entire OS from scratch (bare bones OS install/format/etc.). Disable any port forwards you have from your router to the Linux box. After that, reconnect the network cable.

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.
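
Added example, not part of koitsu's post or any reply in this thread: one way to search the log from the loop above for the samples where the byte counters jumped, instead of reading the grep output by eye. The names find_spikes and sample_log are hypothetical, the log lines are constructed, and the parser assumes the net-tools ifconfig format ("RX bytes:N ... TX bytes:N"); the 250000-byte threshold assumes roughly one sample per second against the thread's figure of about 1 GB per hour (about 278 KB/s).

```shell
#!/bin/sh
# find_spikes THRESHOLD [IFACE] < logfile   (hypothetical helper name)
# Prints each sample whose RX or TX counter grew by more than THRESHOLD
# bytes since the previous sample, plus the netstat rows from that sample.
find_spikes() {
  awk -v limit="$1" -v ifc="${2:-eth0}" '
    # date runs right before ifconfig, so the line preceding the
    # interface header is the timestamp of the sample.
    index($0, ifc " ") == 1 { ts = prev; hot = 0 }
    /RX bytes:/ {
      split($0, p, "bytes:")        # p[2] starts with RX, p[3] with TX
      rx = p[2] + 0; tx = p[3] + 0
      # A counter lower than last time means a reset or wrap: skip it.
      if (seen && rx >= lrx && tx >= ltx) {
        drx = rx - lrx; dtx = tx - ltx
        if (drx > limit || dtx > limit) {
          printf "%s rx=%d tx=%d\n", ts, drx, dtx
          hot = 1                   # also list connections for this sample
        }
      }
      lrx = rx; ltx = tx; seen = 1
    }
    # netstat rows: proto recv-q send-q local foreign [state]
    hot && /^(tcp|udp)6? / {
      printf "  %s %s -> %s %s\n", $1, $4, $5, ($6 == "" ? "-" : $6)
    }
    { prev = $0 }
  '
}

# Constructed sample log (net-tools ifconfig format, documentation addresses).
# The third sample shows a counter reset.
sample_log() {
  cat <<'EOF'
Mon Nov 12 02:00:00 EST 2012
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          RX bytes:1000000 (1.0 MB)  TX bytes:500000 (500.0 KB)
tcp        0      0 192.0.2.10:22           198.51.100.7:50514      ESTABLISHED
Mon Nov 12 02:00:01 EST 2012
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          RX bytes:1001200 (1.0 MB)  TX bytes:800000 (800.0 KB)
tcp        0  14480 192.0.2.10:48122        203.0.113.99:80         ESTABLISHED
Mon Nov 12 02:00:02 EST 2012
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          RX bytes:300 (300.0 B)  TX bytes:200 (200.0 B)
EOF
}

sample_log | find_spikes 250000
```

Against a real log, run it as find_spikes 250000 < /path/to/some/log/file, then open the log at the printed timestamps to read the ps output for those samples.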


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to mahohmei
said by mahohmei:

I have narrowed it down to my desktop running Ubuntu 12.04.

Turn off linux box for a day. Check meter. If meter flat, it's the linux box, and it's got a rootkit or you're not looking in the right place for where the data is being consumed from.
--
My place : »www.schettino.us