mahohmei1
join:2008-10-29

1 edit

mahohmei1

Member

Excessive bandwidth use

According to Comcast's usage meter, starting late in October, I have been sucking down a constant roughly 1 GB per hour, even when I'm not home. After some trial and error (read: disconnecting one device at a time from the LAN while at work and overnight), I have narrowed it down to my desktop running Ubuntu 12.04.

Here's the rub: I can't see where I'm using the bandwidth. I run System Monitor and Wireshark, and when my desktop is sitting idle, network usage is nearly flatlined--nowhere near the roughly 2 mbps Comcast claims I'm sucking down.

Does anyone else have this issue?

Thanks!

Addendum: Someone just suggested to me it could be the NIC. Tonight, I'm going to boot from a "Linux demo" CD, let it sit overnight, and see what happens.

baineschile
2600 ways to live
Premium Member
join:2008-05-10
Sterling Heights, MI

baineschile

Premium Member

Got any screenshots?

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf to mahohmei1

MVM

to mahohmei1
It could be the NIC? Did you get any explanation along with that suggestion?

You might want to run netstat -an and see if you have any connections to foreign addresses.
brianiscool
join:2000-08-16
Tampa, FL

brianiscool to mahohmei1

Member

to mahohmei1
Ubuntu updates?

koitsu
MVM
join:2002-07-16
Mountain View, CA
Humax BGW320-500

koitsu to mahohmei1

MVM

to mahohmei1
I can assure you the problem isn't your NIC. Neither your NIC nor the NIC driver is going to send/receive a bunch of crap across the wire "just for fun". Give me a break.

Are you sure your box isn't compromised? It could be that someone has your box turned into a DDoS client or something similar, especially if you have services running on the Ubuntu box that are open to the Internet (forwarded on your router, etc.). IMO, this sounds like the most likely explanation.

It could also be happening when you're not awake, i.e. when Wireshark isn't running, thus you never see any captured packets. Or your pcap filter could be wrong. Who knows.

My recommendation would be to make a shell script that does something like this, and let it run for 24 hours:

#!/bin/sh
( while true
do
  date
  /sbin/ifconfig eth0
  netstat -4 -6 -n
  echo
  ps auxwwww
  echo
  echo
  sleep 1
done ) | tee /path/to/some/log/file
 

Be aware said log file will be quite big after 24 hours. You can pull out the RX/TX byte transfer statistics by simply doing grep 'RX bytes' /path/to/some/log/file, find the relevant counter output, then open the file in an editor and look around that timeframe for when it happened.

Regardless, the bottom line is this: this is your box, your equipment, therefore your responsibility to figure out/address. I'm not even sure why this is a post in the Comcast HSI forum (vs. the UNIX/Linux forum) for that matter... :-) The latter would be the place to ask for "forensic help".

Alternately, if you don't want to deal with it? Take the box off the network. Disconnect its network cable. Do not reconnect it. Then reinstall the entire OS from scratch (bare bones OS install/format/etc.). Disable any port forwards you have from your router to the Linux box. After that, reconnect the network cable.
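
Added example, not part of koitsu's post: a Python parser for the log that the loop above produces, which finds the samples where the eth0 byte counters jumped and lists the foreign addresses connected at those moments. It assumes the Ubuntu 12.04-era ifconfig layout (`RX bytes:N ... TX bytes:N` on one line, as the grep in the post implies); the function names, the 200,000-byte per-sample threshold and the sample log (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

RX_TX = re.compile(r"RX bytes:(\d+).*TX bytes:(\d+)")
# netstat -n row: proto, recv-q, send-q, local address, foreign address, state
CONN = re.compile(r"^(?:tcp|udp)6?\s+\d+\s+\d+\s+\S+\s+(\S+)\s+ESTABLISHED")

def parse_samples(lines, iface="eth0"):
    """One dict per loop iteration; the `date` line is the last non-blank
    line before the ifconfig header."""
    samples, prev, cur = [], "", None
    for line in lines:
        if line.startswith(iface) and "Link encap" in line:
            cur = {"ts": prev.strip(), "rx": None, "tx": None, "peers": []}
            samples.append(cur)
        elif cur is not None:
            m = RX_TX.search(line)
            if m and cur["rx"] is None:      # first match only; skip ps noise
                cur["rx"], cur["tx"] = int(m.group(1)), int(m.group(2))
            if (c := CONN.match(line)):
                cur["peers"].append(c.group(1))
        if line.strip():
            prev = line
    return [s for s in samples if s["rx"] is not None]

def busy_intervals(samples, threshold=200_000):
    """Samples whose RX+TX growth since the previous sample exceeds threshold."""
    hits = []
    for before, after in zip(samples, samples[1:]):
        d_rx, d_tx = after["rx"] - before["rx"], after["tx"] - before["tx"]
        # a negative delta means the counter wrapped or was reset: skip it
        if d_rx >= 0 and d_tx >= 0 and d_rx + d_tx > threshold:
            hits.append((after["ts"], d_rx, d_tx, after["peers"]))
    return hits

def top_peers(hits):  # foreign addresses ranked by number of busy samples
    return Counter(p for *_, peers in hits for p in peers).most_common()

def _block(ts, rx, tx, peers=()):  # builds constructed sample log text
    conns = "".join(f"tcp 0 0 192.0.2.10:40000 {p} ESTABLISHED\n" for p in peers)
    return (f"{ts}\neth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01\n"
            f"          RX bytes:{rx} (0.0 B)  TX bytes:{tx} (0.0 B)\n{conns}\n")

SAMPLE = (_block("Mon Nov 12 03:14:07 EST 2012", 1000000, 500000)
          + _block("Mon Nov 12 03:14:08 EST 2012", 1001000, 500500)
          + _block("Mon Nov 12 03:14:09 EST 2012", 1301000, 500900, ["203.0.113.7:443"])
          + _block("Mon Nov 12 03:14:10 EST 2012", 500, 200)  # counter reset
          + _block("Mon Nov 12 03:14:11 EST 2012", 400500, 300,
                   ["203.0.113.7:443", "198.51.100.9:22"])).splitlines()
```

On a real log, pass the open file to `parse_samples` and feed the result to `busy_intervals`, then `top_peers`; the timestamps returned are the places to read the surrounding netstat and ps output.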

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ to mahohmei1

Premium Member

to mahohmei1
said by mahohmei1:

I have narrowed it down to my desktop running Ubuntu 12.04.

Turn off Linux box for a day. Check meter. If meter flat, it's the Linux box, and it's got a rootkit or you're not looking in the right place for where the data is being consumed from.