On my Ubuntu 11.04 install on laptop (amd64 arch) as well as desktop (x86 arch) on the office wired LAN (Intranet, not connected to internet), there is a constant 6-15 kilobytes/second data down happening. The LAN works normally at all times, but even with no activity this data down is running. I checked with internet-connected wifi on laptop and a USB dongle on both, but there was no such data transfer in idle conditions. It doesn't happen when on Windows 7.
Is there a tool to find out which port or software is taking this data? I tried netstat but couldn't make any headway. Searched on ubuntuforums but found nothing close enough. Can somebody please guide me on how to go about it?
Install wireshark, run a capture, and either analyze it yourself or offer it for download.
Binand
2011/6/24 Sanket Shah 88.sanket@gmail.com
On my Ubuntu 11.04 install on laptop (amd64 arch) as well as desktop (x86 arch) on the office wired LAN (Intranet, not connected to internet), there is a constant 6-15 kilobytes/second data down happening. The LAN works normally at all times, but even with no activity this data down is running. I checked with internet-connected wifi on laptop and a USB dongle on both, but there was no such data transfer in idle conditions. It doesn't happen when on Windows 7.
Is there a tool to find out which port or software is taking this data? I tried netstat but couldn't make any headway. Searched on ubuntuforums but found nothing close enough. Can somebody please guide me on how to go about it?
-- Sanket Shah -- http://mm.glug-bom.org/mailman/listinfo/linuxers
Thanks a lot for the *wireshark* pointer and sorry for the late reply. I installed & played with it several times. I've found a lot of data coming in on ARP & UDP.
I'm not sure how to proceed now. How do I find which application is causing this, or how do I block it? Sample details of an ARP log (Destination is empty):
No.  Time      Source             Destination  Protocol  Info
661  2.987881  Hewlett-_01:03:d9               ARP       Who has 172.136.81.142? Tell 172.136.38.12

Frame 661: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Jun 29, 2011 11:05:09.163967000 IST
    Epoch Time: 1309325709.163967000 seconds
    [Time delta from previous captured frame: 0.011841000 seconds]
    [Time delta from previous displayed frame: 0.011841000 seconds]
    [Time since reference or first frame: 2.987881000 seconds]
    Frame Number: 661
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Linux cooked capture
    Packet type: Broadcast (1)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Protocol: ARP (0x0806)
    Trailer: 63484d585018f8e7ca9e000000000037ff53
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    [Is gratuitous: False]
    Sender MAC address: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Sender IP address: 172.136.38.12 (172.136.38.12)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.136.81.142 (172.136.81.142)
Could someone help me with how to go about it now? It looks like a machine broadcasting info. There are several sender machines that repeat (here Hewlett-xxx being the machine).
Thanks a lot.
2011/6/30 Sanket Shah 88.sanket@gmail.com:
Thanks a lot for the *wireshark* pointer and sorry for the late reply. I installed & played with it several times. I've found a lot of data coming in on ARP & UDP.
ARP is normal; the capture you have posted does not raise any flags at all. Presumably you are using an HP laptop.
What is the UDP traffic you are seeing? In wireshark, set up a capture filter to exclude ARP.
Binand
On Thu, Jun 30, 2011 at 5:38 PM, Binand Sethumadhavan binand@gmail.com wrote:
2011/6/30 Sanket Shah 88.sanket@gmail.com:
Thanks a lot for the *wireshark* pointer and sorry for the late reply. I installed & played with it several times. I've found a lot of data coming in on ARP & UDP.
ARP is normal; the capture you have posted does not raise any flags at all. Presumably you are using an HP laptop.
The data analysis shows the major chunk of data is in ARP. And no, my system isn't HP. In fact there are a bunch of machines other than the HP that show up in ARP logs. My worry is the amount of data. They are very frequent.
What is the UDP traffic you are seeing? In wireshark, set up a capture filter to exclude ARP.
Shall do that. But the UDP data was comparably less. 65% by data size was in ARP, 27% in UDP.
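An added example, not from anyone in the thread: a small Python script that takes Wireshark packet-list rows in the layout Sanket pasted (constructed sample rows, not his capture) and groups the ARP requests by sender, so a host that asks for its gateway now and then can be told apart from a host walking through many addresses at a high rate, which is the ARP pattern worth a closer look. The thresholds min_targets and min_rate are assumptions to tune for the LAN in question.

```python
import re
from collections import defaultdict

# Matches the ARP-request rows of a Wireshark packet list as pasted in the
# thread: No. Time Source Protocol Info (Destination is blank for ARP).
ARP_REQ = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+ARP\s+Who has ([\d.]+)\?\s+Tell ([\d.]+)")

# Constructed sample rows in that layout; not a real capture from the thread.
SAMPLE_ROWS = [
    "661 2.987881 Hewlett-_01:03:d9 ARP Who has 172.136.81.142? Tell 172.136.38.12",
    "662 2.999722 Hewlett-_01:03:d9 ARP Who has 172.136.81.143? Tell 172.136.38.12",
    "663 3.011560 Hewlett-_01:03:d9 ARP Who has 172.136.81.144? Tell 172.136.38.12",
    "664 3.023401 Hewlett-_01:03:d9 ARP Who has 172.136.81.145? Tell 172.136.38.12",
    "665 3.100000 Dell_aa:bb:cc ARP Who has 172.136.38.1? Tell 172.136.38.40",
    "666 3.250000 172.136.38.40 172.136.38.255 UDP Source port: 137 Destination port: 137",
    "667 4.100000 Dell_aa:bb:cc ARP Who has 172.136.38.1? Tell 172.136.38.40",
]

def arp_by_sender(rows):
    """Group ARP requests by sender IP: MAC, count, distinct targets, time span."""
    senders = defaultdict(lambda: {"mac": "", "requests": 0, "targets": set(),
                                   "first": None, "last": None})
    for row in rows:
        m = ARP_REQ.match(row)
        if not m:
            continue  # UDP and other rows are not ARP requests
        t, mac, target, sender = float(m.group(2)), m.group(3), m.group(4), m.group(5)
        s = senders[sender]
        s["mac"], s["requests"] = mac, s["requests"] + 1
        s["targets"].add(target)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(senders)

def request_rate(stats):
    """Requests per second over the sender's observed span (0 if only one seen)."""
    span = stats["last"] - stats["first"]
    return (stats["requests"] - 1) / span if span > 0 else 0.0

def sweep_suspects(rows, min_targets=3, min_rate=10.0):
    """Senders asking for many distinct addresses at a high rate: the shape of
    an address sweep, not of a host resolving its gateway or a few peers."""
    return sorted(ip for ip, s in arp_by_sender(rows).items()
                  if len(s["targets"]) >= min_targets and request_rate(s) >= min_rate)

if __name__ == "__main__":
    for ip, s in arp_by_sender(SAMPLE_ROWS).items():
        print(f"{ip} ({s['mac']}): {s['requests']} requests, "
              f"{len(s['targets'])} targets, {request_rate(s):.1f}/s")
    print("sweep suspects:", sweep_suspects(SAMPLE_ROWS))
```

To run it on a real capture, export the packet list from Wireshark as plain text (or use tshark with the same columns) and pass the lines in place of SAMPLE_ROWS; senders that are not flagged are doing ordinary resolution, and the remaining volume is then the UDP traffic Binand asked about.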
On 24 June 2011 11:59, Sanket Shah 88.sanket@gmail.com wrote:
On my Ubuntu 11.04 install on laptop (amd64 arch) as well as desktop (x86 arch) on the office wired LAN (Intranet, not connected to internet), there is a constant 6-15 kilobytes/second data down happening.
Try http://en.wikipedia.org/wiki/Tcpdump. It also might help. Check the URLs to know where the data is going/coming from. But you need a better traffic analyser. http://www.ubuntugeek.com/network-traffic-analyzers-for-ubuntu-system.html might help!
Regards, Pavithran