On my Ubuntu 11.04 install on my laptop (amd64 arch) as well as my desktop (x86 arch) on the office wired LAN (Intranet, not connected to the internet), there is a constant 6-15 kilobytes/second data down happening. The LAN works normally at all times, but even with no activity this data down is running. I checked with internet-connected wifi on the laptop and a USB dongle on both, but there was no such data transfer in idle conditions. It doesn't happen when on Windows 7.
Is there a tool to find out which port or software is taking this data? I tried netstat but couldn't make any headway. I searched on ubuntuforums but found nothing close enough. Can somebody please guide me on how to go about it?
Install wireshark, run a capture, and either analyze it yourself or offer it for download.
Binand
2011/6/24 Sanket Shah 88.sanket@gmail.com
On Fri, Jun 24, 2011 at 1:03 PM, Binand Sethumadhavan binand@gmail.com wrote:
Thanks a lot for the *wireshark* pointer and sorry for the late reply. I installed & played with it several times. I've found a lot of data coming on ARP & UDP.
I'm not sure how to proceed now. How do I find which application is causing this, or how do I block it? Sample details of an ARP log (Destination is empty):
No. Time Source Destination Protocol Info
661 2.987881 Hewlett-_01:03:d9 ARP Who has 172.136.81.142? Tell 172.136.38.12

Frame 661: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Jun 29, 2011 11:05:09.163967000 IST
    Epoch Time: 1309325709.163967000 seconds
    [Time delta from previous captured frame: 0.011841000 seconds]
    [Time delta from previous displayed frame: 0.011841000 seconds]
    [Time since reference or first frame: 2.987881000 seconds]
    Frame Number: 661
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Linux cooked capture
    Packet type: Broadcast (1)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Protocol: ARP (0x0806)
    Trailer: 63484d585018f8e7ca9e000000000037ff53
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    [Is gratuitous: False]
    Sender MAC address: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Sender IP address: 172.136.38.12 (172.136.38.12)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.136.81.142 (172.136.81.142)
Could someone help me with how to go about it now? It looks like a machine broadcasting info. There are several sender machines that repeat (here Hewlett-xxx being the machine).
Thanks a lot.
2011/6/30 Sanket Shah 88.sanket@gmail.com:
ARP is normal; the capture you have posted does not raise any flags at all. Presumably you are using an HP laptop.
What is the UDP traffic you are seeing? In wireshark, set up a capture filter to exclude ARP.
Binand
On Thu, Jun 30, 2011 at 5:38 PM, Binand Sethumadhavan binand@gmail.com wrote:
isn't HP. In fact there are a bunch of machines other than the HP that show up in ARP logs. My worry is the amount of data. They are very frequent.
in ARP, 27% in UDP.
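To get from "a lot of data coming on ARP & UDP" to a concrete port to chase, the numbers worth pulling out of a capture are the byte rate, the share of bytes per protocol, the hosts sending most of it, and the UDP destination ports. The script below is an added example, not something posted in this thread: it parses a constructed, tab-separated packet list in the column order Wireshark shows (No., Time, Source, Destination, Protocol, Length, Info; the addresses, ports and sizes are made up), credits each ARP request to the IP in its "Tell" field so a host's ARP and UDP bytes are counted together, and lists the UDP destination ports. Those ports are what you then look up on the local machine with `netstat -unap` or `ss -unap` to see which process, if any, owns them; broadcast and multicast traffic from other hosts on the LAN will not show up there at all, which is the usual answer to "which application on my box is doing this".

```python
import re
from collections import Counter

# Constructed sample (not from the thread): tab-separated packet list in the
# order No., Time, Source, Destination, Protocol, Length, Info. Hosts, ports
# and frame sizes are invented for illustration.
SAMPLE_CAPTURE = """\
1\t0.000000\tHewlett-_01:03:d9\tBroadcast\tARP\t62\tWho has 172.136.81.142? Tell 172.136.38.12
2\t0.250000\t172.136.38.12\t239.255.255.250\tUDP\t400\t49152 -> 1900 Len=358
3\t0.500000\tDell_aa:bb:cc\tBroadcast\tARP\t62\tWho has 172.136.81.1? Tell 172.136.40.7
4\t0.750000\t172.136.40.7\t172.136.255.255\tUDP\t243\t137 -> 137 Len=201
5\t1.000000\tHewlett-_01:03:d9\tBroadcast\tARP\t62\tWho has 172.136.81.143? Tell 172.136.38.12
6\t1.250000\t172.136.38.12\t239.255.255.250\tUDP\t400\t49152 -> 1900 Len=358
7\t1.500000\t172.136.12.3\t172.136.255.255\tUDP\t243\t138 -> 138 Len=201
8\t1.750000\tHewlett-_01:03:d9\tBroadcast\tARP\t62\tWho has 172.136.81.144? Tell 172.136.38.12
9\t2.000000\t172.136.38.12\t239.255.255.250\tUDP\t400\t49152 -> 1900 Len=358
10\t2.250000\t172.136.40.7\t172.136.255.255\tUDP\t243\t137 -> 137 Len=201
"""

UDP_PORTS = re.compile(r"(\d+)\s*(?:->|\u2192)\s*(\d+)")   # "src -> dst" in the Info column
ARP_TELL = re.compile(r"Tell (\d+\.\d+\.\d+\.\d+)")         # sender IP in an ARP request


def parse_packets(text):
    """Turn the packet list into dicts; blank or malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 7:
            continue
        try:
            packets.append({
                "no": int(cols[0]), "time": float(cols[1]), "src": cols[2],
                "dst": cols[3], "proto": cols[4], "length": int(cols[5]),
                "info": cols[6],
            })
        except ValueError:
            continue
    return packets


def bytes_per_second(packets):
    """Average byte rate over the capture window (the figure a traffic monitor shows)."""
    if not packets:
        return 0.0
    total = sum(p["length"] for p in packets)
    span = packets[-1]["time"] - packets[0]["time"]
    return float(total) if span <= 0 else total / span


def protocol_share(packets):
    """Fraction of captured bytes per Protocol column value."""
    by_proto = Counter()
    for p in packets:
        by_proto[p["proto"]] += p["length"]
    total = sum(by_proto.values())
    return {proto: n / total for proto, n in by_proto.items()} if total else {}


def arp_sender_ips(packets):
    """Map an ARP sender's MAC label to the IP it announces in 'Tell <ip>'."""
    mapping = {}
    for p in packets:
        if p["proto"] == "ARP":
            m = ARP_TELL.search(p["info"])
            if m:
                mapping[p["src"]] = m.group(1)
    return mapping


def top_talkers(packets, n=3):
    """Bytes sent per host, with ARP frames credited to the sending host's IP."""
    ip_of = arp_sender_ips(packets)
    by_host = Counter()
    for p in packets:
        by_host[ip_of.get(p["src"], p["src"])] += p["length"]
    return by_host.most_common(n)


def udp_destination_ports(packets):
    """UDP packets per destination port: the ports to look up with ss/netstat -p."""
    ports = Counter()
    for p in packets:
        if p["proto"] == "UDP":
            m = UDP_PORTS.search(p["info"])
            if m:
                ports[int(m.group(2))] += 1
    return ports


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_CAPTURE)
    print(f"{bytes_per_second(pkts):.1f} bytes/s over {len(pkts)} packets")
    for proto, share in sorted(protocol_share(pkts).items()):
        print(f"  {proto:5s} {share:6.1%}")
    print("top talkers:", top_talkers(pkts))
    print("UDP destination ports:", udp_destination_ports(pkts).most_common())
```

Run against a real export by replacing SAMPLE_CAPTURE with the file contents. In the constructed sample the host that sends the most ARP is also the biggest UDP sender (SSDP to 239.255.255.250 on port 1900), which is the kind of correlation the per-host merge is there to surface.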
On 24 June 2011 11:59, Sanket Shah 88.sanket@gmail.com wrote:
Try http://en.wikipedia.org/wiki/Tcpdump . It also might help. Check the URLs to know where the data is going/coming. But you need a better traffic analyser. http://www.ubuntugeek.com/network-traffic-analyzers-for-ubuntu-system.html might help!
Regards, Pavithran