Mystery internet network use!


swimswim
01-16-2007, 04:23 AM
About a week ago, my G3 Pismo running 10.4.8 started using the internet for a reason I can not figure out.

- connection to the internet is via Airport card to Airport Base Station to dsl modem
- there is no password on the Base Station but it is doubtful my neighbors are computer literate
- traffic is a constant 92B/s upload/transmit and steady 278B/s download/receive
- no applications are running
- even installed a Dashboard quitting widget to be sure it wasn't Dashboard
- System Preferences -> Sharing = all off
- according to Activity Monitor the following ports are in use: 141, 130, 131, 127, 111, 85, 75, 65 (this is with Safari on using 129 and Activity Monitor using 75)

I swear this is new. Other wireless networks I have joined have not had this constant network activity. THIS network didn't have it either until a week ago.

It is freaking me out.

How can I determine what the traffic is and how do I stop it (without stopping my own use of the internet)?

hayne
01-16-2007, 05:04 AM
- there is no password on the Base Station but it is doubtful my neighbors are computer literate
Your neighbours don't need to be computer literate for them to be using your Airport network - their computers might automatically find your wireless network and start using it.
And you need to worry about others than your neighbours - e.g. someone could access your network from a car in the street.

- according to Activity Monitor the following ports are in use: 141, 130, 131, 127, 111, 85, 75, 65 (this is with Safari on using 129 and Activity Monitor using 75)
As far as I know, Activity Monitor does not show what ports are in use. I suspect that you might be looking at the "process id" column of Activity Monitor - that shows the Unix ids of the various processes (programs) that are running on your Mac. These are not related to network ports.

But you could have a look at what ports are being used by running "Network Utility" and going into the "Netstat" tab and setting it to "Display the state of all current socket connections" and then press the "Netstat" button. Look in particular at the lines that say ESTABLISHED or LISTEN.

swimswim
01-16-2007, 01:41 PM
I intentionally have no password on my wireless network. I like free wireless. :D What I should have written about my neighbors is I doubt they are able or want to hack.

The Activity Monitor does have a column titled "# Ports." Here is a screenshot of the Activity Monitor on top and Network Utility -> NetStat below:

http://ourrez.com/netstat_and_activity.png

(That's Raging Menace's MenuMeters (http://ragingmenace.com/software/menumeters) in the top right in green and red, a kick ass application.)

Could it be Privoxy that is constantly monitoring/using the internet network?

DarrellGreenwood
01-16-2007, 03:25 PM
The Activity Monitor does have a column titled "# Ports."

Mach ports.

http://tinyurl.com/3al7y6

Cheers,

Darrell

hayne
01-16-2007, 03:27 PM
The Activity Monitor does have a column titled "# Ports."
Oh - that's just the number of Mach ports currently being used by the process. These have nothing to do with Internet ports.

Could it be Privoxy that is constantly monitoring/using the internet network?
I don't think so - Privoxy should only be active when it is processing a web page that you asked to display.

Perhaps it would be useful to look at the output of the following command:

sudo /usr/sbin/lsof -i -P

That will show what sockets are open and what program is using them.

swimswim
01-18-2007, 02:08 AM
sudo /usr/sbin/lsof -i -P

Thanks, hayne, that is helpful.

(I am away from my wireless network for a couple of days but will try it when I return. Incidentally, I am on another Airport wireless network (far, far away from my own) and the mystery internet network use is absent.)

swimswim
01-23-2007, 09:34 PM
Here's the output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo 55 root 7u IPv4 0x02982ba0 0t0 UDP *:5353
mDNSRespo 55 root 8u IPv6 0x02982ad0 0t0 UDP *:5353
mDNSRespo 55 root 9u IPv4 0x02982a00 0t0 UDP *:5353
mDNSRespo 55 root 11u IPv4 0x029825f0 0t0 UDP 10.0.1.2:49154
mDNSRespo 55 root 12u IPv4 0x02edcff4 0t0 TCP *:* (CLOSED)
netinfod 56 root 6u IPv4 0x02982e10 0t0 UDP localhost:1033
netinfod 56 root 7u IPv4 0x02edfe8c 0t0 TCP localhost:1033 (LISTEN)
netinfod 56 root 8u IPv4 0x02edc94c 0t0 TCP localhost:1033->localhost:1017 (ESTABLISHED)
netinfod 56 root 9u IPv4 0x02ede3ec 0t0 TCP localhost:1033->localhost:1021 (ESTABLISHED)
syslogd 57 root 16u IPv4 0x02982d40 0t0 UDP *:*
configd 59 root 9u IPv6 0x02e91ee0 0t0 ICMPV6 *:*
Directory 71 root 6u IPv4 0x02ede740 0t0 TCP localhost:1021->localhost:1033 (ESTABLISHED)
Directory 71 root 10u IPv4 0x029822b0 0t0 UDP *:*
Directory 71 root 11u IPv4 0x02edf7e4 0t0 TCP *:* (CLOSED)
Directory 71 root 12u IPv4 0x02982040 0t0 UDP *:*
Directory 71 root 13u IPv4 0x02edd9f0 0t0 TCP *:* (CLOSED)
cupsd 137 root 0u IPv4 0x02edd348 0t0 TCP localhost:631 (LISTEN)
cupsd 137 root 3u IPv4 0x029819c0 0t0 UDP *:631
privoxy 143 root 1u IPv4 0x02edc5f8 0t0 TCP localhost:8118 (LISTEN)
lookupd 145 root 6u IPv4 0x02edcca0 0t0 TCP localhost:1017->localhost:1033 (ESTABLISHED)
automount 177 root 8u IPv4 0x02982520 0t0 UDP localhost:1023
automount 181 root 8u IPv4 0x02982930 0t0 UDP localhost:1022


Is my computer supplying Iran with nukes, hyping Russian stocks, and selling Floridian Viagra? wth?

hayne
01-23-2007, 09:51 PM
There were no external connections listed in that output.
I.e. nothing to worry about.

Are you still seeing the network traffic at the same time as you get a clean report like the one you showed?
If so, and you want to pursue this, you could look at the packets using "Ethereal" (runs under X11).
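The check hayne applied by eye to that listing (every peer is localhost, every listener is bound to loopback, so nothing is talking to the outside) can be automated. The script below is an added example, not something posted in the thread: it parses the NAME column of `sudo lsof -i -P` output, flags any socket whose peer is not a loopback address, and separately flags listeners bound to a non-loopback address, which matters on an open Airport network where anyone in range can reach them. The sample listing is constructed from the posted lines with one made-up process (`fakeproc` talking to 192.0.2.10, a documentation address) added so there is something to flag.

```python
import ipaddress
import re
import sys

# Constructed sample in the shape of `sudo lsof -i -P` output on Mac OS X 10.4,
# modelled on the listing posted in the thread, with one made-up external
# connection (fakeproc -> 192.0.2.10) added so the classifier has something to flag.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo 55 root 7u IPv4 0x02982ba0 0t0 UDP *:5353
mDNSRespo 55 root 11u IPv4 0x029825f0 0t0 UDP 10.0.1.2:49154
netinfod 56 root 7u IPv4 0x02edfe8c 0t0 TCP localhost:1033 (LISTEN)
netinfod 56 root 8u IPv4 0x02edc94c 0t0 TCP localhost:1033->localhost:1017 (ESTABLISHED)
syslogd 57 root 16u IPv4 0x02982d40 0t0 UDP *:*
cupsd 137 root 0u IPv4 0x02edd348 0t0 TCP localhost:631 (LISTEN)
privoxy 143 root 1u IPv4 0x02edc5f8 0t0 TCP localhost:8118 (LISTEN)
fakeproc 999 root 5u IPv4 0x02ed0000 0t0 TCP 10.0.1.2:49200->192.0.2.10:6667 (ESTABLISHED)
"""

STATE_RE = re.compile(r"\s\((\w+)\)$")
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1", "[::1]"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles '*:*' and bracketed IPv6."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_loopback(host):
    """True for localhost / 127.x / ::1; False for '*' and other hostnames."""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:  # a hostname other than localhost, or the wildcard '*'
        return False


def parse_lsof(text):
    """Parse the NAME column of `lsof -i -P` into local/remote endpoints and state."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        command, pid, _user, _fd, _type, _dev, _size, node, name = parts
        state = None
        m = STATE_RE.search(name)  # trailing "(LISTEN)" / "(ESTABLISHED)" if present
        if m:
            state, name = m.group(1), name[: m.start()]
        local, _, remote = name.partition("->")
        rows.append({"command": command, "pid": int(pid), "proto": node,
                     "local": local, "remote": remote or None, "state": state})
    return rows


def review(text):
    """Flag sockets with a non-loopback peer, and sockets that are reachable
    from the network because they are bound to a non-loopback address."""
    findings = {"external_peers": [], "exposed_listeners": []}
    for r in parse_lsof(text):
        if r["remote"]:
            rhost, _ = split_endpoint(r["remote"])
            if not is_loopback(rhost):
                findings["external_peers"].append(
                    (r["command"], r["pid"], r["remote"], r["state"]))
            continue
        lhost, lport = split_endpoint(r["local"])
        # A TCP socket in LISTEN, or any bound UDP socket, can receive from the network.
        bound = lport != "*" and (r["state"] == "LISTEN" or r["proto"] == "UDP")
        if bound and not is_loopback(lhost):
            findings["exposed_listeners"].append((r["command"], r["pid"], r["local"]))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`sudo lsof -i -P | python3 lsof_review.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for key, items in review(text).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", *item)
```

On the listing swimswim posted, `external_peers` comes out empty, which is exactly hayne's conclusion; the only things it reports are mDNSResponder's UDP sockets, which are reachable from the LAN by design. The `-P` flag matters for the parser: without it lsof prints service names instead of port numbers.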

swimswim
01-24-2007, 12:21 AM
still seeing the network traffic at the same time as you get a clean report

Yes, the same, steady 277 b/s down and 92 b/s up. Again, I've had this computer for six years and never seen steady network traffic like this. The traffic is through the Airport card.

Of course, this information is dependent on the assumption that MenuMeters is reading correctly (or that I am reading MenuMeters correctly).

Ethereal pointed me toward Fink. I'll try it out. Thanks.

swimswim
01-24-2007, 02:00 AM
Ethereal is hardcore. http://ourrez.com/bluebang.gif
I got version 0.10.14 running and tried capturing interface en1 (Airport card) but it did not work:

The capture session could not be initiated ((no devices found /dev/bpf0: Permission denied). Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

ThreeDee
01-24-2007, 04:40 PM
When running ethereal, make sure you type sudo before it! You need root status to run it properly!

swimswim
01-24-2007, 07:16 PM
Thanks ThreeDee. Sudo worked. I will post some results soon.

swimswim
01-25-2007, 05:39 AM
The output over 15 seconds was a repeat of the following

No. Time Source Destination Protocol Info
1 0.000000 10.0.1.2 10.0.1.1 UDP Source port: 49294 Destination port: osu-nms

Frame 1 (46 bytes on wire, 46 bytes captured)
Ethernet II, Src: AppleCom_1c:6b:9f (00:30:65:1d:61:9f), Dst: AppleCom_cb:4b:b6 (00:1d:93:db:4e:b6)
Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 10.0.1.1 (10.0.1.1)
User Datagram Protocol, Src Port: 49294 (49294), Dst Port: osu-nms (192)
Data (4 bytes)

0000 08 01 03 10 ....

No. Time Source Destination Protocol Info
2 0.001847 10.0.1.1 10.0.1.2 UDP Source port: osu-nms Destination port: 49294

Frame 2 (139 bytes on wire, 139 bytes captured)
Ethernet II, Src: AppleCom_cb:4b:b6 (00:1d:93:db:4e:b6), Dst: AppleCom_1c:6b:9f (00:30:65:1d:61:9f)
Internet Protocol, Src: 10.0.1.1 (10.0.1.1), Dst: 10.0.1.2 (10.0.1.2)
User Datagram Protocol, Src Port: osu-nms (192), Dst Port: 49294 (49294)
Data (97 bytes)

0000 08 02 00 03 03 11 04 00 03 03 12 00 00 03 03 13 ................
0010 00 00 03 03 14 02 00 06 03 15 00 00 00 00 00 06 ................
0020 03 16 00 00 98 d7 00 03 03 18 00 00 04 03 19 00 ................
0030 00 00 06 03 21 00 00 00 00 00 06 03 22 00 00 00 ....!......."...
0040 00 00 06 03 23 00 00 00 00 00 06 03 24 00 00 00 ....#.......$...
0050 00 00 06 03 25 00 00 00 00 00 06 03 26 00 00 00 ....%.......&...
0060 00

I searched the net for osu-nms and found another macosxhints forum thread: http://forums.macosxhints.com/archive/index.php/t-3840.html which in turn referred to a Princeton page, http://www.net.princeton.edu/software/osunms_probe/osunms_probe.8.html. hayne, you posted in the former. :D

I didn't find any conclusions about how to stop the traffic. I am not using any new hardware so it must have been software that invoked a change and began this new mystery network use.

What do you think?
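The capture and the MenuMeters figures can be reconciled with a little arithmetic, which is a useful habit when deciding whether an observed byte rate is fully explained by traffic you have identified. The script below is an added example, not part of the thread: it parses the two frames exactly as posted (46 bytes out, 139 bytes back, both UDP port 192), and asks how often that exchange would have to repeat to produce the reported 92 B/s up and 278 B/s down. Both directions independently give 0.5 s, so one poll twice a second accounts for the whole of the observed traffic. The half-second period is an inference from those numbers, not something visible in the two posted frames, and the synthetic 15 s capture the script builds from it is constructed.

```python
import re

# The two-frame exchange swimswim posted, trimmed to the summary line and the
# protocol lines this script reads. The post says this pair repeated for 15 s.
CAPTURE_TEXT = """\
No. Time Source Destination Protocol Info
1 0.000000 10.0.1.2 10.0.1.1 UDP Source port: 49294 Destination port: osu-nms

Frame 1 (46 bytes on wire, 46 bytes captured)
Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 10.0.1.1 (10.0.1.1)
User Datagram Protocol, Src Port: 49294 (49294), Dst Port: osu-nms (192)

No. Time Source Destination Protocol Info
2 0.001847 10.0.1.1 10.0.1.2 UDP Source port: osu-nms Destination port: 49294

Frame 2 (139 bytes on wire, 139 bytes captured)
Internet Protocol, Src: 10.0.1.1 (10.0.1.1), Dst: 10.0.1.2 (10.0.1.2)
User Datagram Protocol, Src Port: osu-nms (192), Dst Port: 49294 (49294)
"""

SUMMARY_RE = re.compile(r"^(\d+) (\d+\.\d+) (\S+) (\S+) (\S+) ")
FRAME_RE = re.compile(r"^Frame (\d+) \((\d+) bytes on wire")
IP_RE = re.compile(r"^Internet Protocol, Src: (\S+) \([^)]*\), Dst: (\S+) \(")
UDP_RE = re.compile(r"^User Datagram Protocol, Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)")


def parse_frames(text):
    """Return one dict per frame: no, time, wire_bytes, src, dst, sport, dport."""
    times, frames, cur = {}, [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:  # packet-list line: frame number and timestamp
            times[int(m.group(1))] = float(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:  # start of the detail block for one frame
            no = int(m.group(1))
            cur = {"no": no, "time": times.get(no), "wire_bytes": int(m.group(2))}
            frames.append(cur)
            continue
        if cur is None:
            continue
        m = IP_RE.match(line)
        if m:
            cur["src"], cur["dst"] = m.groups()
            continue
        m = UDP_RE.match(line)
        if m:
            cur["sport"], cur["dport"] = int(m.group(1)), int(m.group(2))
    return frames


def bytes_per_cycle(frames, host):
    """Bytes sent and received by `host` in one repetition of the exchange."""
    sent = sum(f["wire_bytes"] for f in frames if f["src"] == host)
    recv = sum(f["wire_bytes"] for f in frames if f["dst"] == host)
    return sent, recv


def implied_period(frames, host, tx_rate, rx_rate):
    """Seconds between repetitions needed to produce the observed B/s, per direction.
    If the two values disagree, the exchange does not explain all of the traffic."""
    sent, recv = bytes_per_cycle(frames, host)
    return sent / tx_rate, recv / rx_rate


def repeat_exchange(frames, period, duration):
    """Synthesise a capture (constructed) in which the exchange repeats every `period` s."""
    out = []
    for k in range(int(duration / period)):
        for f in frames:
            out.append(dict(f, time=k * period + (f["time"] or 0.0)))
    return out


def rates_over_window(frames, duration):
    """Bytes per second for each (src, dst) direction over a capture of `duration` s."""
    totals = {}
    for f in frames:
        key = (f["src"], f["dst"])
        totals[key] = totals.get(key, 0) + f["wire_bytes"]
    return {key: total / duration for key, total in totals.items()}


if __name__ == "__main__":
    frames = parse_frames(CAPTURE_TEXT)
    tx, rx = implied_period(frames, "10.0.1.2", 92, 278)
    print(f"period implied by upload rate: {tx:.3f} s, by download rate: {rx:.3f} s")
    print(rates_over_window(repeat_exchange(frames, 0.5, 15.0), 15.0))
```

The agreement between the two implied periods is the point: it says the MenuMeters counters contain nothing beyond this one UDP/192 exchange with the base station, which narrows the question from "what is my Mac sending to the internet" to "which Airport-discovery component keeps polling the base station". Both frames have port 192 as one endpoint, so a filter on that port in Ethereal would isolate the same traffic on a live capture.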

swimswim
01-26-2007, 04:22 PM
bumpity bump bump

hayne
01-26-2007, 07:54 PM
You seem to have found out that the traffic is to and from your Airport base station. Maybe it's defective, or maybe your Airport config is causing this for some reason.

I'd create a new "location" in Network Preferences and see what happens when you use that new location instead of the automatic (default) location.

ElectricSheep
01-26-2007, 10:32 PM
FWIW, port 192 is reserved for the OSU Network Monitoring System and is used by Apple's Airport technology to discover Airport Basestations.

Traffic to/from port 192 will be generated when you open up the Airport Admin utility, and presumably any other tool to monitor Airport Networks/Basestations.

swimswim
02-02-2007, 01:59 PM
I created a new Network location but unfortunately it did not stop the constant chatter.

I have another computer with the same setup (original Airport Card on the same Base Station), but it doesn't have the constant spill of network traffic.

This feels like the end of the line.

Thanks for all your help, I appreciate it. It's good to learn that my computer is not a zombie.

I'll holler if it stops or I learn more.