
#1 2012-03-13 11:40:35

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Explaining network activity

Hi,

I am not asking here how to detect a rootkit, etc. But...

Is there a way to tell that some network activity is harmless? Beyond suspicion, that is. For instance, I've got something like 5 K/s traffic on eth0, doing nothing, on my desktop. Is there an easy way to check its nature?

Last edited by Llama (2012-03-13 11:42:33)


#2 2012-03-13 11:46:12

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Explaining network activity

Wireshark is your friend in that case. Just let the capture run for a little bit while you're "doing nothing".


Burninate!


#3 2012-03-13 11:55:49

skanky
Member
From: WAIS
Registered: 2009-10-23
Posts: 1,847

Re: Explaining network activity

Also

lsof -i

will show currently open network connections.


"...one cannot be angry when one looks at a penguin."  - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle


#4 2012-03-13 12:56:08

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Explaining network activity

Thanks! I've run lsof and started wireshark. GTK GUI looks nice, but it's just as I feared: I wouldn't know a red flag when I see it. There's way too much info on network security; I'm completely at sea as to where to start. Any suggestion is extremely welcome.

Last edited by Llama (2012-03-13 12:58:10)


#5 2012-03-13 13:36:57

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Explaining network activity

You can post the logs here if you feel it's safe.

Also, use iftop to see where the connections are being made.


#6 2012-03-13 17:28:54

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Explaining network activity

As soon as I try to close Wireshark, I get a message: "Save capture file before program quit?" [Quit without saving/Cancel]. Meanwhile, File->Save is grayed out...


#7 2012-03-13 18:11:41

xs
Member
From: San Jose, CA.
Registered: 2011-04-06
Posts: 92

Re: Explaining network activity

snort is a good IDS with good filters/rules configuration, ettercap (has arp poisoning and other detection plugins), Wireshark is obv a good recommendation (learn to use its protocol filters etc).

Last edited by xs (2012-03-13 18:12:11)


I like pie. Especially with a side of Arch.


#8 2012-03-13 19:10:19

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Explaining network activity

Llama wrote:

As soon as I try to close Wireshark, I get a message: "Save capture file before program quit?" [Quit without saving/Cancel]. Meanwhile, File->Save is grayed out...

Make sure to stop your capture (Capture --> Stop) before closing.


Burninate!


#9 2012-03-19 14:10:45

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Explaining network activity

x33a wrote:

You can post the logs here if you feel it's safe.

Also, use iftop to see where the connections are being made.

I've got a good sample capture file, 3.8M. It's a binary. How am I supposed to post it here?


#10 2012-03-19 14:33:05

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Explaining network activity

Just upload it to one of the free upload services (Google "free upload" and you'll get tons) and link it here.


Burninate!


#11 2012-03-19 15:02:58

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Explaining network activity

links deleted

Last edited by Llama (2012-03-24 14:36:07)


#12 2012-03-20 05:38:46

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Explaining network activity

I can't tell much from the logs, but I do see that a lot of UDP connections are being made on port 59452. It seems that port 59452 is open and only accepting UDP traffic.

Are you running some torrent client? If you are, and are using DHT, then that can explain the traffic, as DHT stays active even if you are not running any active torrents (but the client is on).

If this isn't the case, try iftop, it displays the active connections on the top right, and even tells the amount of traffic being exchanged with each ip. Though, it won't tell the protocol being used and other details.

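The triage x33a describes above (many UDP peers on one local port, then checking which process owns that port) can be scripted rather than eyeballed in Wireshark. The following is an added example written for this thread, not code from any poster or from Wireshark, lsof or Deluge. The flow records and the `lsof -i -n -P`-shaped table are constructed sample data (the addresses are documentation ranges, and the process name deluged is used only because Deluge is the client mentioned in the thread); the 59452 port number is the one from the capture discussed above.

```python
"""Summarize UDP traffic per local port, flag ports talking to many distinct
remote peers (the pattern x33a attributes to a torrent client's DHT node), and
match flagged ports to the owning process via an `lsof -i -n -P`-style table.

All data below is constructed for illustration; it is not the thread's capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp" or "tcp"
    local_port: int
    remote_ip: str
    remote_port: int
    nbytes: int


# Constructed flows: five distinct peers on local UDP 59452 (one peer twice),
# a single DNS query, and a single HTTPS session.
SAMPLE_FLOWS = [
    Flow("udp", 59452, "203.0.113.10", 6881, 320),
    Flow("udp", 59452, "203.0.113.11", 51413, 280),
    Flow("udp", 59452, "203.0.113.12", 6881, 310),
    Flow("udp", 59452, "203.0.113.13", 25000, 290),
    Flow("udp", 59452, "203.0.113.14", 6881, 300),
    Flow("udp", 59452, "203.0.113.10", 6881, 330),   # repeat peer, counted once
    Flow("udp", 40000, "192.0.2.53", 53, 90),         # one DNS query
    Flow("tcp", 51222, "198.51.100.7", 443, 4200),    # one HTTPS session
]

# Constructed text in the shape of `lsof -i -n -P` output (hypothetical PIDs).
LSOF_SAMPLE = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
deluged   1234 llama   12u  IPv4  23456      0t0  UDP *:59452
deluged   1234 llama   13u  IPv4  23457      0t0  TCP *:58846 (LISTEN)
firefox   2222 llama   40u  IPv4  34567      0t0  TCP 192.0.2.5:51222->198.51.100.7:443 (ESTABLISHED)
"""


def summarize_by_port(flows, proto="udp"):
    """Return {local_port: (distinct_remote_peers, total_bytes)} for one protocol."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        if f.proto != proto:
            continue
        peers[f.local_port].add(f.remote_ip)
        total[f.local_port] += f.nbytes
    return {port: (len(peers[port]), total[port]) for port in peers}


def dht_like_ports(summary, min_peers=5):
    """Local ports exchanging traffic with at least min_peers distinct remote
    hosts: a single socket fanning out to many peers, as a DHT node does."""
    return sorted(port for port, (n, _) in summary.items() if n >= min_peers)


def parse_lsof(text):
    """Return {(proto, local_port): command} from lsof -i -n -P shaped text.
    NODE is the protocol column, NAME is local[->remote]; the port is the
    text after the last colon of the local part (works for *:port and [::]:port)."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        command, node, name = parts[0], parts[7], parts[8]
        local = name.split("->")[0]
        port = int(local.rsplit(":", 1)[1])
        owners[(node.lower(), port)] = command
    return owners


def explain_ports(flows, owners, min_peers=5):
    """For each flagged UDP port, report peer count, bytes and owning process
    ("unknown" when no socket in the lsof table matches, which is the case
    worth a closer look)."""
    summary = summarize_by_port(flows, "udp")
    report = {}
    for port in dht_like_ports(summary, min_peers):
        n, b = summary[port]
        report[port] = {"peers": n, "bytes": b,
                        "process": owners.get(("udp", port), "unknown")}
    return report


if __name__ == "__main__":
    for port, info in explain_ports(SAMPLE_FLOWS, parse_lsof(LSOF_SAMPLE)).items():
        print(f"udp/{port}: {info['peers']} peers, {info['bytes']} bytes, "
              f"owned by {info['process']}")
```

On a real box the flow list would come from a capture summary (for example tshark's conversation statistics) and the table from running lsof -i -n -P at the same time; a flagged port whose owner comes back as "unknown" (no listening socket while the traffic is still arriving) is the situation Llama describes after stopping deluged, and is the case worth pursuing further.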

#13 2012-03-20 09:55:24

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Explaining network activity

It's been my hunch, too. I do seed, DHT on. The funny thing is, the logs reflect periods of deluged (I use deluge) inactivity (stopped). It looks like a case of life after death. After reboot the funny activity settles down to zero (not right away, though).

