Constant Network Data Use at Idle

Outis · 2012-04-06 23:35:01

First, I have no daemons running in the background such as freenet, tor, or i2p.

For some reason, conky is showing me as never going below 1Kbps down even when idle.

Netstat is showing some funky connections to random web sites even when nothing is open

netstat wrote:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.5:42129 189-80.amazon.:www-http ESTABLISHED
tcp 0 0 192.168.1.5:42124 189-80.amazon.:www-http ESTABLISHED
tcp 0 1 192.168.1.5:53182 99-102-138-239:www-http SYN_SENT
tcp 0 0 192.168.1.5:42123 189-80.amazon.:www-http ESTABLISHED
tcp 0 0 192.168.1.5:34116 a63-80-242-40.:www-http ESTABLISHED
tcp 0 0 192.168.1.5:42122 189-80.amazon.:www-http ESTABLISHED
tcp 0 0 192.168.1.5:42125 189-80.amazon.:www-http ESTABLISHED

chkrootkit comes up clean

top isn't showing anything out of the ordinary that would be opening such odd connections

netstat is attributing the connections to firefox, even when firefox is closed. Could it be a rogue plug-in?

Stebalien · 2012-04-06 23:51:14

`netstat --ip -p` will give you the programs making those connections.

Outis · 2012-04-06 23:57:27

Stebalien wrote:

`netstat --ip -p` will give you the programs making those connections.

netstat is no longer showing any rogue connections, yet the data use is still there

suborbital · 2012-04-07 00:25:16

grab lsof package

&

lsof -i| grep ESTABLISHED

Outis · 2012-04-07 00:47:43

suborbital wrote:

grab lsof package
&
lsof -i| grep ESTABLISHED

Also showing nothing, even ungrepped

cfr · 2012-04-07 01:47:28

What happens if you log in as a new user and run netstat without ever starting firefox? (Maybe create the new user, reboot and log straight into that account...)

Do you use iptables? Anything logged?

Do you use cloud storage? I seem to remember some kinds use Amazon servers and I'm just wondering because netstat shows some weird listings on my machine and assigns them to dropbox. I don't know why it would assign them to firefox in that case, though.

Are you positive firefox isn't running when it is "closed" but netstat attributes connections to it? I've seen the firefox process outlast the gui by a good margin at times...

Last edited by cfr (2012-04-07 02:00:53)

chpln · 2012-04-07 01:54:51

Also try tcpdump or wireshark.

Outis · 2012-04-07 02:23:59

cfr wrote:

What happens if you log in as a new user and run netstat without ever starting firefox? (Maybe create the new user, reboot and log straight into that account...)
Do you use iptables? Anything logged?
Do you use cloud storage? I seem to remember some kinds use Amazon servers and I'm just wondering because netstat shows some weird listings on my machine and assigns them to dropbox. I don't know why it would assign them to firefox in that case, though.
Are you positive firefox isn't running when it is "closed" but netstat attributes connections to it? I've seen the firefox process outlast the gui by a good margin at times...

You're right about the phantom connections - I did a few quick tests and it looks like Firefox the process was living quite a bit longer than the GUI.

chpln wrote:

Also try tcpdump or wireshark.

Ah! According to tcpdump, it looks like AT&T's U-Verse boxes are very chatty.

That explains why no software was showing active connections yet traffic was being observed.

Okay, so it's solved. I appreciate the help from everyone.

Last edited by Outis (2012-04-07 06:50:37)

Arch Linux

#1 2012-04-06 23:35:01

Constant Network Data Use at Idle

#2 2012-04-06 23:51:14

Re: Constant Network Data Use at Idle

#3 2012-04-06 23:57:27

Re: Constant Network Data Use at Idle

#4 2012-04-07 00:25:16

Re: Constant Network Data Use at Idle

#5 2012-04-07 00:47:43

Re: Constant Network Data Use at Idle

#6 2012-04-07 01:47:28

Re: Constant Network Data Use at Idle

#7 2012-04-07 01:54:51

Re: Constant Network Data Use at Idle

#8 2012-04-07 02:23:59

Re: Constant Network Data Use at Idle

Board footer