Hello, everyone.
I installed Arch with Cinnamon desktop. For the Internet connection I use my Android phone in usb-modem mode.
After booting I constantly see in my gnome-system-monitor something like this:
https://i.ibb.co/rsWftWY/2022-05-25-21-49-37-r.png
It means that 48 kib of data has been received and 26 kib of data has been sent. My goal is to find out what that data is. I found a command named "tcpdump" from so-called package that shows all incoming and outgoing internet packets. Then I wrote a Python script that saves the output of that command to a file and set it up to be started by systemd.
/etc/systemd/system/inet-log.service :
[Service]
ExecStart=/home/username/inet-log
[Install]
WantedBy=multi-user.target
/home/username/inet-log :
#!/bin/python
import subprocess, time
p = subprocess.Popen('tcpdump', shell=True, text=True, encoding='utf-8', stdout=subprocess.PIPE)
with open('/home/username/inet-log.txt', 'w') as f:
    for line in p.stdout:
        f.write(line)
$ sudo chmod +x /home/username/inet-log
$ sudo systemctl enable inet-log
The output:
/home/username/inet-log.txt
As you can see, there are some real IPs like 172.67.17.175, 104.20.26.217, 185.125.188.54, 185.125.188.58, 185.125.188.60 and a real URL "redirect.archlinux.org".
What are those and how can I disable that data sending?
Maybe anyone knows how to see which process makes those requests?
p.s. sorry for my english
Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code
Last edited by busy beaver (2022-05-25 17:36:38)
Offline
Do you use NetworkManager to control your networking?
If so then the archlinux.org URL is probably just the online check that it makes to verify if you are connected to the internet.
https://github.com/archlinux/svntogit-p … BUILD#L124
Offline
@Slithery Thanks for the reply. Yes, I do use NetworkManager. But https://ping.archlinux.org/nm-check.txt is a lot smaller than 48 kib. And what about those IPs?
Offline
Did you look up the IPs? They all either belong to Cloudflare or Canonical.
What services and applications are you starting when you boot the system?
Offline
$ systemctl list-unit-files | grep enabled
var-lib-snapd-snap-code-96.mount enabled disabled
var-lib-snapd-snap-code-97.mount enabled disabled
var-lib-snapd-snap-core-12834.mount enabled disabled
var-lib-snapd-snap-core-13250.mount enabled disabled
getty@.service enabled enabled
inet-log.service enabled disabled
lightdm.service enabled disabled
NetworkManager-dispatcher.service enabled disabled
NetworkManager-wait-online.service enabled disabled
NetworkManager.service enabled disabled
snapd.service enabled disabled
systemd-boot-update.service disabled enabled
systemd-fsck-root.service enabled-runtime disabled
systemd-homed.service disabled enabled
systemd-network-generator.service disabled enabled
systemd-networkd.service disabled enabled
systemd-pstore.service disabled enabled
systemd-remount-fs.service enabled-runtime disabled
systemd-resolved.service enabled enabled
systemd-timesyncd.service disabled enabled
windscribe.service enabled disabled
snapd.socket enabled disabled
systemd-userdbd.socket disabled enabled
machines.target disabled enabled
reboot.target disabled enabled
remote-cryptsetup.target disabled enabled
remote-fs.target enabled enabled
pamac-cleancache.timer enabled disabled
Offline
So it's very likely snap
Offline
I tried disabling snapd and the amount of received data slightly decreased, but it's not completely gone. So there are some other apps that use the Internet.
Last edited by busy beaver (2022-05-25 18:18:51)
Offline
Windscribe is probably using some data. Is it configured to automatically connect to a VPN?
Offline
Two useful tools:
1. sudo bandwhich
2. sudo lsof -i
Offline
I disabled all snap-related services and windscribe. Now it's sending around 7 kib and receiving around 6 kib.
$ systemctl list-unit-files | grep enabled
getty@.service enabled enabled
inet-log.service enabled disabled
lightdm.service enabled disabled
NetworkManager-dispatcher.service enabled disabled
NetworkManager-wait-online.service enabled disabled
NetworkManager.service enabled disabled
systemd-boot-update.service disabled enabled
systemd-fsck-root.service enabled-runtime disabled
systemd-homed.service disabled enabled
systemd-network-generator.service disabled enabled
systemd-networkd.service disabled enabled
systemd-pstore.service disabled enabled
systemd-remount-fs.service enabled-runtime disabled
systemd-resolved.service enabled enabled
systemd-timesyncd.service disabled enabled
systemd-userdbd.socket disabled enabled
machines.target disabled enabled
reboot.target disabled enabled
remote-cryptsetup.target disabled enabled
remote-fs.target enabled enabled
pamac-cleancache.timer enabled disabled
Offline
@tucuxi thanks, but it seems to be impossible to see the output of those commands while booting.
Offline
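Added example (not part of any post in this thread): since bandwhich and lsof -i only show sockets that are open at the moment you run them, a small logger can poll /proc/net/tcp from boot and record which process owns each new outbound connection. The log path and the sample table are constructed for illustration; IPv4 on a little-endian Linux host is assumed.

```python
import glob, os, re, socket, struct, time
from pathlib import Path
# Constructed sample of /proc/net/tcp, not captured from the poster's machine.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1
   1: 642AA8C0:9C40 36BC7DB9:01BB 01 00000000:00000000 00:00000000 00000000     0        0 31337 1
"""

def decode_addr(hex_addr):
    # The kernel prints the IPv4 address as a host-order integer (little-endian assumed).
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return [(local, remote, inode)] for sockets that have a non-loopback peer."""
    conns = []
    for f in (l.split() for l in text.splitlines()[1:] if l.strip()):
        remote = decode_addr(f[2])
        if remote[0] == "0.0.0.0" or remote[0].startswith("127."):
            continue                              # listening sockets and loopback
        conns.append((decode_addr(f[1]), remote, f[9]))
    return conns

def socket_owners():
    """Map socket inode -> (pid, command name) from /proc/<pid>/fd (root sees all users)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                pid = fd.split("/")[2]
                owners[m.group(1)] = (int(pid), Path(f"/proc/{pid}/comm").read_text().strip())
        except OSError:
            continue                              # process exited or access denied
    return owners

def watch(logfile, interval=0.5):
    seen = set()
    with open(logfile, "a", buffering=1) as log:  # line-buffered, so lines reach disk promptly
        while True:
            conns = parse_proc_net_tcp(Path("/proc/net/tcp").read_text())
            owners = socket_owners()              # scanned after the table to reduce races
            for _, remote, inode in conns:
                if (remote, inode) not in seen:
                    seen.add((remote, inode))
                    pid, comm = owners.get(inode, (None, "?"))
                    log.write(f"{time.strftime('%H:%M:%S')} {comm}[{pid}] -> {remote[0]}:{remote[1]}\n")
            time.sleep(interval)

if __name__ == "__main__":
    watch("/var/tmp/conn-owners.log")             # hypothetical log path
```

Polling misses connections shorter than the interval and does not cover UDP (for example DNS lookups), so it complements a packet capture rather than replacing it.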
I'd guess about 1 kib is received as part of the TLS handshake (the certificate). Maybe more if OCSP is queried as well.
I suggest you also try to boot to multi-user.target and skip the GUI to check if that is creating some connections as well.
Last edited by progandy (2022-05-25 19:05:05)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
I found out that it still sends and receives some data after boot. And I can see it in the terminal with "sudo tcpdump" and in the system monitor. But somehow it's not logged by my script (which uses the same command). When I open the browser after that, my script continues to work. Maybe this is related to users? I don't know.
Offline
@progandy boot to multi-user.target? What does that mean?
Offline
@tucuxi thanks, but it seems to be impossible to see the output of those commands while booting.
Sure, but the gnome-system-monitor screenshot suggests that you see the same traffic pattern when you are in the graphical environment. Or did you capture it from a different machine?
Offline
@progandy boot to multi-user.target? What does that mean?
You add systemd.unit=multi-user.target to your kernel commandline, then your system will only boot to a console / terminal and the GUI (login manager/display manager, desktop environment, ...) does not start.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
busy beaver wrote: @tucuxi thanks, but it seems to be impossible to see the output of those commands while booting.
Sure, but the gnome-system-monitor screenshot suggests that you see the same traffic pattern when you are in the graphical environment. Or did you capture it from a different machine?
Yes, I am in GUI. But gnome system monitor shows the amount of data received and sent since boot (or since some demon start). And your commands show only currently transmitting data.
Last edited by busy beaver (2022-05-25 19:37:14)
Offline
busy beaver wrote:@progandy boot to multi-user.target? What does that mean?
You add systemd.unit=multi-user.target to your kernel commandline, then your system will only boot to a console / terminal and the GUI (login manager/display manager, desktop environment, ...) does not start.
I booted to the lightdm, then pressed ctrl+alt+f2 and went to the tty. Then I checked my log file, and it's empty! So that means that all that data sending happens after logging into GUI. I also tried selecting i3 in the lightdm menu instead of cinnamon, but it made no difference from the cinnamon. Is that enough or shall I still boot to multi-user.target?
Offline
I booted to the lightdm, then pressed ctrl+alt+f2 and went to the tty. Then I checked my log file, and it's empty! So that means that all that data sending happens after logging into GUI. I also tried selecting i3 in the lightdm menu instead of cinnamon, but it made no difference from the cinnamon. Is that enough or shall I still boot to multi-user.target?
That is enough.
Edit: Is your internet connection up when you are not logged in? If not, then nothing can be sent before that.
Last edited by progandy (2022-05-25 19:41:05)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Edit: Is your internet connection up when you are not logged in? If not, then nothing can be sent before that.
Yes. Pacman works.
Offline
I booted to multi-user.target, log still empty. Does that mean that this is cinnamon-related problem? Then why using i3 makes no difference?
Offline
No it means it's a GUI-related problem. There's something you are running in both cinnamon and i3 that is sending data. Or perhaps it's the display manager itself - sending data over a network would be an absurd thing for a DM to do, but most of what DMs do is absurd.
Last edited by Trilby (2022-05-25 19:54:07)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Now it depends on e.g. your user session startup. I have no idea what is common between i3 and cinnamon. Maybe you set up some autostart scripts in i3 that start the same as cinnamon, maybe something is in the systemd --user session that is only started in a graphical environment, ...
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Since it's not the boot you could also https://wiki.archlinux.org/title/Wireshark the system from the console before logging in.
Offline
Sorry for misinformation. The log is not empty even in the multi-user.target. It is empty just for a couple of seconds. Then requests begin. The same works in i3.
Offline