strange eth0 interface traffic

lnx · 2010-01-03 11:18:01

For almost a week now, I noticed that there is some traffic over the eth0 interface every 3 seconds (90 - 180 B/s). Even when I close all applications like Firefox and Kmail. I don't know what to google on because I don't know what this all about. So, any hints, suggestions are very welcome.

R00KIE · 2010-01-03 12:43:25

That should be easy to spot ... I think. Install iftop, then run it as root or with sudo
iftop -i eth0
Press p n N, this should make it show only ip addresses and port numbers (you can pause the display with P), check the source port, it's on the first column after : (I'm sure you know all this )

Then have another console ready with 'netstat -naptu | grep ' and don't take too long to write the source port after it because the port may be used only once a be freed soon.

The output from netstat should give you the pid of the process and its name.

Hope this helps and I'd like to see how other users would track this down

lnx · 2010-01-03 14:34:06

iftop -i eth0:

192.168.1.255:137 => 192.168.1.101:137 0b 0b 0b
<= 624b 312b 364b

netstat -naptu | grep 137:
nothing

192.168.1.101 is a laptop running Windows Vista with a wireless connection.
IP of my PC is 192.168.1.100. But I don't understand where 192.168.1.255 is coming from.

So far, 5.6 MiB have been received!?

Last edited by lnx (2010-01-03 14:38:44)

jwwolf · 2010-01-03 14:51:50

X.X.X.255 is broadcast.
Your windows machine/samba is trying to resolve a local name using NetBIOS(That is what port 137 is used for).

graysky · 2010-01-03 14:55:32

Probably barking up the wrong tree here: do you have your windows machine's IP addy in your /etc/hosts and does your windows machine have your linux box's IP in its hosts file?

lnx · 2010-01-03 15:00:07

Grayski,
Neither is the case. Should it? I'm using DHCP.

graysky · 2010-01-03 15:03:10

Give it a try and see if it goes away. If nothing else it'll make connections to/from them easier for you, ie: \\linuxboxname\share

jwwolf · 2010-01-03 15:03:29

jwwolf wrote:

X.X.X.255 is broadcast.
Your windows machine/samba is trying to resolve a local name using NetBIOS(That is what port 137 is used for).

R00KIE · 2010-01-03 15:26:16

Oh yes, windows boxes are or used to be very chatty
I'm surprised you don't get more traffic from your windows box.

Oh and in this case as it is an incoming connection it is normal that netstat | grep doesn't output anything, I was mostly thinking about outgoing connections.

If you are using dhcp then things can be simple or tricky, if you can configure your router to always give a certain card the same ip then things are easy, just add the correct entries to both hosts files, if you can't then IPs may change and the annoyance may come back.

I guess you shouldn't worry too much about that though, it seems to be legitimate traffic and a few bytes every 3s is not something that will slow down your home network

graysky · 2010-01-03 16:29:42

deleted

Last edited by graysky (2010-01-03 17:10:40)

Arch Linux

#1 2010-01-03 11:18:01

strange eth0 interface traffic

#2 2010-01-03 12:43:25

Re: strange eth0 interface traffic

#3 2010-01-03 14:34:06

Re: strange eth0 interface traffic

#4 2010-01-03 14:51:50

Re: strange eth0 interface traffic

#5 2010-01-03 14:55:32

Re: strange eth0 interface traffic

#6 2010-01-03 15:00:07

Re: strange eth0 interface traffic

#7 2010-01-03 15:03:10

Re: strange eth0 interface traffic

#8 2010-01-03 15:03:29

Re: strange eth0 interface traffic

#9 2010-01-03 15:26:16

Re: strange eth0 interface traffic

#10 2010-01-03 16:29:42

Re: strange eth0 interface traffic

Board footer