You are not logged in.
- Topics: Active | Unanswered
#26 2022-05-25 20:51:58
- seth
- Member
- Registered: 2012-09-03
- Posts: 60,896
Re: What data does arch send and recive by the Internet after booting?
You could still setup a systemd service and/or otherwise trigger a wireshark recording of the traffic (or, w/ a couple of seconds time even kick it off manually)
But typically this will be NM pinging the connectivity check - or did you disable that?
https://wiki.archlinux.org/title/Networ … nnectivity
Offline
#27 2022-05-26 11:46:50
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
OK I tried using tshark command instead of tcpdump. Here is the log - https://disk.yandex.ru/d/I03h1Xue1IzYMQ. As you can see it frozen at the middle of the line. It even does not react to "ping google.com". Sometimes it starts to work again after that freeze if many requests happen. Idk why isn't it working? tcpdump also freezes like that. I also changed my python script to "/bin/tshark > /home/username/inet-log.txt" and tried using direct connection to the router instead of my Android phone. Now received data=1kib, transmitted data=2kib. When logger starts working after freeze, I see something like this: https://disk.yandex.ru/d/SqQbaQu-nEBfGg. It seems like it is scanning local network for other connected devices like "Redmi Note 10S" (see line 155). This phone is actually connected to the same router. Is it possible to switch off that scanning?
Offline
#28 2022-05-26 11:50:24
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Also tried disabling NM pinging. There was no "/etc/NetworkManager/conf.d/20-connectivity.conf" file. So I created it:
[connectivity]
enabled=falseOffline
#29 2022-05-26 11:57:24
- Maniaxx
- Member
- Registered: 2014-05-14
- Posts: 757
Re: What data does arch send and recive by the Internet after booting?
It'd probably be much easier if you'd monitor the traffic from outside (e.g. linux router). This could also be an intermediate server like RPi or rooted Android phone.
sys2064
Offline
#30 2022-05-26 12:05:51
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
It'd probably be much easier if you'd monitor the traffic from outside (e.g. linux router). This could also be an intermediate server like RPi or rooted Android phone.
I don't know how to do that. And what should it give me? I can already see some requests. But I don't know what process does that requests. It would be much more useful if there was a way to see, what program does all of that.
Offline
#31 2022-05-26 13:09:02
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,279
Re: What data does arch send and recive by the Internet after booting?
Maybe you can run nethogs in trace mode and use nethogs-parser (a -git package is in the AUR) to inspect the logs and find the processes.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#32 2022-05-26 13:40:38
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Maybe you can run nethogs in trace mode and use nethogs-parser (a -git package is in the AUR) to inspect the logs and find the processes.
OK I did it.
/var/lib/nethogs/2022-05-26_18-32-28.log :
Refreshing:
unknown TCP/0/0 0 0.0105469
Unknown connection: 192.168.42.38:56762-185.125.188.60:443This lines repeated many times. When I "ping google.com" nothing changes. When I open firefox it seas:
Refreshing:
/usr/lib/firefox/firefox/1993/1000 5.9248 14.5887
unknown TCP/0/0 0.025 0.0144531
/usr/lib/firefox/firefox/2053/1000 0.173438 0
Unknown connection: 192.168.42.38:49960-54.192.99.45:443Offline
#33 2022-05-26 13:49:12
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Found this report on stack exchange: https://unix.stackexchange.com/question … is-it-safe
His issue is almost the same as mine
Offline
#34 2022-05-26 13:52:00
- seth
- Member
- Registered: 2012-09-03
- Posts: 60,896
Re: What data does arch send and recive by the Internet after booting?
185.125.188.60 is canonical (the Ubuntu company) - did you try "netstat -tulpen" (but it's likely snapd…)
The SE thread has a connection to 91.98.103.126 (Iranian server) on port 80, it's not nearly the same.
Offline
#35 2022-05-26 14:00:54
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Yes, it's snap. I disabled snap again. Now it seas:
Adding local address: 192.168.42.38
Adding local address: fe80::3cb9:3f99:371f:86a8
Ethernet link detected
Refreshing:
unknown TCP/0/0 0 0
Refreshing:
unknown TCP/0/0 0 0
Refreshing:
unknown TCP/0/0 0 0
........Offline
#36 2022-05-26 14:54:19
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Probably there is nothing suspicious in that data transmitting. Maybe it's just a regular thing that is done every time I connect to a modem. Here is log without any devices in local network: https://disk.yandex.ru/d/Q6l9X2HHZdecRA
Here's what I found:
192.168.42.38 is local my ip (but it's not in that log)
192.168.42.129 is my "default route" (idk what's that)
fe80::3cb9:3f99:371f:68a8 is my local ipv6 (also not in log)
fe80::640b:b2ff:fe80:c8fb - whats that?? Whois tells that it's IANA. It also tells that my local ip and "default rote" belong to IANA. So probably this ipv6 is something local too.
igmp.mcast.net - whats that? After googling I found this question. Someone answered that "t's a "multicast" address". Probably that means that my computer tries to send something to other devices in the local network or to scan local network.
Another question is why does snap connect to the Internet? What is it doing?
Last edited by busy beaver (2022-05-26 16:57:35)
Offline
#37 2022-05-26 14:58:44
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Also almost the same requests happen when I reconnect my phone (in usb-modem mode).
Offline
#38 2022-05-26 14:59:10
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: What data does arch send and recive by the Internet after booting?
Probably there is nothing suspicious in that data transmitting.
Probably? If you're referring to the snapd data (which appears to be the only suspicious actual wan connection), then why would you make this assumption? It is indeed probably "normal" for snapd to do this and it is almost certainly intended by the snapd authors. But the fact that it is normal and intended does not make it any less suspicious.
Another question it why does snap connect to the Internet? What is it doing?
Whatever it wants. Do you trust the authors of snapd? And / or have you audited the source code? If you can't answer yes to either of these, that could be a problem. Even if you identify what it's doing today, that may not be the same thing it's doing tomorrow. If you trust the source of the software, you should be fine; if you don't, identifying what it's doing today should make it any more trustworthy tomorrow.
If I'm feeling generous, I'd speculate that it's polling for updates or some such housekeeping task. But I'd also not be surprised if it was "phoning home" so the upstream authors could keep a running metric of snapd usage. And note that the latter goal is often hidden by the former as an excuse.
Last edited by Trilby (2022-05-26 15:01:30)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#39 2022-05-26 15:13:48
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Probably? If you're referring to the snapd data (which appears to be the only suspicious actual wan connection), then why would you make this assumption? It is indeed probably "normal" for snapd to do this and it is almost certainly intended by the snapd authors. But the fact that it is normal and intended does not make it any less suspicious.
No. I'm talking about all other data. Like what's fe80::640b:b2ff:fe80:c8fb and igmp.mcast.net? I know that what's snap doing is suspicious.
Whatever it wants. Do you trust the authors of snapd? And / or have you audited the source code? If you can't answer yes to either of these, that could be a problem. Even if you identify what it's doing today, that may not be the same thing it's doing tomorrow. If you trust the source of the software, you should be fine; if you don't, identifying what it's doing today should make it any more trustworthy tomorrow.
If I'm feeling generous, I'd speculate that it's polling for updates or some such housekeeping task. But I'd also not be surprised if it was "phoning home" so the upstream authors could keep a running metric of snapd usage. And note that the latter goal is often hidden by the former as an excuse.
Probably you're right. I'll try to stop to use snap. I use it just because Visual Studio Code from snap works better than from arch repos. There is some bugs with extensions in VSCode from arch's repos.
Edit: found "visual-studio-code-bin" AUR package. Works good.
Last edited by busy beaver (2022-05-26 16:58:58)
Offline
#40 2022-05-26 15:35:24
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: What data does arch send and recive by the Internet after booting?
If you're referring to the snapd data (which appears to be the only suspicious actual wan connection)...
No. I'm talking about all other data. Like what's fe80::640b:b2ff:fe80:c8fb and igmp.mcast.net
Those are lan connections. These will depend on your router / ISP. I'm far from well-versed enough to know exactly what goes on between the local machine and the router / modem / etc - but data is sent and received to negotiate a connection, to request and assign an IP address, etc. This is part of connecting to the network.
Last edited by Trilby (2022-05-26 15:37:34)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#41 2022-05-26 16:04:11
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,279
Re: What data does arch send and recive by the Internet after booting?
fe80::640b:b2ff:fe80:c8fb - whats that??
I'd guess it is the link-local ipv6 address of your router
https://www.cisco.com/c/en/us/support/d … 6-lla.html
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#42 2022-05-26 16:09:05
- Slithery
- Administrator
- From: Norfolk, UK
- Registered: 2013-12-01
- Posts: 5,776
Re: What data does arch send and recive by the Internet after booting?
Like what's ... igmp.mcast.net?
A quick Google search would tell you exactly what this is. Everyone that uses Arch is expected to do there own research before asking easily answered questions on the forums.
Offline
#43 2022-05-26 16:13:25
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
A quick Google search would tell you exactly what this is. Everyone that uses Arch is expected to do there own research before asking easily answered questions on the forums.
Yes and I did search it before asking (see above). I just wasn't confident.
Offline
#44 2022-05-26 16:16:28
- busy beaver
- Member
- From: Russia
- Registered: 2022-05-25
- Posts: 29
Re: What data does arch send and recive by the Internet after booting?
Those are lan connections. These will depend on your router / ISP. I'm far from well-versed enough to know exactly what goes on between the local machine and the router / modem / etc - but data is sent and received to negotiate a connection, to request and assign an IP address, etc. This is part of connecting to the network.
I'd guess it is the link-local ipv6 address of your router
https://www.cisco.com/c/en/us/support/d … 6-lla.html
Thanks for answering!
Offline