On Wed, 24 Sept 2025 at 16:00, Mauro Souza via Talk <talk@lists.gtalug.org> wrote:
If most traffic is inbound, I would say Carey does not have any filesharing issues, but auto update issues: the IP addresses most accessed are mostly for CDN providers, the ones used for hosting update packages. Auto updates will take a lot of traffic, especially snaps. They take a lot of space, and usually when one is updated because of a library issue, you can count on several others having the same library to release updates too. If most of this traffic is outbound, then we have a different history and something is really sending a lot of data outside. And if the traffic is more or less balanced, it's a proxy, torrent, or Tor node running.
How to know? There are some programs for that: iftop, iptraf, nethogs and bmon are easy to use and powerful.
Another non-authority weighing in here. Although I have used almost every tool mentioned so far at one point or another. I have previously (admittedly many years ago) been offended by surges of traffic on my local network, and gone hunting for them. There were two culprits at different times: SparkleShare (file sharing), and browsers. Idle browsers can generate a surprising amount of traffic: no, you didn't ask that page to reload, but their JS says it should reload parts of the page every two minutes, and sometimes more often depending on the ad network involved. And if you have a lot of pages open ... (Recent browsers often stop JS on idle tabs, but not always?) I would add that some of the IPs you posted that Don Tai looked up names for: cloudflare, akaimai, fastly - these are all CDNs: https://en.wikipedia.org/wiki/Content_delivery_network . And browsers talk to these A LOT. My website doesn't use a CDN because it's a low-end hobby thing. But Google, DDG, MSN ... any major website pretty much always uses a CDN. SparkleShare was a fascinating case: the damn thing chewed through a terabyte of data trying to download a 1G file because it would get to 99% and fail - apparently around 1000 times. It was very determined. I had a lot of other issues with it, and it's long gone. Since you know the specific machine that's causing the problem, I second the recommendation of `nethogs`. TUI interface, very clear and easy to read. Another possibility is that a webpage you've loaded (and presumably leave open) is using JS to create a Torrent node (this idea is a bit out there, but it's happened). If `nethogs` says the problem is your browser, something like "about:performance" might help in FF, but I think brute-force is the way to go: just kill tabs one at a time to see when traffic drops. I hope this helps. Let us know if/when you find the problem. I'm interested, and it's a learning experience for all of us. -- Giles https://www.gilesorr.com/ gilesorr@gmail.com