I got a notice from Comcast that I was nearing my internet monthly limit.

June-July-August, I used almost exactly 200 GB consistently. So far in September, I am up to a terabyte. I do not watch streaming videos, other than occasional short YouTube. I am not doing anything different this month. If anything, missing more online Zoom-type sessions than back in June.

So I assume I have picked up a bot of some kind, most likely on one of my Windows computers I use for Zoom sessions, because the Windows Zoom client is better than the Linux one. For the moment, I have disconnected all the computers in the room where Windows runs.

Network traffic on my desktop displays as negligible, but perhaps if it were infected, that would be hidden from the system monitor.

A complication is that I run my Linux desktop from a general user that does NOT have sudo privileges. I su to the userid that has sudo rights, then sudo apt install packages.

Figuring this was going to be essentially a one-time usage, I installed Wireshark without creating a Wireshark group; perhaps I need to uninstall and do that. Will it solve my problem so that the powerless desktop ID can capture packets?

I think I need to capture packets for a period of time, then take that file and analyze it? A real-time monitor would be nicer, in case the infection is only intermittently active.

Web search/AI says to navigate on the GUI and capture packets, I presume, then I can analyze them on the general ID.

1. I can bring up the Wireshark GUI from the authority-less desktop ID.
2. I cannot bring up the Wireshark GUI from a sudoer or even a root terminal:

    root@OptiPlex-7050:~# wireshark
     ** (wireshark:886012) 08:10:00.286024 [GUI WARNING] -- could not connect to display
     ** (wireshark:886012) 08:10:00.286157 [GUI ERROR] -- This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
    Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
    Aborted (core dumped)

Is there an option I can put on the command line invocation to connect to the GUI? That might be easiest?

-------------------------------------------------------------------------

Attempting to get around, I guess I'm back to newbie status; what have I lost to senility?

    careyschug@OptiPlex-7050:~$ ls -altr root
    total 8
    drwxrwxr-- 25 careyschug careyschug 4096 Sep 23 09:12 ..
    drwxrwxrwx 2 root root 4096 Sep 23 09:19 .
    careyschug@OptiPlex-7050:~$ sudo tshark -i enp0s31f6 -w /home/careyschug/root/wireshark
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'enp0s31f6'
    tshark: The file to which the capture would be saved ("/home/careyschug/root/wireshark") could not be opened: Permission denied.
    careyschug@OptiPlex-7050:~$ sudo touch /home/careyschug/root/wireshark
    careyschug@OptiPlex-7050:~$ ls -altr root
    total 8
    drwxrwxr-- 25 careyschug careyschug 4096 Sep 23 09:12 ..
    -rw-r--r-- 1 root root 0 Sep 23 09:25 wireshark
    drwxrwxrwx 2 root root 4096 Sep 23 09:25 .

----------------------------------------

I was able to start a console log and run tshark displaying to console, accumulating about 10 MB. I cannot find a way to read that into Wireshark, but maybe there are other scripts to just analyze that outside of Wireshark?

For starters, I want to see which local computers have this presumably excess traffic (unless the extra is not all the time and thus is not captured in my console).

As a starter, I can just erase and re-image that computer since there is nothing to be saved (well, I save the message logs from Zoom sessions to USB disks, easily cleared off).

Carey
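One way to total internet traffic per local computer from a saved tshark console log, as an added example that is not part of the original post. It assumes the log holds tshark's default one-line summary (No., Time, Source, Destination, Protocol, Length, Info); the names `side` and `internet_bytes_per_host` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed tshark default summary: No. Time Source → Destination Protocol Length Info
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(?:→|->)\s+(\S+)\s+\S+\s+(\d+)\b")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]

def side(addr):
    """Classify an address column as 'lan', 'wan', or None (MAC, multicast, broadcast)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # ARP and other non-IP frames show MAC addresses or names here
    if ip.is_multicast or ip.is_unspecified or addr == "255.255.255.255":
        return None
    return "lan" if any(ip in net for net in LAN_NETS) else "wan"

def internet_bytes_per_host(lines):
    """Return ({lan_host: {'up': bytes, 'down': bytes}}, unparsed_line_count)."""
    totals, unparsed = defaultdict(lambda: {"up": 0, "down": 0}), 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            unparsed += bool(line.strip())  # banners, wrapped text, other formats
            continue
        src, dst, length = m.group(1), m.group(2), int(m.group(3))
        if side(src) == "lan" and side(dst) == "wan":
            totals[src]["up"] += length      # LAN host sending to the internet
        elif side(src) == "wan" and side(dst) == "lan":
            totals[dst]["down"] += length    # LAN host receiving from the internet
    return dict(totals), unparsed            # LAN-to-LAN frames are not counted

# Constructed sample lines in the assumed console format (not from the post).
SAMPLE = """\
    1 0.000000000 192.168.1.23 → 203.0.113.50 TCP 1514 51544 → 443 [ACK] Seq=1 Ack=1 Win=501 Len=1448
    2 0.000412000 192.168.1.23 → 203.0.113.50 TLSv1.2 1514 Application Data
    3 0.010300000 203.0.113.50 → 192.168.1.23 TCP 66 443 → 51544 [ACK] Seq=1 Ack=2897 Win=1024 Len=0
    4 0.500000000 192.168.1.40 → 192.168.1.1 DNS 74 Standard query 0x1a2b A example.com
    5 0.700000000 aa:bb:cc:dd:ee:ff → Broadcast ARP 42 Who has 192.168.1.1? Tell 192.168.1.40
    6 1.200000000 198.51.100.7 -> 192.168.1.40 TCP 1514 443 -> 40022 [ACK] Seq=1 Ack=1 Win=229 Len=1448
Capturing on 'enp0s31f6'
""".splitlines()

if __name__ == "__main__":
    totals, unparsed = internet_bytes_per_host(SAMPLE)
    for host, t in sorted(totals.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{host:15} up {t['up']:>8} B  down {t['down']:>8} B")
    print(f"unparsed lines: {unparsed}")
```

To run it on a real log, pass the open log file to `internet_bytes_per_host` in place of `SAMPLE`. On a switched network a capture taken on one desktop sees only that machine's own traffic plus broadcasts, so totals for other computers need a capture at the router or on a mirrored switch port.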