1. old, retired guy with poor memory. Back when I was working in servers till ~2002, and then trained in networks including passing the CNA test ~2004, I think I would have understood all the chatter. Not so much any more.

2. whatever it is, in some fraction of september it was 800 gigabytes. I had consistently used 200 GB per month for the 3 prior months, and was up to a terabyte just in a little over half of september. (or are those numbers off by a factor of 1000?) (see table at end)

3. i doubt that is just "browser chatter" with the sites listed. remember, that list was just my eyeballing a very small part of a tshark log for interesting ip addresses.

4. setting up a managed switch so I can make a promiscuous port is more than I'd like to take on. I own 100mb and gb cisco switches I purchased but never powered up. you wouldn't believe the cr*p I have...cddi, fddi, fiber, etc. I had ambitious goals for setting up a demonstration lab.

5. in the early days, there were a few 100 mb hubs (not switches). i thought I found one on ebay, but looked up the part number and it is a 10 mb switch.

5a. Are there any reasonably priced switches that include (for troubleshooting purposes) a promiscuous port or a physical switch to make one port such? Seems like it would be a useful thing to have available to look for problems without having to take time to reprogram the switch. Note: AI says there are not. Only managed switches.

5b. Would a cisco 10 mb switch with 2 100 mb uplink ports automatically forward everything through the 100mb ports? Asked simple AI seems to say this is often true. asked again and was told no. if it did work, plug one into my gigabit switch and the other to my linux computer to get all traffic? or would the linux say "hey, only send me one ip"? can i tell my computer to ask for promiscuity?

6. from observing the blinking of lights, it seemed the problem was on my linux computer. the tshark log seemed awfully big to support that hypothesis.

7. among other things, i started unplugging everything when not being used (three windows used for video conferencing, sometimes overlapping or simultaneous, plus my desktop linux in a different room). the blinking became less, I *THINK* when i rebooted my linux system, though I probably had rebooted earlier, but maybe the problems had only been since the last reboot. that is when I noticed how the lights were blinking less.

8. given past experience with their incompetence, i guess there is a 10% (honestly) or 90% (emotionally) chance comcast did something stupid, like tell my router to reload everything 4 times, just plain miscalculate, or add in my usage multiple times, I dunno.

9. if nothing above will help, if the issue arises again, I will install wireshark/tshark on 3 computers (and not use the 4th, which was rare anyway) rather than try for promiscuous mode on one, and use the system monitors to figure out which computer is the problem (hitting head, why did i not do that before?), then use tshark and/or wireshark to try to determine what the exact problem is.

10. i purchased a wireshark book online and it says it has been or is ready to be shipped. I reserved another book from the library and it is ready for me to go pick up.

11. is there something on the order of iftop or system monitor that will produce a running graph of how many bytes were sent/received to the top 25 or so ip addresses over the last x minutes?

12. I kind of think sometime recently I wanted to download something, clicked where it said, after a while, realized it was a torrent making zero progress, thought I cancelled it, but maybe once started, it kept going, and eventually became a sender to many?

13. realizing it would severely limit my total traffic, I *DO* have a 10 mb hub that was working years ago. unfortunately, it has only two AUI ports that could be adapted to twisted pair and connected (1) to comcast and (2) my linux computer (and get everything), and the other 6 ports are thin, so i'd need coax to a 10 mb twisted pair switch with a thin coax port to connect to the gb switch for the rest of my home network.

14. UNRELATED, but since AI did not know (said "no limit"), if i have switches connected to switches, what is the limit for the total number of addresses one port on the switch can know it has to forward to that port? I assume this varies between models and manufacturers, and hopefully exceeds 253 so a "normal" minimum would never be a problem, but if you were using 10.x, the top switch could have to forward to millions of random addresses on each port.

Carey

December   12/01/2024 - 12/31/2024   238 GB   0 GB
January    01/01/2025 - 01/31/2025   259 GB   0 GB
February   02/01/2025 - 02/28/2025   233 GB   0 GB
March      03/01/2025 - 03/31/2025   274 GB   0 GB
April      04/01/2025 - 04/30/2025   205 GB   0 GB
May        05/01/2025 - 05/31/2025   184 GB   0 GB
June       06/01/2025 - 06/30/2025   208 GB   0 GB
July       07/01/2025 - 07/31/2025   194 GB   0 GB
August     08/01/2025 - 08/31/2025   186 GB   0 GB
September  09/01/2025 - 09/30/2025   964 GB   0 GB

On 09/26/2025 11:45 AM CDT Giles Orr via Talk <talk@lists.gtalug.org> wrote:
On Wed, 24 Sept 2025 at 16:00, Mauro Souza via Talk <talk@lists.gtalug.org> wrote:
If most traffic is inbound, I would say Carey does not have any filesharing issues, but auto update issues: the IP addresses most accessed are mostly for CDN providers, the ones used for hosting update packages. Auto updates will take a lot of traffic, especially snaps. They take a lot of space, and usually when one is updated because of a library issue, you can count on several others having the same library to release updates too. If most of this traffic is outbound, then we have a different history and something is really sending a lot of data outside. And if the traffic is more or less balanced, it's a proxy, torrent, or Tor node running.
How to know? There are some programs for that: iftop, iptraf, nethogs and bmon are easy to use and powerful.
Another non-authority weighing in here. Although I have used almost every tool mentioned so far at one point or another. I have previously (admittedly many years ago) been offended by surges of traffic on my local network, and gone hunting for them. There were two culprits at different times: SparkleShare (file sharing), and browsers. Idle browsers can generate a surprising amount of traffic: no, you didn't ask that page to reload, but their JS says it should reload parts of the page every two minutes, and sometimes more often depending on the ad network involved. And if you have a lot of pages open ... (Recent browsers often stop JS on idle tabs, but not always?)
I would add that some of the IPs you posted that Don Tai looked up names for: cloudflare, akamai, fastly - these are all CDNs: https://en.wikipedia.org/wiki/Content_delivery_network . And browsers talk to these A LOT. My website doesn't use a CDN because it's a low-end hobby thing. But Google, DDG, MSN ... any major website pretty much always uses a CDN.
SparkleShare was a fascinating case: the damn thing chewed through a terabyte of data trying to download a 1G file because it would get to 99% and fail - apparently around 1000 times. It was very determined. I had a lot of other issues with it, and it's long gone.
Since you know the specific machine that's causing the problem, I second the recommendation of `nethogs`. TUI interface, very clear and easy to read.
Another possibility is that a webpage you've loaded (and presumably leave open) is using JS to create a Torrent node (this idea is a bit out there, but it's happened). If `nethogs` says the problem is your browser, something like "about:performance" might help in FF, but I think brute-force is the way to go: just kill tabs one at a time to see when traffic drops.
I hope this helps.
Let us know if/when you find the problem. I'm interested, and it's a learning experience for all of us.
-- Giles https://www.gilesorr.com/ gilesorr@gmail.com
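
Added example, not written by anyone in this thread: a Python sketch of the per-IP byte totals asked about in item 11, combined with the inbound/outbound/balanced reading from the quoted reply. It reads the tab-separated output of `tshark -T fields`; the LAN subnet `192.168.1.0/24`, the 80% skew threshold and the sample rows are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, in the shape produced by:
#   tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len
SAMPLE = [
    "100.0\t198.51.100.7\t192.168.1.20\t1500",   # older than the window
    "500.0\t203.0.113.10\t192.168.1.20\t1500",
    "600.0\t203.0.113.10\t192.168.1.20\t1500",
    "700.0\t192.168.1.20\t203.0.113.10\t100",
    "800.0\t192.168.1.20\t192.0.2.5\t400",
    "900.0\t192.0.2.5\t192.168.1.20\t300",
    "950.0\t\t\t60",                              # ARP frame: no IP fields
    "1000.0\t192.168.1.20\t192.168.1.1\t200",     # LAN-only, not counted
]

def top_talkers(lines, lan="192.168.1.0/24", window=600, top=25):
    """Return [(remote_ip, bytes_in, bytes_out)] for the last `window` seconds."""
    net = ipaddress.ip_network(lan)  # assumed home subnet
    rows = []
    for line in lines:
        try:  # ValueError covers ARP/IPv6 rows, short lines, multi-valued fields
            ts, src, dst, size = line.rstrip("\n").split("\t")
            rows.append((float(ts), ipaddress.ip_address(src),
                         ipaddress.ip_address(dst), int(size)))
        except ValueError:
            continue
    # The window is measured back from the newest frame in the capture.
    cutoff = max((r[0] for r in rows), default=0) - window
    totals = defaultdict(lambda: [0, 0])  # remote ip -> [bytes in, bytes out]
    for ts, src, dst, size in rows:
        if ts < cutoff:
            continue
        if src in net and dst not in net:
            totals[str(dst)][1] += size   # LAN host sending out
        elif dst in net and src not in net:
            totals[str(src)][0] += size   # LAN host receiving
    ranked = sorted(totals.items(), key=lambda kv: -sum(kv[1]))
    return [(ip, i, o) for ip, (i, o) in ranked[:top]]

def direction(talkers, skew=0.8):  # the 80% threshold is an assumption
    total_in = sum(t[1] for t in talkers)
    total = total_in + sum(t[2] for t in talkers)
    if total == 0:
        return "no traffic"
    share_in = total_in / total
    if share_in >= skew:
        return "mostly inbound"
    return "mostly outbound" if share_in <= 1 - skew else "balanced"
```

Feeding it a fresh slice of capture every minute gives a running top-25 list; it only sees traffic that reaches the capturing interface, so on a switched network it covers the machine it runs on.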