I got a notice from Comcast that I was nearing my internet monthly limit. June-July-August, I used almost exactly 200 GB consistently. So far in September, I am up to a terabyte. I do not watch streaming videos, other than occasional short YouTube. I am not doing anything different this month. If anything, missing more online Zoom-type sessions than back in June. So I assume I have picked up a bot of some kind, most likely on one of my Windows computers I use for Zoom sessions, because the Windows Zoom client is better than the Linux one. For the moment, I have disconnected all the computers in the room where Windows runs. Network traffic on my desktop displays as negligible, but perhaps if it were infected, that would be hidden from the system monitor.

A complication is that I run my Linux desktop from a general user that does NOT have sudo privileges. I su to the userid that has sudo rights, then sudo apt install packages. Figuring this was going to be essentially a one-time usage, I installed Wireshark without creating a Wireshark group; perhaps I need to uninstall and do that. Will it solve my problem so that the powerless desktop ID can capture packets? I think I need to capture packets for a period of time, then take that file and analyze it? A real-time monitor would be nicer, in case the infection is only intermittently active. Web search/AI says to navigate on the GUI and capture packets, I presume, then I can analyze them on the general id.

1. I can bring up the Wireshark GUI from the authority-less desktop ID.
2. I cannot bring up the Wireshark GUI from a sudoer or even a root terminal:

root@OptiPlex-7050:~# wireshark
** (wireshark:886012) 08:10:00.286024 [GUI WARNING] -- could not connect to display
** (wireshark:886012) 08:10:00.286157 [GUI ERROR] -- This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
Aborted (core dumped)

Is there an option I can put on the command line invocation to connect to the GUI? That might be easiest?

-------------------------------------------------------------------------

Attempting to get around this, I guess I'm back to newbie status; what have I lost to senility?

careyschug@OptiPlex-7050:~$ ls -altr root
total 8
drwxrwxr-- 25 careyschug careyschug 4096 Sep 23 09:12 ..
drwxrwxrwx 2 root root 4096 Sep 23 09:19 .
careyschug@OptiPlex-7050:~$ sudo tshark -i enp0s31f6 -w /home/careyschug/root/wireshark
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s31f6'
tshark: The file to which the capture would be saved ("/home/careyschug/root/wireshark") could not be opened: Permission denied.
careyschug@OptiPlex-7050:~$ sudo touch /home/careyschug/root/wireshark
careyschug@OptiPlex-7050:~$ ls -altr root
total 8
drwxrwxr-- 25 careyschug careyschug 4096 Sep 23 09:12 ..
-rw-r--r-- 1 root root 0 Sep 23 09:25 wireshark
drwxrwxrwx 2 root root 4096 Sep 23 09:25 .

----------------------------------------

I was able to start a console log and run tshark displaying to console, accumulating about 10 MB. I cannot find a way to read that into Wireshark, but maybe there are other scripts to just analyze that outside of Wireshark? For starters, I want to see which local computers have this presumably excess traffic (unless the extra is not all the time and thus is not captured in my console). As a starter, I can just erase and re-image that computer since there is nothing to be saved (well, I save the message logs from Zoom sessions to USB disks, easily cleared off).

Carey
On 9/23/25 11:28, CAREY SCHUG via Talk wrote:
I got a notice from Comcast that I was nearing my internet monthly limit.
I run Wireshark and I have 2 icons for it. One just for Wireshark and one for superuser mode. This is on openSuse. However, I am in the Wireshark group. Also, where are you planning on doing the monitoring? Unless you're on the path to the Internet, such as the router, you won't see much of the traffic from your network. I run pfSense for my router, where I can run Packet Capture to capture all the packets or filter what is captured.
This is just my home: one router to Comcast, one local node. I assumed Wireshark would use promiscuous mode and record everything that went to/from Comcast, no?

Carey
On 9/23/25 12:08, CAREY SCHUG wrote:
I assumed Wireshark would use promiscuous mode and record everything that went to/from Comcast, no?
Only if it's in a position to see all the traffic. I got the impression there were multiple computers on your network. That implies a switch, which prevents a computer on one switch port from seeing traffic from another. You will need to use a data tap between that switch and the modem to intercept all the traffic. Here are instructions for making one: https://forum.netgate.com/topic/144521/creating-a-data-tap?_=1732217084711 I used a 1 Gb switch, but these days you might want to get a faster one, depending on how fast your Internet connection is. BTW, years ago, before I switched to pfSense, I used Linux for my router and could run Wireshark on it.
I assume my current switches are not managed. I have one or two 32 port Cisco gigabit switches I bought at a garage sale but never consoled into. I had a CCNA 20 years ago, but have forgotten 99% of that, as I never got a job that used it. The learning curve to figure out how to reset the passwords on the Ciscos would be difficult. I think one had a noisy fan. I thought that switches could put a port into promiscuous mode.

My configuration:

comcast<-->monoprice 8 port gigabit switch<-->monoprice 8 port gb switch

My desktop is on the first switch, the Windows computers are on the second. My computer is 10.0.0.182. There are 3 Windows computers. I verified two of them are 10.0.0.26 and 10.0.0.56; the third I shut down before thinking to verify its IP. I presume the Comcast router is the 10.0.0.1 address I see in the log. Using grep (10.0.0) and grep -v (10.0.0.182) I find, in my log file: 10.0.0.25, 10.0.0.26, 10.0.0.56

carey@OptiPlex-7050:~$ cat wireshark|grep 10.0.0.25|wc -l
38
carey@OptiPlex-7050:~$ cat wireshark|grep 10.0.0.26|wc -l
1693
carey@OptiPlex-7050:~$ cat wireshark|grep 10.0.0.182|wc -l
32288
carey@OptiPlex-7050:~$ cat wireshark|grep 10.0.0.56|wc -l
19

which would imply the problem is my Linux desktop... During the gathering of data above, I started up a Zoom session on one Windows computer and shut down another, probably the .25 one. As far as I could see, there was no local-only traffic.

Carey
On 9/23/25 13:09, CAREY SCHUG wrote:
comcast<-->monoprice 8 port gigabit switch<-->monoprice 8 port gb switch
I have no idea about what that switch can do. Since you don't want to use one of your Cisco switches, then buy a cheap managed switch and follow my instructions. You should be able to find one for around $20 - $30.
First, it looks like the problem is my Linux desktop: traffic going all over the place when I am doing essentially nothing. And I have confirmed the IP addresses of my Windows computers in the log I created on my desktop. Explain how that can be unless Wireshark has put my port into promiscuous mode.

I am getting MANY IP addresses that are not mine, talking to my desktop IP address. Just going through the first part and eyeballing for different IP addresses (I am sure I missed some), maybe 2% of the whole file, I found the following:

cat wireshark|grep 162.159.134.234|wc -l    75
cat wireshark|grep 23.220.246.152|wc -l     852
cat wireshark|grep 3.233.158.26|wc -l       2589
cat wireshark|grep 184.25.113.134|wc -l     63
cat wireshark|grep 3.233.158.25|wc -l       2813
cat wireshark|grep 151.101.3.52|wc -l       531
cat wireshark|grep 207.65.32.79|wc -l       408
cat wireshark|grep 3.233.158.25|wc -l       2813
cat wireshark|grep 18.206.77.82|wc -l       13
cat wireshark|grep 98.87.185.133|wc -l      14
cat wireshark|grep 18.160.225.46|wc -l      152

If Wireshark or some other existing tool cannot go through my listing and extract all the IP addresses, I will work on that, or do other research to find what malware could have infected my computer.

Question: could it be accidental or malicious P2P filesharing was started on my computer? How would I look for the task running it and kill it and prevent it from restarting?

Carey
On 9/23/25 13:56, CAREY SCHUG via Talk wrote:
if wireshark or some other existing tool cannot go through my listing and extract all the ip addresses, i will work on that, or do other research to find what malware could have infected my computer.
You can sort by address in Wireshark. Beyond that, it doesn't do much to sort out traffic.
162.159.134.234  cloudflare
23.220.246.152   akamai
3.233.158.26     AZN
184.25.113.134   Akamai
151.101.3.52     skyca, Fastly

You could download nmap and scan your ports. It will tell you if you have ports open. When I used to try to hack Linux boxes (my own), Linux was really secure. Nothing should be open, unlike Win machines.
Description: GTALUG Talk Unsubscribe via Talk-unsubscribe@lists.gtalug.org Start a new thread: talk@lists.gtalug.org This message archived at https://lists.gtalug.org/archives/list/talk@lists.gtalug.org/message/EAIQZXP...
OK, for the person who has been out of the biz for 25 years, during which things have changed (and that was Solaris, with some differences, and a good corporate firewall), can somebody point me to how to get rid of that stuff??

Carey
CAREY SCHUG via Talk said on Tue, 23 Sep 2025 14:25:56 -0500 (CDT)
OK, for the person who has been out of the biz for 25 years, during which things have changed (and that was Solaris, with some differences, and a good corporate firewall), can somebody point me to how to get rid of that stuff??
Carey
Carey, I'm not an authority, but as far as I know, this kind of usage comes from unauthorized servers. The way you stop unauthorized servers dead in their tracks is to set your firewall so your only servers that can hit the Internet are on port 21 (ssh). And if you don't ssh into your Linux box, then set your firewall to block port 21 also.

SteveT
Steve Litt
http://444domains.com
Steve Litt via Talk wrote on 2025-09-23 21:44:
set your firewall so your only servers that can hit the Internet are on port 21 (ssh)
Port 22 is for ssh. 21 is FTP (and 20 if I recall correctly). If a Windows machine is infected, router stats should indicate which one is generating tons of traffic. Or, it's a Discord problem per Carey's earlier message?
Ron via Talk said on Tue, 23 Sep 2025 22:38:26 -0700
Steve Litt via Talk wrote on 2025-09-23 21:44:
set your firewall so your only servers that can hit the Internet are on port 21 (ssh)
Port 22 is for ssh. 21 is FTP (and 20 if I recall correctly).
Dohhhhhhh! A simple grep ssh /etc/services would have told me that. But nooooo, I went and shot my mouth off. I've never enabled ftp or telnet on my own computers, at least on Linux. Since about 2005 I never used them as clients either. Passwords aren't cheap, and neither is my (or anyone else's) data.

SteveT
Steve Litt
http://444domains.com
That will block incoming connections. OP's problem of outgoing connections still remains.

What distro are you running, Carey?
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.5 LTS
Release:        22.04
Codename:       jammy

Note that after killing all browsers and rebooting, and just now installing iftop, the typical rate seems to be around 20-40 Kb, and the router is blinking less frenetically. We will see if that changes when I bring up the Discord window on the hour for a Zoom session on training with it.

Carey
William Park via Talk said on Wed, 24 Sep 2025 14:03:56 -0400
That will block incoming connections. OP's problem of outgoing connections still remains.
Firewalls can be used to block both outgoing and incoming. Now if you mean that Carey is purposefully accessing a client to a server that sends him tons of stuff, that's a different matter and the solution is to quit using that server.

SteveT
Steve Litt
http://444domains.com
If most traffic is inbound, I would say Carey does not have any filesharing issues, but auto update issues: the IP addresses most accessed are mostly for CDN providers, the ones used for hosting update packages. Auto updates will take a lot of traffic, especially snaps. They take a lot of space, and usually when one is updated because of a library issue, you can count on several others having the same library to release updates too.

If most of this traffic is outbound, then we have a different history and something is really sending a lot of data outside. And if the traffic is more or less balanced, it's a proxy, torrent, or Tor node running.

How to know? There are some programs for that: iftop, iptraf, nethogs and bmon are easy to use and powerful.

Mauro
https://www.maurosouza.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.
Another non-authority weighing in here, although I have used almost every tool mentioned so far at one point or another. I have previously (admittedly many years ago) been offended by surges of traffic on my local network, and gone hunting for them. There were two culprits at different times: SparkleShare (file sharing), and browsers. Idle browsers can generate a surprising amount of traffic: no, you didn't ask that page to reload, but their JS says it should reload parts of the page every two minutes, and sometimes more often depending on the ad network involved. And if you have a lot of pages open ... (Recent browsers often stop JS on idle tabs, but not always?)

I would add that some of the IPs you posted that Don Tai looked up names for: cloudflare, akamai, fastly - these are all CDNs: https://en.wikipedia.org/wiki/Content_delivery_network . And browsers talk to these A LOT. My website doesn't use a CDN because it's a low-end hobby thing. But Google, DDG, MSN ... any major website pretty much always uses a CDN.

SparkleShare was a fascinating case: the damn thing chewed through a terabyte of data trying to download a 1G file because it would get to 99% and fail - apparently around 1000 times. It was very determined. I had a lot of other issues with it, and it's long gone.

Since you know the specific machine that's causing the problem, I second the recommendation of `nethogs`. TUI interface, very clear and easy to read.

Another possibility is that a webpage you've loaded (and presumably leave open) is using JS to create a Torrent node (this idea is a bit out there, but it's happened). If `nethogs` says the problem is your browser, something like "about:performance" might help in FF, but I think brute-force is the way to go: just kill tabs one at a time to see when traffic drops.

I hope this helps.

Let us know if/when you find the problem. I'm interested, and it's a learning experience for all of us.

-- 
Giles
https://www.gilesorr.com/
gilesorr@gmail.com
1. Old, retired guy with poor memory. Back when I was working in servers till ~2002, and then trained in networks including passing the CNA test ~2004, I think I would have understood all the chatter. Not so much any more.

2. Whatever it is, in some fraction of September it was 800 gigabytes. I had consistently used 200 GB per month for the 3 prior months, and was up to a terabyte in just a little over half of September. (Or are those numbers off by a factor of 1000?) (See table at end.)

3. I doubt that is just "browser chatter" with the sites listed. Remember, that list was just my eyeballing a very small part of a tshark log for interesting IP addresses.

4. Setting up a managed switch so I can make a promiscuous port is more than I'd like to take on. I own 100 Mb and Gb Cisco switches I purchased but never powered up. You wouldn't believe the cr*p I have... CDDI, FDDI, fiber, etc. I had ambitious goals for setting up a demonstration lab.

5. In the early days, there were a few 100 Mb hubs (not switches). I thought I found one on eBay, but looked up the part number and it is a 10 Mb switch.

5a. Are there any reasonably priced switches that include (for troubleshooting purposes) a promiscuous port or a physical switch to make one port such? Seems like it would be a useful thing to have available to look for problems without having to take time to reprogram the switch. Note: AI says there are not. Only managed switches.

5b. Would a Cisco 10 Mb switch with 2 100 Mb uplink ports automatically forward everything through the 100 Mb ports? Asked simply, AI seems to say this is often true. Asked again and was told no. If it did work, plug one into my gigabit switch and the other to my Linux computer to get all traffic? Or would the Linux say "hey, only send me one IP"? Can I tell my computer to ask for promiscuity?

6. From observing the blinking of lights, it seemed the problem was on my Linux computer. The tshark log seemed awfully big to support that hypothesis.

7. Among other things, I started unplugging everything when not being used (three Windows used for video conferencing, sometimes overlapping or simultaneous, plus my desktop Linux in a different room). The blinking became less, I *THINK* when I rebooted my Linux system, though I probably had rebooted earlier, but maybe the problems had only been since the last reboot. That is when I noticed how the lights were blinking less.

8. Given past experience with their incompetence, I guess there is a 10% (honestly) or 90% (emotionally) chance Comcast did something stupid, like tell my router to reload everything 4 times, just plain miscalculate, or add in my usage multiple times, I dunno.

9. If nothing above will help, if the issue arises again, I will install wireshark/tshark on 3 computers (and not use the 4th, which was rare anyway) rather than try for promiscuous mode on one, and use the system monitors to figure out which computer is the problem (hitting head, why did I not do that before?), then use tshark and/or wireshark to try to determine what the exact problem is.

10. I purchased a Wireshark book online and it says it has been or is ready to be shipped. I reserved another book from the library and it is ready for me to go pick up.

11. Is there something on the order of iftop or system monitor that will produce a running graph of how many bytes were sent/received to the top 25 or so IP addresses over the last x minutes?

12. I kind of think sometime recently I wanted to download something, clicked where it said, after a while realized it was a torrent making zero progress, thought I cancelled it, but maybe once started, it kept going, and eventually became a sender to many?

13. Realizing it would severely limit my total traffic, I *DO* have a 10 Mb hub that was working years ago. Unfortunately, it has only two AUI ports that could be adapted to twisted pair and connected (1) to Comcast and (2) my Linux computer (and get everything), and the other 6 ports are thin, so I'd need coax to a 10 Mb twisted pair switch with a thin coax port to connect to the Gb switch for the rest of my home network.

14. UNRELATED, but since AI did not know (said "no limit"), if I have switches connected to switches, what is the limit for the total number of addresses one port on the switch can know it has to forward to that port? I assume this varies between models and manufacturers, and hopefully exceeds 253 so a "normal" minimum would never be a problem, but if you were using 10.x, the top switch could have to forward to millions of random addresses on each port.

Carey

December   12/01/2024 - 12/31/2024   238 GB   0 GB
January    01/01/2025 - 01/31/2025   259 GB   0 GB
February   02/01/2025 - 02/28/2025   233 GB   0 GB
March      03/01/2025 - 03/31/2025   274 GB   0 GB
April      04/01/2025 - 04/30/2025   205 GB   0 GB
May        05/01/2025 - 05/31/2025   184 GB   0 GB
June       06/01/2025 - 06/30/2025   208 GB   0 GB
July       07/01/2025 - 07/31/2025   194 GB   0 GB
August     08/01/2025 - 08/31/2025   186 GB   0 GB
September  09/01/2025 - 09/30/2025   964 GB   0 GB
On 09/26/2025 11:45 AM CDT Giles Orr via Talk <talk@lists.gtalug.org> wrote:
On Wed, 24 Sept 2025 at 16:00, Mauro Souza via Talk <talk@lists.gtalug.org> wrote:
If most traffic is inbound, I would say Carey does not have any filesharing issues, but auto update issues: the IP addresses most accessed are mostly for CDN providers, the ones used for hosting update packages. Auto updates will take a lot of traffic, especially snaps. They take a lot of space, and usually when one is updated because of a library issue, you can count on several others having the same library to release updates too. If most of this traffic is outbound, then we have a different history and something is really sending a lot of data outside. And if the traffic is more or less balanced, it's a proxy, torrent, or Tor node running.
How to know? There are some programs for that: iftop, iptraf, nethogs and bmon are easy to use and powerful.
Another non-authority weighing in here. Although I have used almost every tool mentioned so far at one point or another. I have previously (admittedly many years ago) been offended by surges of traffic on my local network, and gone hunting for them. There were two culprits at different times: SparkleShare (file sharing), and browsers. Idle browsers can generate a surprising amount of traffic: no, you didn't ask that page to reload, but their JS says it should reload parts of the page every two minutes, and sometimes more often depending on the ad network involved. And if you have a lot of pages open ... (Recent browsers often stop JS on idle tabs, but not always?)
I would add that some of the IPs you posted that Don Tai looked up names for: cloudflare, akaimai, fastly - these are all CDNs: https://en.wikipedia.org/wiki/Content_delivery_network . And browsers talk to these A LOT. My website doesn't use a CDN because it's a low-end hobby thing. But Google, DDG, MSN ... any major website pretty much always uses a CDN.
SparkleShare was a fascinating case: the damn thing chewed through a terabyte of data trying to download a 1G file because it would get to 99% and fail - apparently around 1000 times. It was very determined. I had a lot of other issues with it, and it's long gone.
Since you know the specific machine that's causing the problem, I second the recommendation of `nethogs`. TUI interface, very clear and easy to read.
Another possibility is that a webpage you've loaded (and presumably leave open) is using JS to create a Torrent node (this idea is a bit out there, but it's happened). If `nethogs` says the problem is your browser, something like "about:performance" might help in FF, but I think brute-force is the way to go: just kill tabs one at a time to see when traffic drops.
I hope this helps.
Let us know if/when you find the problem. I'm interested, and it's a learning experience for all of us.
-- Giles https://www.gilesorr.com/ gilesorr@gmail.com
On Fri, 26 Sept 2025 at 23:48, CAREY SCHUG via Talk <talk@lists.gtalug.org> wrote:
4. setting up a managed switch so I can make a promiscuous port is more than I'd like to take on.
Why are you so intimidated about using a managed switch? "Out of the box" a managed switch will behave the same as an unmanaged one. Logging in to the web interface of the switch and only enabling what you call promiscuous mode (but is more often called monitoring or mirroring) on a port should be relatively easy. A 5 port managed switch won't be very expensive. E.g. https://www.amazon.ca/NETGEAR-Ethernet-Manageable-Affordable-Connectivity/dp... For that Netgear GS305E switch, it's called port mirroring and instructions on how to enable it can be found on page 68 of the User Manual https://www.downloads.netgear.com/files/GDC/GS105EV2/WebManagedSwitches_UM_E...
14. UNRELATED, but since AI did not know (said "no limit"), if I have switches connected to switches, what is the limit for the total number of addresses one port on the switch can know it has to forward to that port? I assume this varies between models and manufacturers, and hopefully exceeds 253 so a "normal" minimum would never be a problem, but if you were using 10.x, the top switch could have to forward to millions of random addresses on each port.
Unless it has extra intelligence, a switch does its routing based on the lower layer MAC addresses, not IP addresses, so it's more of a question of how many devices (unique MAC addresses) can be handled on one port. It's usually done using a global table, i.e. MAC address to port number mapping. The table size would be at least a thousand entries, even for the most basic switch. The GS305E I mentioned above has an 8K table. -- Scott
From: Scott Allen via Talk <talk@lists.gtalug.org>
A 5 port managed switch won't be very expensive. E.g. https://www.amazon.ca/NETGEAR-Ethernet-Manageable-Affordable-Connectivity/dp...
I have some older Netgear "manageable" switches. Bad choice: The brains were in an app that lived in a Windows web browser and the settings became a binary blob uploaded to the switch. Note: this one might be better.

What was bad:
- there was a trivially defeated security mechanism on the blob uploading
- the configuration software only ran on Windows.

I assume that, for a little more money, you can get one with a little web server running on the switch that provides for configuration. I was going to search on Amazon.com (Carey is in the US) but it would only show me items that would ship to Canada. Better for Carey to search.
On Sat, 27 Sept 2025 at 18:22, D. Hugh Redelmeier via Talk <talk@lists.gtalug.org> wrote:
I assume that, for a little more money, you can get one with a little web server running on the switch that provides for configuration.
I have the Netgear GS305E. It has a web interface for configuration. I think there's also dedicated software for Windows and Mac but I've never looked into it, not having any need to use it. -- Scott
On 9/26/25 23:48, CAREY SCHUG via Talk wrote:
setting up a managed switch so I can make a promiscuous port
Why do you keep talking about a promiscuous port on a switch? It's a mirror port. A promiscuous port would be on a computer that is running something like Wireshark. As I mentioned earlier, you can make a "data tap" from a cheap 5 port managed switch, for about $20 - $30. BTW, there's a Wireshark users guide under Help, in Wireshark.
OK, MY language problem, forgetting (or changed) terminology. I took the classes, passed the CNA certification, but never used that knowledge, not even in my home lab. I asked AI the difference between a promiscuous port and a mirror port, and learned that promiscuous was a mode on a NIC, and the port on the switch was in mirror, monitor or SPAN mode. OK, my jogged memory: I recall "monitor" ports and maybe SPAN mode, but really think I never heard it called mirror. I also did not want to wait to order and ship a managed switch, and either did not look hard enough, or misunderstood (or maybe it was the case 20 years ago), thought buying one would be at least $100, maybe $200 or more. For the ones I have it would require finding the procedure to reset the login password, and I thought require setting up a USB serial port to connect to a terminal program, and finding/making a crossover cable, or configuring the serial port correctly. I don't have any VMs, so promiscuous mode is not a security risk (per AI), and from 20 years ago, I thought unless the NIC was set to promiscuous mode, the NIC blocked all traffic to other addresses, and the computer was unaware of any traffic other than its own. I think (but I've been wrong so much, would like to check) these would do it. My current office switch is 8 ports, but should probably replace it and increase, rather than adding another serial link in the chain? https://www.ebay.com/itm/277246206249 https://www.ebay.com/itm/197496478450 Also want to make sure I won't have to set up a second NIC on my desktop computer to use for this. I may have a 100mb usb ethernet port, but maybe only 10mb. Again, it doesn't sound like it from AI searches, but I've been wrong so much.... I found some online information on wireshark, maybe downloaded it, but this aging brain does better with paper. I'm trombones years old. (...led the big parade) I don't understand, do I need to make my NIC be promiscuous?
will wireshark (and tshark) do that automatically?:
... It's a mirror port. A promiscuous port would be on a computer that is running something like Wireshark.
Carey
On Sat, 27 Sept 2025 at 10:48, CAREY SCHUG via Talk <talk@lists.gtalug.org> wrote:
I think (but I've been wrong so much, would like to check) these would do it. My current office switch is 8 ports, but should probably replace it and increase, rather than adding another serial link in the chain? https://www.ebay.com/itm/277246206249 https://www.ebay.com/itm/197496478450
You would want to replace the switch that is attached to your Comcast gateway; the first switch in the chain. You won't need any additional ports on the switch. Just put the port attached to your machine running Wireshark into mirroring mode. Either of the switches you linked to would work but I'm not sure I'd trust a "generic" brand. If an 8 port switch would suffice, and you can get to a Canada Computers store, this TP-Link model would work. https://www.canadacomputers.com/en/managed-smart-switches/74300/tp-link-8-po...
Also want to make sure I won't have to set up a second NIC on my desktop computer to use for this.
No, you don't need a second port dedicated for monitoring.
I don't understand, do I need to make my NIC be promiscuous? will wireshark (and tshark) do that automatically?:
With the proper privileges, Wireshark or tshark will put the NIC into promiscuous mode as necessary. -- Scott
From: CAREY SCHUG via Talk <talk@lists.gtalug.org>
6. from observing the blinking of lights, it seemed the problem was on my Linux computer. The tshark log seemed awfully big to support that hypothesis.
7. among other things, I started unplugging everything when not being used (three Windows used for video conferencing, sometimes overlapping or simultaneous, plus my desktop Linux in a different room). The blinking became less, I *THINK* when I rebooted my Linux system, though I probably had rebooted earlier, but maybe the problems had only been since the last reboot. That is when I noticed how the lights were blinking less.
Try the easy things first. If the problem may just be on your Linux box, then try running, say, "nethogs" on that machine (mentioned by Giles). No need to capture traffic. No need to intercept traffic for other machines. I just tried nethogs on my machine. Seems OK. Some options might be useful but I don't know what they are. -v looks useful: You can set the units and whether the numbers are cumulative. The interactive controls are useful too.
CAREY SCHUG via Talk said on Fri, 26 Sep 2025 22:48:29 -0500 (CDT)
2. whatever it is, in some fraction of September it was 800 gigabytes. I had consistently used 200 GB per month for the 3 prior months, and was up to a terabyte just in a little over half of September. (or are those numbers off by a factor of 1000?) (see table at end)
3. i doubt that is just "browser chatter" ^^^^^
It's an intermittent, intermittents are a bitch, and the root cause could be almost anything. I have a suggestion to add to the list of diagnostic tools you're assembling: A second by second log of network traffic. This might help you see several correlations to help focus in on things. Focusing in is all you can do because it's an intermittent. Here's what I recommend, running as root because that's what iftop likes:

iftop -t | carey.sh >> carey.log

And the following is carey.sh:

====================================================================
#!/usr/bin/env ksh
date "+RESULTS: %Y/%m/%d_%H/%M/%S"
while IFS= read -r line; do
    echo "$line"
    if [[ "$line" == "========="* ]]; then
        printf "\n\n\n"
        date "+RESULTS: %Y/%m/%d_%H/%M/%S"
    fi
done
====================================================================

The carey.log has timestamped headers that make parsing pretty easy. You could even modify carey.sh to ring a bell and throw up a (zenity) message box when traffic goes over a certain amount. Another useful tool, though not for logging, is nethogs, which gives you a view of which of your processes is hogging all the traffic. Once again, run nethogs as root.

HTH,

SteveT
Steve Litt
http://444domains.com
OK, nmap sounds like it does everything but eat. (we had a mainframe utility called debe for that) Any intro web pages for a novice? In my less than 30 minutes of scanning, I had over 32000 packets in/out of my desktop, to a large variety of IP addresses, when I am not doing anything but email. Something is running without my permission. How do I determine what it is? Like list activity by port number as a starting point? Carey
On 09/23/2025 1:21 PM CDT Don Tai <> wrote:
162.159.134.234 cloudflare 23.220.246.152 akamai 3.233.158.26 AZN 184.25.113.134 Akamai 151.101.3.52 skyca, Fastly
You could download nmap and scan your ports. It will tell you if you have ports open. When I used to try to hack linux boxes (my own), Linux was really secure. Nothing should be open, unlike Win machines.
On Tue, 23 Sept 2025 at 13:56, CAREY SCHUG via Talk <talk@lists.gtalug.org mailto:talk@lists.gtalug.org> wrote:
First, it looks like the problem is my Linux desktop. Traffic going all over the place when I am doing essentially nothing.
and I have confirmed the ip addresses of my windows computers in the log i created on my desktop. explain how that can be unless wireshark has put my port into promiscuous mode.
I am getting MANY ip addresses that are not mine, talking to my desktop ip address.
just going through the first part and eyeballing for different IP addresses (I am sure I missed some), maybe 2% of the whole file, I found the following:
cat wireshark|grep 162.159.134.234|wc -l    75
cat wireshark|grep 23.220.246.152|wc -l     852
cat wireshark|grep 3.233.158.26|wc -l       2589
cat wireshark|grep 184.25.113.134|wc -l     63
cat wireshark|grep 3.233.158.25|wc -l       2813
cat wireshark|grep 151.101.3.52|wc -l       531
cat wireshark|grep 207.65.32.79|wc -l       408
cat wireshark|grep 3.233.158.25|wc -l       2813
cat wireshark|grep 18.206.77.82|wc -l       13
cat wireshark|grep 98.87.185.133|wc -l      14
cat wireshark|grep 18.160.225.46|wc -l      152
if wireshark or some other existing tool cannot go through my listing and extract all the ip addresses, i will work on that, or do other research to find what malware could have infected my computer.
question: could it be accidental or malicious p2p filesharing was started on my computer? how would I look for the task running it and kill it and prevent it from restarting?
Carey
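The question above (which local machine is talking, to whom, and in which direction) is what Hugh's inbound/outbound heuristic earlier in the thread needs answered per peer. The following is an added example, not code from anyone on the list: it parses tshark's default one-line console output (the format Carey captured to the console) and totals bytes per remote address, split into inbound and outbound, plus a per-LAN-host total. It assumes the LAN is 192.168.1.0/24 and the sample lines are constructed; for a binary pcap, tshark's own `tshark -r file.pcap -q -z conv,ip` gives per-conversation totals directly.

```python
"""Summarize a tshark text capture by remote IP, direction and local host."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the home LAN prefix. Change it to whatever the gateway hands out.
LAN = ip_network("192.168.1.0/24")

# Default tshark summary columns: No. Time Source -> Destination Protocol Length Info.
# Newer builds print the arrow as "→", older ones as "->"; both are accepted.
LINE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)"
)

# Constructed sample lines in that format (lengths and hosts are made up).
SAMPLE = """\
    1 0.000000000 192.168.1.10 → 162.159.134.234 TLSv1.2 1514 Application Data
    2 0.000312000 162.159.134.234 → 192.168.1.10 TCP 66 443 → 51234 [ACK] Seq=1 Ack=1449
    3 0.001000000 23.220.246.152 → 192.168.1.10 TLSv1.2 1514 Application Data
    4 0.001500000 23.220.246.152 → 192.168.1.10 TLSv1.2 1514 Application Data
    5 0.002000000 192.168.1.10 → 23.220.246.152 TCP 66 51235 → 443 [ACK] Seq=1 Ack=2897
    6 0.003000000 192.168.1.20 → 3.233.158.26 TCP 1514 [TCP segment of a reassembled PDU]
    7 0.003500000 192.168.1.20 → 3.233.158.26 TCP 1514 [TCP segment of a reassembled PDU]
    8 0.004000000 3.233.158.26 → 192.168.1.20 TCP 74 443 → 40000 [ACK] Seq=1 Ack=2897
    9 0.005000000 192.168.1.10 → 192.168.1.255 NBNS 92 Name query NB WORKGROUP<1d>
"""


def parse_line(line):
    """Return (src, dst, proto, length) for an IP frame, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = ip_address(m["src"])
        dst = ip_address(m["dst"])
    except ValueError:  # ARP and other MAC-addressed frames carry no IPs
        return None
    return src, dst, m["proto"], int(m["length"])


def summarize(text, lan=LAN):
    """Aggregate per-remote and per-local-host byte counts from tshark text."""
    remotes = defaultdict(
        lambda: {"in_bytes": 0, "out_bytes": 0, "packets": 0, "local_hosts": set()}
    )
    hosts = defaultdict(int)  # Internet bytes attributable to each LAN address
    lan_bytes = 0             # traffic that never leaves the LAN (broadcasts etc.)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _proto, length = rec
        if src in lan and dst in lan:
            lan_bytes += length
            continue
        if src in lan:        # local -> remote: outbound
            local, remote, key = src, dst, "out_bytes"
        elif dst in lan:      # remote -> local: inbound
            local, remote, key = dst, src, "in_bytes"
        else:                 # neither end is ours (only seen on a mirror port)
            continue
        entry = remotes[str(remote)]
        entry[key] += length
        entry["packets"] += 1
        entry["local_hosts"].add(str(local))
        hosts[str(local)] += length
    return {"remotes": dict(remotes), "hosts": dict(hosts), "lan_bytes": lan_bytes}


def direction(entry, ratio=3):
    """Label a peer with the thread's heuristic: dominant direction or balanced."""
    i, o = entry["in_bytes"], entry["out_bytes"]
    if i >= ratio * max(o, 1):
        return "mostly inbound"
    if o >= ratio * max(i, 1):
        return "mostly outbound"
    return "balanced"


def top_remotes(summary, n=10):
    """Remotes sorted by total bytes, heaviest first."""
    items = summary["remotes"].items()
    return sorted(items, key=lambda kv: kv[1]["in_bytes"] + kv[1]["out_bytes"],
                  reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for ip, e in top_remotes(s):
        print(f"{ip:18} in={e['in_bytes']:>7} out={e['out_bytes']:>7} "
              f"{direction(e):16} hosts={sorted(e['local_hosts'])}")
    for host, total in sorted(s["hosts"].items(), key=lambda kv: -kv[1]):
        print(f"LAN host {host}: {total} bytes to/from the Internet")
```

Run it against a real console log with `summarize(open("wireshark").read())`; peers that come out "mostly outbound" in bulk are the ones worth tying back to a process with nethogs.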
How many win computers do you have running? Turn off one and see if the net traffic is reduced. Then keep turning off one computer at a time. One or more of these win computers are in a bot network. I would trust that the Linux computers are solid. I have, in the past, scanned multiple (my) Linux computers, and they were shut tight. There are also very few, multiple times fewer security vulnerabilities with a Linux system. Trying to crack a Linux computer is extremely difficult. On Tue, 23 Sept 2025 at 16:37, CAREY SCHUG <sqrfolkdnc@comcast.net> wrote:
OK, nmap sounds like it does everything but eat. (we had a mainframe utility called debe for that)
any intro web pages for a novice?
in my less than 30 minutes of scanning, I had over 32000 packets in/out of my desktop, to a large variety of IP addresses, when I am not doing anything but email
something is running without my permission
how do I determine what it is?
like list activity by port number as a starting point?
Carey
the issue was that June-July-August my internet usage was 200 GB and suddenly this month it is nearly a terabyte so far. First, given past experience, I would suggest it is at least 10% chance it is a Comcast problem, such as a bug in their modem causing resends of data or something. No idea how to diagnose that or prove it. Once they closed the pinhole required for dynamic IP requests, nobody I could talk to in support would listen to me (this was back when I was studying this stuff, getting my CNA). But over 2 weeks as more and more people lost access they eventually figured out. I must have been one of the first. I did say "I wasn't doing anything different". May have been an untruth. This was the first time I left a window open in Discord, connected to at least 4 servers. I don't think any of them had audio or video channels open, but I know I was accused of consuming cycles on the server of one of them many years ago. Could Discord be sending/receiving constant chatter and using up my internet allotment? Carey
There is an interesting tool called etherape. It will generate real-time graphs of the traffic on the monitored interface. Last time I used it the downside was that an X or equivalent display was required. It will take PCAP files and generate graphs. I have used it to track down odd traffic problems. Its good for looking at the big picture. wireshark is more of a microscope. -- Alvin Starr || land: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||
thank you, big picture instead of microscope sounds good. Some concerns (besides my last foray with X caused problems many years ago). It says there are 24 forks, but clicking only leads to one...by a guy seriously into bitcoin and other marginal stuff. Installed etherape easily, but it won't run, asking for gtk and libpcap, neither of which seem clear as to where to get them or what the correct version is. The link purportedly for libpcap brought an Opera browser, but not pointing at any useful website. Probably beyond my pay grade. Carey
first, I did get a proper binary file into wireshark. I had been trying to write the file directly to my user directory, so I just let it write into /media then moved it and changed ownership after. I now have a minute or two worth of data in wireshark. That and $5 (or whatever it is now) will get me a cup of coffee. what I need to know is who is talking to all those weird ports and how do I stop it. Carey
On 09/23/2025 12:17 PM CDT James Knott <james.knott@jknott.net mailto:james.knott@jknott.net> wrote:
On 9/23/25 13:09, CAREY SCHUG wrote:
comcast<-->monoprice 8 port gigabit switch<-->monoprice 8 prt gb switch
I have no idea about what that switch can do. Since you don't want to use one of your Cisco switches, then buy a cheap managed switch and follow my instructions. You should be able to find one for around $20 - $30.
On Tue, 23 Sept 2025 at 16:47, CAREY SCHUG via Talk <talk@lists.gtalug.org> wrote:
what I need to know is who is talking to all those weird ports and how do I stop it.
My guess is that unless the machine you took the Wireshark trace on is the one causing your problems, you don't want to stop any of that stuff. Note that if a system is compromised, the malicious software will tend to use standard ports like 80 (HTTP) or 443 (HTTPS) to make it more likely that firewalls along the path won't block it. -- Scott
man lsof
man fuser
man ss (was netstat)

I don't use them often enough to memorize their options.

On 2025-09-23 16:47, CAREY SCHUG via Talk wrote:
first, I did get a proper binary file into wireshark. I had been trying to write the file directly to my user directory, so I just let it write into /media then moved it and changed ownership after. I now have a minute or two worth of data in wireshark. That and $5 (or whatever it is now) will get me a cup of coffee. what I need to know is who is talking to all those weird ports and how do I stop it.
Carey
From: CAREY SCHUG via Talk <talk@lists.gtalug.org>
this is just my home. one router to Comcast, one local node. I assumed wireshark would use promiscuous mode and record everything that went to/from Comcast, no?
This is not particularly clear.

Is the router actually the box provided by Comcast? That would likely be a combination of a
- modem to decode cable signal into ethernet
- a router, including NAT, a packet filter
- an ethernet (wired) switch
- an AP (for WiFi)

Is this correct? What is the model?

"one local node" implies to me that you only have one computer but that seems to contradict other messages which suggest you want your Linux machine to monitor your Windows machine.

I'm guessing that the first thing to do is figure out what machine is generating the traffic. That probably doesn't require wireshark. There are lots of tools to do that (some for Linux, some for Windows). There might even be one in your Comcast router.

If malware is involved, it could be hiding the traffic. If so, you need to measure the traffic on another machine that is party to it. That would be the Comcast box unless you add some hardware.
I think most of this has been answered. If the problem is on the Windows computers, it should be visible to my desktop, right? Perhaps there is MORE traffic on my desktop that is hidden, but there is certainly too much to be explained by my doing nothing during this time but email and maybe a search or two for how to use wireshark. If I collect all the IP addresses (and I note there were a variety) that my desktop talked to, can I go somewhere and see if any are known bad actor sites? Carey
On 09/23/2025 11:56 AM CDT D. Hugh Redelmeier via Talk <talk@lists.gtalug.org> wrote:
From: CAREY SCHUG via Talk <talk@lists.gtalug.org>
this is just my home. one router to Comcast, one local node. I assumed wireshark would use promiscuous mode and record everything that went to/from Comcast, no?
This is not particularly clear.
Is the router actually the box provided by Comcast? That would likely be a combination of a
- modem to decode cable signal into ethernet
- a router, including NAT, a packet filter
- an ethernet (wired) switch
- an AP (for WiFi)
Is this correct? What is the model?
"one local node" implies to me that you only have one computer but that seems to contradict other messages which suggest you want your Linux machine to monitor your Windows machine.
I'm guessing that the first thing to do is figure out what machine is generating the traffic. That probably doesn't require wireshark. There are lots of tools to do that (some for Linux, some for Windows). There might even be one in your Comcast router.
If malware is involved, it could be hiding the traffic. If so, you need to measure the traffic on another machine that is party to it. That would be the Comcast box unless you add some hardware.
"If I collect all the ip address (and i note there were a variety) that my desktop talked to, can i go somewhere and see if any are known bad actor sites?" The IP addresses will generally point to large host providers, who sell individual IPs to anyone. Generally they ALL have bad actors but pay their dues, so the host providers look the other way. On Tue, 23 Sept 2025 at 13:13, CAREY SCHUG via Talk <talk@lists.gtalug.org> wrote:
I think most of this has been answered. If the problem is on the Windows computers, it should be visible to my desktop, right? Perhaps there is MORE traffic on my desktop that is hidden, but there is certainly too much to be explained by my doing nothing during this time but email and maybe a search or two for how to use wireshark.
If I collect all the ip address (and i note there were a variety) that my desktop talked to, can i go somewhere and see if any are known bad actor sites?
Carey
On Tue, Sep 23, 2025 at 11:08:07AM -0500, CAREY SCHUG via Talk wrote:
this is just my home. one router to Comcast, one local node. I assumed wireshark wouild use promiscuous mode and record everything that went to/from comcast, no?
The only traffic you will see on your PC running wireshark is traffic to and from your PC. You will not see other traffic on the network, except broadcast packets. Switches have been common for decades. You had to go back to hubs or thinnet before the entire network was essentially broadcast and you could see everything. It was super inefficient and that is why we don't do that anymore. Only the router can see all the traffic to and from the internet. -- Len Sorensen
On 9/23/25 13:58, Lennart Sorensen via Talk wrote:
Only the router can see all the traffic to and from the internet.
Or use a data tap, as I mentioned earlier. It's easy to make one from a cheap managed switch. I remember those hub days. I used Ethereal, as Wireshark was called back then, to show my manager how I could see user IDs and passwords on the network. Encrypted passwords weren't that common back then. I also remember token ring, where every packet on the network passed through your computer!
On Tue, Sep 23, 2025 at 02:03:18PM -0400, James Knott via Talk wrote:
On 9/23/25 13:58, Lennart Sorensen via Talk wrote:
Only the router can see all the traffic to and from the internet.
Or use a data tap, as I mentioned earlier. It's easy to make one from a cheap managed switch.
I remember those hub days. I used Ethereal, as Wireshark was called back then, to show my manager how I could see user IDs and passwords on the network. Encrypted passwords weren't that common back then. I also remember token ring, where every packet on the network passed through your computer!
Sure, assuming the device isn't on wifi to the router. Which at least in the case of laptops these days is often the case. -- Len Sorensen
On 2025-09-23 11:28, CAREY SCHUG via Talk wrote:
Web search/AI says to navigate on the GUI and capture packets, I presume, then I can analyze them on the general id.
1. I can bring up the Wireshark GUI from the authority-less desktop ID. 2. I cannot bring up the Wireshark GUI from a sudoer or even a root terminal:
I never got the hang of using Wireshark. I always have to read up on it if I feel the need to use it. Some other tools that can help with checking on network activity are ntop and ntopng.
-- Cheers! Kevin. https://www.patreon.com/KevinCozens | "Nerds make the shiny things that | distract the mouth-breathers, and Owner of Elecraft K2 #2172 | that's why we're powerful" #include <disclaimer/favourite> | --Chris Hardwick
participants (13)
- Alvin Starr
- CAREY SCHUG
- D. Hugh Redelmeier
- Don Tai
- Giles Orr
- James Knott
- Kevin Cozens
- Lennart Sorensen
- Mauro Souza
- Ron
- Scott Allen
- Steve Litt
- William Park