Excessive network traffic -

Les Mikesell lesmikesell at gmail.com
Mon Nov 26 20:54:15 UTC 2007


Bob Goodwin wrote:

>>> Mon Nov 26 12:30:44 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:49 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>
>> It's normal if you have some reason to be looking up names.  Try 
>> running tcpdump or wireshark so you can see more about the request.  
>> It seems odd that you don't see any responses coming back.  Does the 
>> modem deal with the private address/NAT for you?
>>
> 
> I can't make any sense out of Wireshark at all.  Data shoots past like a 
> machine gun!  And I can't seem to find how to save it to a log?

Tcpdump will show enough to make sense of dns requests - but assuming 
you are running the GUI for wireshark, just hit 'capture' from the top 
menu, then interfaces, then start on the interface you want.  Expand the 
window so you can see more in the bottom 2 panes.  When you stop the 
capture you can go back and select/sort the entries in the upper pane 
and get decoded info in the bottom 2. Click the triangles in the middle 
pane to expand the network layers of the selected packet and select them 
to see the contents in the lower pane.

> The Wildblue subscriber device is just a box with some flashing lights 
> and an ethernet connector.  It normally feeds a Netgear wireless 
> router however I have box10 connected to an ethernet hub inserted 
> between the Wildblue device and the router via a cable.  So it should be 
> seeing everything passing that point.

OK, then your private address sending to a public address would be 
normal at that point.

> My problem is I really don't know how to interpret the data or for that 
> matter what Wildblue is counting as my usage?  Usage is what the 
> exercise is really about ...  I allowed a limited amount of bandwidth.

You probably want to run a caching nameserver to speed things up and 
reduce this traffic.

> "It's normal if you have some reason to be looking up names."  Yes, I 
> figured that but the box is otherwise idle except for running iptraf and 
> wireshark, perhaps they are doing DNS lookups?

Yes, they would be trying to do reverse lookups on IP addresses for display.

> Presently my signal is blocked with a rain shower, can't send!

That explains the lack of response to the requests.

---
   Les Mikesell
   lesmikesell at gmail.com
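The two questions in this exchange, whether the DNS queries are getting answers and what share of the link's bytes they account for, can be answered from the iptraf-style log lines quoted at the top without reading a Wireshark window in real time. The following is an added example, not code from the thread or from iptraf or Wireshark: it parses lines in that format, pairs each UDP query to port 53 with a reply coming back to the same client port, and totals bytes by protocol and direction. The sample log is constructed; the three query lines mirror the ones quoted above (joined onto single lines where the mail client had wrapped them), and the 142-byte reply and the TCP line are invented to exercise the matching.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the iptraf-style format quoted in the thread.
# Each record is on one line; the reply and the TCP line are invented.
SAMPLE_LOG = """\
Mon Nov 26 12:30:44 2007; UDP; eth1; 60 bytes; from 192.168.1.10:32771 to 12.189.32.61:53
Mon Nov 26 12:30:49 2007; UDP; eth1; 60 bytes; from 192.168.1.10:32771 to 12.189.32.61:53
Mon Nov 26 12:30:55 2007; UDP; eth1; 60 bytes; from 192.168.1.10:32771 to 12.189.32.61:53
Mon Nov 26 12:30:55 2007; UDP; eth1; 142 bytes; from 12.189.32.61:53 to 192.168.1.10:32771
Mon Nov 26 12:31:02 2007; TCP; eth1; 1500 bytes; from 192.168.1.10:41022 to 209.132.176.20:80
"""

# One record: "<timestamp>; <proto>; <iface>; <n> bytes; from <ip>:<port> to <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}); (?P<proto>\w+); "
    r"(?P<iface>\S+); (?P<bytes>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Collapse the space padding iptraf uses for single-digit days before parsing.
    ts = datetime.strptime(" ".join(d["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {
        "ts": ts, "proto": d["proto"], "iface": d["iface"], "bytes": int(d["bytes"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def parse_log(text):
    """Parse every line, silently skipping anything that is not a record."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def direction(rec):
    """'out' for private->public, 'in' for public->private, else 'other'."""
    src_priv = ipaddress.ip_address(rec["src"]).is_private
    dst_priv = ipaddress.ip_address(rec["dst"]).is_private
    if src_priv and not dst_priv:
        return "out"
    if dst_priv and not src_priv:
        return "in"
    return "other"


def summarize(records):
    """Byte totals plus a count of DNS queries that never saw a reply."""
    bytes_by_proto = defaultdict(int)
    bytes_by_dir = defaultdict(int)
    dns_bytes = 0
    answered = 0
    # Outstanding queries keyed by (client ip, client port, server ip), FIFO.
    pending = defaultdict(deque)
    for r in records:
        bytes_by_proto[r["proto"]] += r["bytes"]
        bytes_by_dir[direction(r)] += r["bytes"]
        if r["proto"] == "UDP" and r["dport"] == 53:          # query
            dns_bytes += r["bytes"]
            pending[(r["src"], r["sport"], r["dst"])].append(r["ts"])
        elif r["proto"] == "UDP" and r["sport"] == 53:        # reply
            dns_bytes += r["bytes"]
            key = (r["dst"], r["dport"], r["src"])
            if pending[key]:
                pending[key].popleft()
                answered += 1
    unanswered = sum(len(q) for q in pending.values())
    total = sum(bytes_by_proto.values())
    return {
        "total_bytes": total,
        "bytes_by_proto": dict(bytes_by_proto),
        "bytes_out": bytes_by_dir["out"],
        "bytes_in": bytes_by_dir["in"],
        "dns_queries": answered + unanswered,
        "dns_answered": answered,
        "dns_unanswered": unanswered,
        "dns_share": dns_bytes / total if total else 0.0,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

On the constructed sample this reports three queries, one answered and two unanswered, with DNS making up about 18% of the bytes seen; on a real capture taken at the hub between the Wildblue device and the router, a consistently high unanswered count while the link is up (rather than during a rain fade) is the thing worth looking into, and the per-protocol totals give a rough check against what the provider is counting.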