Excessive network traffic -

John Summerfield debian at herakles.homelinux.org
Mon Nov 26 22:17:18 UTC 2007


Bob Goodwin wrote:
> Les Mikesell wrote:
>> Bob Goodwin wrote:
>>>
>>> Below is about thirty seconds of data recorded at the RJ45 connector 
>>> on my Wildblue receiver/modem.  The computer I'm using to test with  
>>> is a new F8 installation [192.168.1.10] and I don't know that it does 
>>> anything F7 didn't do but I see continuous activity, apparently the 
>>> result of DNS activity, since it is to the Wildblue DNS server on 
>>> port 53.  Is that normal?  60 bytes doesn't amount to much of a day's 
>>> usage but still it is consuming bw.
>>>
>>> Bob Goodwin
>>>
>>> Mon Nov 26 12:30:19 2007; UDP; eth1; 63 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:24 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:29 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:34 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:39 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:44 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>> Mon Nov 26 12:30:49 2007; UDP; eth1; 60 bytes; from 
>>> 192.168.1.10:32771 to 12.189.32.61:53
>>
>> It's normal if you have some reason to be looking up names.  Try 
>> running tcpdump or wireshark so you can see more about the request.  
>> It seems odd that you don't see any responses coming back.  Does the 
>> modem deal with the private address/NAT for you?
>>
> 
> I can't make any sense out of Wireshark at all.  Data shoots past like a 
> machine gun!  And I can't seem to find how to save it to a log?

tcpdump -i eth1 -w /tmp/trace -s 9999 port 53

After a while,
^C
then
tcpdump -r /tmp/trace <and whatever the man page suggests and you find 
attractive> | less



> 
> The Wildblue subscriber device is just a box with some flashing lights 
> and an ethernet connector.  It normally feeds a Netgear wireless 
> router however I have box10 connected to an ethernet hub inserted 
> between the Wildblue device and the router via a cable.  So it should be 
> seeing everything passing that point.
> 
> My problem is I really don't know how to interpret the data or for that 
> matter what Wildblue is counting as my usage?  Usage is what the 
> exercise is really about ...  I allowed a limited amount of bandwidth.

Round here IAPs don't count traffic within their own network; I would 
expect that to apply for you too.

> 
> "It's normal if you have some reason to be looking up names."  Yes, I 
> figured that but the box is otherwise idle except for running iptraf and 
> wireshark, perhaps they are doing DNS lookups?

Possibly resolving IP addresses in the traffic you're analysing?


> 
> Presently my signal is blocked with a rain shower, can't send!

With global warming and all, we're having less of that now:-(




-- 

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
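
The following Python script is an added example, not part of the original message. It parses the iptraf log format quoted in the thread and reports, for each UDP flow towards port 53, the query spacing, whether any reply records exist, and the projected bytes per day. The function names are this example's own, and it assumes each record sits on one line (the e-mail line wraps rejoined).

```python
import re
from collections import defaultdict
from datetime import datetime

# The seven iptraf records quoted in the post, rebuilt with line wraps rejoined.
_REC = ("Mon Nov 26 12:30:{:02d} 2007; UDP; eth1; {} bytes; "
        "from 192.168.1.10:32771 to 12.189.32.61:53")
SAMPLE = "\n".join(_REC.format(19 + 5 * i, 63 if i == 0 else 60) for i in range(7))

LINE = re.compile(r"(?P<ts>.+?); (?P<proto>\w+); (?P<ifc>\S+); (?P<size>\d+) bytes; "
                  r"from (?P<src>\S+) to (?P<dst>\S+)")

def parse(text):
    """Yield (time, proto, size, src, dst) for every record that matches."""
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["proto"], int(m["size"]), m["src"], m["dst"]

def dns_query_report(text, port="53"):
    """Summarise each UDP flow towards `port`: count, spacing, replies, daily bytes."""
    flows = defaultdict(list)
    for ts, proto, size, src, dst in parse(text):
        if proto == "UDP":
            flows[(src, dst)].append((ts, size))
    report = []
    for (src, dst), pkts in flows.items():
        if dst.rsplit(":", 1)[-1] != port:
            continue                      # keep only the query direction
        pkts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        mean_size = sum(size for _, size in pkts) / len(pkts)
        report.append({
            "src": src, "dst": dst, "queries": len(pkts),
            "mean_gap_s": mean_gap,
            # A strictly regular gap points at a timer, not at a user.
            "periodic": bool(gaps) and max(gaps) - min(gaps) <= 1,
            # Records in the reverse direction; zero matches the observation
            # in the thread that no responses are visible.
            "replies": len(flows.get((dst, src), [])),
            "bytes_per_day": round(mean_size * 86400 / mean_gap) if mean_gap else None,
        })
    return report

if __name__ == "__main__":
    for row in dns_query_report(SAMPLE):
        print(row)
```

The daily figure covers only the logged query direction and uses the byte counts exactly as iptraf reports them.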



