On Fri, Jun 24, 2011 at 1:03 PM, Binand Sethumadhavan binand@gmail.com wrote:
Install wireshark, run a capture, and either analyze it yourself or offer it for download.
Binand
2011/6/24 Sanket Shah 88.sanket@gmail.com
On my Ubuntu 11.04 install on laptop (amd64 arch) as well as desktop (x86 arch) on the office wired LAN (Intranet, not connected to internet), there is a constant 6-15 kilobytes/second data down happening. The LAN works normally at all times, but even with no activity this data down is running.
I checked with internet-connected wifi on laptop and a USB dongle on both, but there was no such data transfer in idle conditions. It doesn't happen when on Windows 7.
Is there a tool to find out which port or software is taking this data? I tried netstat but couldn't make any headway. Searched on ubuntuforums but found nothing close enough. Can somebody please guide me on how to go about it?
-- Sanket Shah -- http://mm.glug-bom.org/mailman/listinfo/linuxers
Thanks a lot for the *wireshark* pointer and sorry for the late reply. I installed & played with it several times. I've found a lot of data coming on ARP & UDP.
I'm not sure how to proceed now. How do I find which application is causing this, or how do I block it? Sample details of an ARP log (Destination is empty):
No.  Time      Source             Destination  Protocol  Info
661  2.987881  Hewlett-_01:03:d9               ARP       Who has 172.136.81.142?  Tell 172.136.38.12

Frame 661: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Jun 29, 2011 11:05:09.163967000 IST
    Epoch Time: 1309325709.163967000 seconds
    [Time delta from previous captured frame: 0.011841000 seconds]
    [Time delta from previous displayed frame: 0.011841000 seconds]
    [Time since reference or first frame: 2.987881000 seconds]
    Frame Number: 661
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Linux cooked capture
    Packet type: Broadcast (1)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Protocol: ARP (0x0806)
    Trailer: 63484d585018f8e7ca9e000000000037ff53
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    [Is gratuitous: False]
    Sender MAC address: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Sender IP address: 172.136.38.12 (172.136.38.12)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.136.81.142 (172.136.81.142)
Could someone help me with how to go about it now? It looks like a machine broadcasting info. There are several sender machines that repeat (here Hewlett-xxx being the machine).
Thanks a lot.
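As an added example, not code from the thread: a small Python script that reads ARP request lines in the Wireshark packet-list format shown above and summarizes them per sender (request count, distinct target addresses, request rate), which is one way to see which LAN hosts are generating the broadcasts and whether any of them is asking for many different addresses, the pattern of a sweep rather than normal address resolution. The sample lines are constructed in that format and are not from the poster's capture.

```python
import re

# Constructed sample lines in Wireshark's packet-list layout
# (No. Time Source [Destination] Protocol Info); not a real capture.
SAMPLE = """\
661 2.987881 Hewlett-_01:03:d9 ARP Who has 172.136.81.142? Tell 172.136.38.12
662 2.991203 Hewlett-_01:03:d9 ARP Who has 172.136.81.143? Tell 172.136.38.12
663 2.995112 Hewlett-_01:03:d9 ARP Who has 172.136.81.144? Tell 172.136.38.12
664 3.001540 Dell_4a:2b:1c Broadcast ARP Who has 172.136.38.1? Tell 172.136.38.77
665 3.004871 Hewlett-_01:03:d9 ARP Who has 172.136.81.145? Tell 172.136.38.12
666 3.010022 Dell_4a:2b:1c Broadcast ARP Who has 172.136.38.1? Tell 172.136.38.77
"""

# Destination column is optional: a Linux cooked capture leaves it empty,
# while an Ethernet capture shows "Broadcast".
ARP_REQ = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(?:\S+\s+)?ARP\s+Who has ([\d.]+)\?\s+Tell ([\d.]+)"
)

def parse_arp_requests(text):
    """Yield (frame_no, time, src_hw, target_ip, sender_ip) for each ARP request line."""
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:
            yield int(m.group(1)), float(m.group(2)), m.group(3), m.group(4), m.group(5)

def summarize_senders(text):
    """Per sender IP: hardware address, request count, distinct targets, first/last time."""
    stats = {}
    for _no, t, hw, target, sender in parse_arp_requests(text):
        s = stats.setdefault(sender, {"hw": hw, "count": 0, "targets": set(), "first": t, "last": t})
        s["count"] += 1
        s["targets"].add(target)
        s["first"], s["last"] = min(s["first"], t), max(s["last"], t)
    return stats

def request_rate(stats, sender):
    """ARP requests per second from one sender over the captured span (0 if only one frame)."""
    s = stats[sender]
    span = s["last"] - s["first"]
    return s["count"] / span if span > 0 else 0.0

def flag_sweepers(stats, min_targets=3):
    """Senders asking for many distinct addresses: worth a closer look on that host."""
    return sorted(ip for ip, s in stats.items() if len(s["targets"]) >= min_targets)

if __name__ == "__main__":
    st = summarize_senders(SAMPLE)
    for ip, s in st.items():
        print(f"{ip} ({s['hw']}): {s['count']} requests, {len(s['targets'])} targets, "
              f"{request_rate(st, ip):.0f}/s")
    print("sweep-like senders:", flag_sweepers(st))
```

Feed it a packet list exported from Wireshark (or saved tshark output in the same column order) to get the per-sender view for a real capture.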