How do I find out what is being downloaded? Or what program is the
guilty one?
Assuming you have one NIC connected to the modem,
tcpdump -vv -i eth0
will dump all packets passing through eth0.
--
Rgds
JTD
--
OK, here are some snippets when nothing is running -- no Firefox, no
fetchmail.
---------------------------------------------------
set 0, flags [DF], proto UDP (17), length 69) opium.local.59991 >
mygateway1.ar7.domain: [udp sum ok] 26904+ PTR? 57.0.9.149.in-addr.arpa.
(41)
10:29:23.483585 IP (tos 0x0, ttl 64, id 64126, offset 0, flags [DF],
proto UDP (17), length 69) opium.local.59991 > mygateway1.ar7.domain:
[udp sum ok] 26904+ PTR? 57.0.9.149.in-addr.arpa. (41)
10:29:28.587617 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 69) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 57.0.9.149.in-addr.arpa. (41)
10:29:29.591619 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 69) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 57.0.9.149.in-addr.arpa. (41)
10:29:29.913817 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 69) mygateway1.ar7.domain > opium.local.59991: [udp sum
ok] 26904 ServFail- q: PTR? 57.0.9.149.in-addr.arpa. 0/0/0 (41)
10:29:29.913850 IP (tos 0xc0, ttl 64, id 9222, offset 0, flags [none],
proto ICMP (1), length 97) opium.local > mygateway1.ar7: ICMP
opium.local udp port 59991 unreachable, length 77
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17),
length 69) mygateway1.ar7.domain > opium.local.59991: 26904 ServFail-
q:[|domain]
10:29:31.595617 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 69) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 57.0.9.149.in-addr.arpa. (41)
10:29:33.487932 IP (tos 0x0, ttl 64, id 2340, offset 0, flags [DF],
proto UDP (17), length 69) opium.local.46962 > mygateway1.ar7.domain:
[udp sum ok] 18516+ PTR? 64.5.25.85.in-addr.arpa. (41)
10:29:33.561818 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 186) mygateway1.ar7.domain > opium.local.46962: 18516
q: PTR? 64.5.25.85.in-addr.arpa. 1/2/2 64.5.25.85.in-addr.arpa.
PTR[|domain]
10:29:33.562125 IP (tos 0x0, ttl 64, id 2358, offset 0, flags [DF],
proto UDP (17), length 70) opium.local.54838 > mygateway1.ar7.domain:
[udp sum ok] 65316+ PTR? 251.0.0.224.in-addr.arpa. (42)
10:29:38.487560 arp who-has mygateway1.ar7 tell opium.local
10:29:38.487871 arp reply mygateway1.ar7 is-at 00:0f:3d:dd:3b:5a (oui
Unknown)
10:29:38.559582 IP (tos 0x0, ttl 64, id 2359, offset 0, flags [DF],
proto UDP (17), length 70) opium.local.54838 > mygateway1.ar7.domain:
[udp sum ok] 65316+ PTR? 251.0.0.224.in-addr.arpa. (42)
10:29:43.663627 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 70) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
10:29:44.667619 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 70) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
10:29:44.785969 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 70) mygateway1.ar7.domain > opium.local.54838: [udp sum
ok] 65316 ServFail- q: PTR? 251.0.0.224.in-addr.arpa. 0/0/0 (42)
10:29:44.786004 IP (tos 0xc0, ttl 64, id 9223, offset 0, flags [none],
proto ICMP (1), length 98) opium.local > mygateway1.ar7: ICMP
opium.local udp port 54838 unreachable, length 78
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17),
length 70) mygateway1.ar7.domain > opium.local.54838: 65316 ServFail-
q:[|domain]
10:29:46.671617 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 70) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
10:29:51.710645 IP (tos 0x0, ttl 39, id 8286, offset 0, flags [DF],
proto TCP (6), length 638) 192.108.114.19.9001 > opium.local.56648: P
1:587(586) ack 586 win 204 <nop,nop,timestamp 515877565 650198>
10:29:51.710691 IP (tos 0x0, ttl 64, id 22720, offset 0, flags [DF],
proto TCP (6), length 52) opium.local.56648 > 192.108.114.19.9001: .,
cksum 0xd103 (correct), 586:586(0) ack 587 win 414 <nop,nop,timestamp
662255 515877565>
10:33:14.621666 IP (tos 0x0, ttl 47, id 14674, offset 0, flags [DF],
proto TCP (6), length 638) 149.9.0.57.9001 > opium.local.34760: P
1:587(586) ack 586 win 4183 <nop,nop,timestamp 574952656 650198
------------------------------------------------------
regards,
Sharukh
--
Dr. Sharukh K. R. Pavri. Homoeopath, Linuxer.
Honi soit qui mal y pense. [Evil to him who evil thinks.] -- Motto
of the Order of the Garter (est. Edward III)
----- End forwarded message -----
--
Dr. Sharukh K R Pavri. Homoeopath, Linuxer.
Arithmetic is being able to count up to twenty without taking off
your shoes. -- Mickey Mouse.
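The capture above is the raw `tcpdump -vv` text, wrapped by the mail client, and it answers "where is the traffic going" rather than "which program". The following is an added example, not code from anyone in the thread: it reassembles wrapped records, tallies packets and IP-layer bytes per protocol and remote endpoint, and lists the busiest peers first. The sample lines are copied from the capture above; the local host name `opium.local` and the `proto X (n), length N) src > dst:` header layout are assumptions taken from that capture.

```python
"""Summarise a tcpdump -vv capture by remote endpoint.

Added example, not from the original thread. Assumes the local host is
"opium.local" and the header layout "proto X (n), length N) src > dst:"
as seen in the capture posted above.
"""
import re
from collections import defaultdict

# A record begins with a HH:MM:SS.ffffff timestamp; any other line is a
# continuation of the previous record (mail wrapping, or the inner IP header
# tcpdump prints after an ICMP "port unreachable").
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# IP header fields as tcpdump -vv prints them, then the first "src > dst:"
# pair, which belongs to the outer packet (not an ICMP-quoted inner header).
HEADER_RE = re.compile(
    r"proto (?P<proto>[A-Z]+) \(\d+\), length (?P<length>\d+)\)\s+"
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Lines copied from the capture pasted in the thread above, wrapped as posted.
SAMPLE = """\
10:29:23.483585 IP (tos 0x0, ttl 64, id 64126, offset 0, flags [DF],
proto UDP (17), length 69) opium.local.59991 > mygateway1.ar7.domain:
[udp sum ok] 26904+ PTR? 57.0.9.149.in-addr.arpa. (41)
10:29:28.587617 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto
UDP (17), length 69) opium.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0
PTR (QM)? 57.0.9.149.in-addr.arpa. (41)
10:29:29.913850 IP (tos 0xc0, ttl 64, id 9222, offset 0, flags [none],
proto ICMP (1), length 97) opium.local > mygateway1.ar7: ICMP
opium.local udp port 59991 unreachable, length 77
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17),
length 69) mygateway1.ar7.domain > opium.local.59991: 26904 ServFail-
q:[|domain]
10:29:38.487560 arp who-has mygateway1.ar7 tell opium.local
10:29:38.487871 arp reply mygateway1.ar7 is-at 00:0f:3d:dd:3b:5a (oui
Unknown)
10:29:51.710645 IP (tos 0x0, ttl 39, id 8286, offset 0, flags [DF],
proto TCP (6), length 638) 192.108.114.19.9001 > opium.local.56648: P
1:587(586) ack 586 win 204 <nop,nop,timestamp 515877565 650198>
10:29:51.710691 IP (tos 0x0, ttl 64, id 22720, offset 0, flags [DF],
proto TCP (6), length 52) opium.local.56648 > 192.108.114.19.9001: .,
cksum 0xd103 (correct), 586:586(0) ack 587 win 414 <nop,nop,timestamp
662255 515877565>
10:33:14.621666 IP (tos 0x0, ttl 47, id 14674, offset 0, flags [DF],
proto TCP (6), length 638) 149.9.0.57.9001 > opium.local.34760: P
1:587(586) ack 586 win 4183 <nop,nop,timestamp 574952656 650198
"""


def reassemble(text):
    """Join wrapped lines back into one string per packet."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarise(text, local="opium.local"):
    """Tally {(proto, remote endpoint): {"packets", "in", "out"}}.

    "in"/"out" are IP-layer byte counts from the length field, seen from
    the local host. ARP and other non-IP records are skipped.
    """
    tally = defaultdict(lambda: {"packets": 0, "in": 0, "out": 0})
    for rec in reassemble(text):
        m = HEADER_RE.search(rec)
        if not m:
            continue
        src, dst, length = m["src"], m["dst"], int(m["length"])
        if src == local or src.startswith(local + "."):
            key, direction = (m["proto"], dst), "out"
        else:
            key, direction = (m["proto"], src), "in"
        tally[key]["packets"] += 1
        tally[key][direction] += length
    return dict(tally)


def top_talkers(tally):
    """Return [(remote, proto, total bytes)] with the busiest peer first."""
    rows = [(remote, proto, c["in"] + c["out"])
            for (proto, remote), c in tally.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for remote, proto, total in top_talkers(summarise(SAMPLE)):
        print(f"{total:>6} bytes  {proto:<4} {remote}")
```

On the sample this puts the two TCP peers on port 9001 at the top. tcpdump sees packets, not processes, so to answer the second half of the question map the local port it shows (56648 and 34760 above) to a process while the connection is still open, for example with `ss -tnp` or `lsof -iTCP:56648` on the same host.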