I am using MTNL's Triband combo offer which gives 600 mb download a month. This has been upped from 400 mb just last month.
All this while, I was easily remaining within the 400 mb limit. Suddenly this month's bill shows a usage of 870 mb for march. On complaining to mtnl they said that that was the usage according to them.
I usually run a check with knetworkmonitor and gkrellm and there would always be a small discrepancy between the usage shown on my machine and that shown by mtnl, where mtnl would always show slightly lower usage than on my machine.
For last month gkrellm shows a usage of 560 mb as opposed to mtnl showing 870 mb. What can explain this large difference ? Btw, according to the chap I spoke to at mtnl, _it is definitely hackers_ sic !!
Now that I'm keeping a watch, imagine my surprise when both my programs show download activity without a single browser window open and fetchmail having been killed !!
How do I find out what is being downloaded ? or what program is the guilty one ?
regards,
Sharukh.
On Saturday 18 April 2009 10:54:30 jtd wrote:
How do I find out what is being downloaded ? or what program is the guilty one ?
assuming you have one nic connected to the modem
tcpdump -vv -i eth0 will dump all packets passing thru eth0
maybe somewhere he has told some package to automatically update itself? Or is someone trying a brute force attempt to ssh into the system? shutting down sshd - if it is running - may help. /var/log/messages would normally show attempts at ssh login.
On Sat, 18 Apr 2009, Kenneth Gonsalves wrote:
On Saturday 18 April 2009 10:54:30 jtd wrote:
How do I find out what is being downloaded ? or what program is the guilty one ?
assuming you have one nic connected to the modem
tcpdump -vv -i eth0 will dump all packets passing thru eth0
maybe somewhere he has told some package to automatically update itself? Or is someone trying a brute force attempt to ssh into the system? shutting down sshd - if it is running - may help. /var/log/messages would normally show attempts at ssh login. -- regards Kenneth Gonsalves
There's nothing in /var/log/messages. I always have a tail -f running on it. I'm also running arno's iptables firewall with no changes in the last couple of months.
regards,
Sharukh
On Sat, 18 Apr 2009, jtd wrote:
On Friday 17 April 2009, Dr. Sharukh K. R. Pavri. wrote:
How do I find out what is being downloaded ? or what program is the guilty one ?
assuming you have one nic connected to the modem
tcpdump -vv -i eth0 will dump all packets passing thru eth0
ok will do that and get back. The machine is at my clinic so can only do this on monday.
-- Rgds JTD --
regards,
Sharukh.
Dr. Sharukh K. R. Pavri. wrote:
I am using MTNL's Triband combo offer which gives 600 mb download a month. This has been upped from 400 mb just last month.
All this while, I was easily remaining within the 400 mb limit. Suddenly this month's bill shows a usage of 870 mb for march. On complaining to mtnl they said that that was the usage according to them.
I usually run a check with knetworkmonitor and gkrellm and there would always be a small discrepancy between the usage shown on my machine and that shown by mtnl, where mtnl would always show slightly lower usage than on my machine.
For last month gkrellm shows a usage of 560 mb as opposed to mtnl showing 870 mb. What can explain this large difference ? Btw, according to the chap I spoke to at mtnl, _it is definitely hackers_ sic !!
This (hacker) is quite possible. Please check your user name and password. A standard MTNL process is to have your telephone no as user name and Customer number as password. So it is possible for anyone who has any of your phone bills to be able to access triband with the billing coming to you. If you have not already done so, please change your password, both on mtnl site and on your modem. This matter was discussed earlier so details of it should be in the archives. (if you miss one of the steps you will get stuck)
Now that I'm keeping a watch, imagine my surprise when both my programs show download activity without a single browser window open and fetchmail having been killed !!
How do I find out what is being downloaded ? or what program is the guilty one ?
regards,
Sharukh.
On Saturday 18 Apr 2009, scrapo wrote:
For last month gkrellm shows a usage of 560 mb as opposed to mtnl showing 870 mb. What can explain this large difference ? Btw, according to the chap I spoke to at mtnl, _it is definitely hackers_ sic !!
This (hacker) is quite possible. Please check your user name and password. A standard MTNL process is to have your telephone no as user name and Customer number as password. So it is possible for anyone who has any of your phone bills to be able to access triband with the billing coming to you. If you have not already done so, please change your password, both on mtnl site and on your modem. This matter was discussed earlier so details of it should be in the archives. (if you miss one of the steps you will get stuck)
If you're quite sure that you haven't done the transfers (whether intentionally or unintentionally), you could also ask MTNL to produce caller ID records of all the connections to your account in the past month. For obvious reasons, all the connections must have been from your phone. If any aren't, you can always register an FIR, take things to court and spend a year or two in a tripartite fight (you, MTNL and the supposed ``hacker'') recovering your money :)
Seriously, though, MTNL should be able to provide you with CID records for your account on demand in case of a dispute anyway. If they don't that /is/ something worth fighting for IMO. Try a formal notice to the Commercial Officer on paper through snail mail.
Regards,
-- Raju
On Saturday 18 April 2009 11:26:28 scrapo wrote:
For last month gkrellm shows a usage of 560 mb as opposed to mtnl showing 870 mb. What can explain this large difference ? Btw, according to the chap I spoke to at mtnl, _it is definitely hackers_ sic !!
This (hacker) is quite possible.
how can it be a hacker if he sees traffic going through *his* modem??? Unless he has a gremlin in his box?
On Sat, 18 Apr 2009, scrapo wrote:
Dr. Sharukh K. R. Pavri. wrote:
I am using MTNL's Triband combo offer which gives 600 mb download a month. This has been upped from 400 mb just last month.
All this while, I was easily remaining within the 400 mb limit. Suddenly this month's bill shows a usage of 870 mb for march. On complaining to mtnl they said that that was the usage according to them.
I usually run a check with knetworkmonitor and gkrellm and there would always be a small discrepancy between the usage shown on my machine and that shown by mtnl, where mtnl would always show slightly lower usage than on my machine.
For last month gkrellm shows a usage of 560 mb as opposed to mtnl showing 870 mb. What can explain this large difference ? Btw, according to the chap I spoke to at mtnl, _it is definitely hackers_ sic !!
This (hacker) is quite possible. Please check your user name and password. A standard MTNL process is to have your telephone no as user name and Customer number as password.
done that long ago.
regards,
Sharukh
Dr. Sharukh K. R. Pavri. wrote:
Now that I'm keeping a watch, imagine my surprise when both my programs show download activity without a single browser window open and fetchmail having been killed !!
How do I find out what is being downloaded ? or what program is the guilty one ?
Whenever you start the OS, some amount of background internet activity takes place due to KDE and Gnome based package update checking utilities. However, after a few minutes it should stop. You can find out active connections by running 'netstat' as admin. Your Triband usage session history is available at register.mtnl.net.in . If you have the username as TelephoneNum@a then use the alternate link on the same page to log in.
You haven't mentioned the usage pattern of your internet. Is it single computer and single user or do other systems in your premises connect too?
On Sat, 18 Apr 2009, Rony wrote:
Dr. Sharukh K. R. Pavri. wrote:
Now that I'm keeping a watch, imagine my surprise when both my programs show download activity without a single browser window open and fetchmail having been killed !!
How do I find out what is being downloaded ? or what program is the guilty one ?
Whenever you start the OS, some amount of background internet activity takes place due to KDE and Gnome based package update checking utilities. However, after a few minutes it should stop. You can find out active connections by running 'netstat' as admin. Your Triband usage session history is available at register.mtnl.net.in . If you have the username as TelephoneNum@a then use the alternate link on the same page to log in.
You haven't mentioned the usage pattern of your internet. Is it single computer and single user or do other systems in your premises connect too?
single user, single computer, hardly any browsing, mainly checking on medical stuff on medscape, webmd, wikipedia. Some email. Nothing different from what I've been doing for the last couple of years. In fact I didn't even know that the download cap had been increased to 600 mb till almost the end of march.
regards,
Sharukh.
Dr. Sharukh K. R. Pavri. wrote:
single user, single computer, hardly any browsing, mainly checking on medical stuff on medscape, webmd, wikipedia. Some email. Nothing different from what I've been doing for the last couple of years. In fact I didn't even know that the download cap had been increased to 600 mb till almost the end of march.
What does your session history on the mtnl site show. Are you downloading too much compared to your usage? How long does your background involuntary network activity go on?
On Friday 17 Apr 2009, Dr. Sharukh K. R. Pavri. wrote:
I am using MTNL's Triband combo offer which gives 600 mb download a month. This has been upped from 400 mb just last month.
It is quite likely there is a glitch in the MTNL billing system. I just got my bill yesterday for March. Starting from March, I had switched to the 512 Kbps unlimited plan in which the CPE rental of Rs. 50 is waived. Yet, lo and behold, there is a line item for CPE rental Rs. 50!
Their punch line "MTNL hai to sahi hai."
I usually run a check with knetworkmonitor and gkrellm and there would always be a small discrepancy between the usage shown on my machine and that shown by mtnl, where mtnl would always show slightly lower usage than on my machine.
You can capture the total packet traffic on eth0 from the output of ifconfig when you reboot/poweroff
<transcript>
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1F:D0:E9:15:61
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10488 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9436 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10218799 (9.7 Mb)  TX bytes:1105652 (1.0 Mb)
          Interrupt:252 Base address:0xc000
<transcript>
Capture the line RX bytes and TX bytes into a table and sum it up at the end of the month for your totals. (write a shell script and include it in the shutdown/reboot process)
HTH, Arun Khan
On Sunday 19 Apr 2009, Arun Khan wrote:
Capture the line RX bytes and TX bytes into a table and sum it up at the end of the month for your totals. (write a shell script and include it in the shutdown/reboot process)
The following in _one_ line should get the ball rolling for the script
/sbin/ifconfig eth0 | egrep "RX bytes" | sed -e 's/[ ]\{2,\}//g' -e 's/([0-9]\{1,\}.[0-9]\{1,\} [KM]b)//g' >> <filename>
sidebar: for regular expression see this http://www.regular-expressions.info/reference.html
HTH
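The procedure from the two messages above (record the RX/TX byte counters, then sum them per month), written out as an added example that is not code from the thread. The log format, the function names and the use of the kernel boot id to tell one boot's counters from the next are assumptions of this example; it parses the ifconfig output format shown in the transcript.

```shell
#!/bin/sh
# Added example. Log line format (this example's own choice):
#   YYYY-MM-DD boot_id rx_bytes tx_bytes

# Extract "rx tx" byte counters from old-style ifconfig output on stdin.
parse_ifconfig() {
    sed -n 's/.*RX bytes:\([0-9][0-9]*\).*TX bytes:\([0-9][0-9]*\).*/\1 \2/p'
}

# Append one sample for interface $1 to log file $2.
log_sample() {
    counters=$(/sbin/ifconfig "$1" | parse_ifconfig)
    [ -n "$counters" ] || return 1
    echo "$(date +%F) $(cat /proc/sys/kernel/random/boot_id) $counters" >> "$2"
}

# Read the log on stdin, print "YYYY-MM rx_total tx_total" per month.
monthly_totals() {
    awk '{
        month = substr($1, 1, 7)
        drx = $3 - rx; dtx = $4 - tx
        # New boot, or counters went backwards (driver reload): the counters
        # restarted from zero, so the whole current value is new traffic.
        if ($2 != boot || drx < 0 || dtx < 0) { drx = $3; dtx = $4 }
        sumrx[month] += drx; sumtx[month] += dtx
        boot = $2; rx = $3; tx = $4
    }
    END { for (m in sumrx) printf "%s %.0f %.0f\n", m, sumrx[m], sumtx[m] }' |
    LC_ALL=C sort
}

# Usage: script sample <iface> <logfile>   |   script totals <logfile>
case "${1:-}" in
    sample) log_sample "$2" "$3" ;;
    totals) monthly_totals < "$2" ;;
esac
```

Run the `sample` form from the shutdown/reboot scripts and, if wanted, from cron as well; because each sample carries the boot id, several samples within one boot are counted as differences and not added up twice.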
/sbin/ifconfig eth0 | egrep "RX bytes" | sed -e 's/[ ]\{2,\}//g' -e 's/([0-9]\{1,\}.[0-9]\{1,\} [KM]b)//g' >> <filename>
I feel people who can write regular expression are the most brilliant people on this earth :-))
Warm Regards,
Mr. Mukund Deshmukh, Beta Computronics Pvt Ltd. 10/1 IT Park, Parsodi, Nagpur -440022 India. Web site - http://betacomp.com
Meet us at our Booth 10.1 A09 , CHINAPLAS 2009 , May 18 - 21, 2009, Pazhou Complex, Guangzhou, CHINA.
On Monday 20 Apr 2009, Mukund Deshmukh wrote:
/sbin/ifconfig eth0 | egrep "RX bytes" | sed -e 's/[ ]\{2,\}//g' -e 's/([0-9]\{1,\}.[0-9]\{1,\} [KM]b)//g' >> <filename>
I feel people who can write regular expression are the most brilliant people on this earth :-))
The above is quite simple, some of the stuff that I have seen from PERL geeks boggles my mind but testing our regular expressions before putting them into action/production is a must :D
On Monday 20 Apr 2009 09:28:49 Arun Khan wrote:
On Monday 20 Apr 2009, Mukund Deshmukh wrote:
/sbin/ifconfig eth0 | egrep "RX bytes" | sed -e 's/[ ]\{2,\}//g' -e 's/([0-9]\{1,\}.[0-9]\{1,\} [KM]b)//g' >> <filename>
I feel people who can write regular expression are the most brilliant people on this earth :-))
Actually, It could take more effort to read and decipher a complex regex written by someone else :P
The above is quite simple,
Well, I figure that it's all the extra \ that BRE makes you put in that makes it look `impressive' to newbies ;) For instance, with ERE, one could use just + instead of {1,}. GNU's sed allows ERE with -r btw. Not portable, of course.
some of the stuff that I have seen from PERL geeks boggles my mind
Hehehe, like a `proper' regex for matching email addresses :P http://www.regular-expressions.info/email.html
but testing our regular expressions before putting it into action/production is a must :D
Agreed.
Mrugesh
On Monday 20 April 2009 09:12:51 Mukund Deshmukh wrote:
/sbin/ifconfig eth0 | egrep "RX bytes" | sed -e 's/[ ]\{2,\}//g' -e 's/([0-9]\{1,\}.[0-9]\{1,\} [KM]b)//g' >> <filename>
I feel people who can write regular expression are the most brilliant people on this earth :-))
no - the most brilliant ones are those that can *read* regexes that other people write.
Hi,
Now that I'm keeping a watch, imagine my surprise when both my programs show download activity without a single browser window open and fetchmail having been killed !!
How do I find out what is being downloaded ? or what program is the guilty one ?
$ netstat -ntpa
btw,
a. The hacker theory is not too far fetched ... although I'll make no comments on the ability of MTNL folks to figure that out as a _definite_ reason.
b. With what you've mentioned, it is possible that you have some background updates or some such thing.
c. The last (and a bit unlikely ... tho' plausible) explanation is a faulty driver update or a faulty NIC. For example, in such cases, you'd have an increase in overhead traffic like unnecessary RSTs or dup ACKs etc ... it is not common but it is possible. Here tcpdump is your best bet to capture (and hopefully understand) what is happening.
cheers, - steve
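A way to read the `netstat -ntpa` output suggested above so that it answers "which program is the guilty one", given as an added example that is not part of the thread. The function names are this example's own, and the connection table in the usage comment's scenario is whatever netstat prints on the machine being checked. netstat shows which programs hold connections, not how many bytes they moved; for volume, tcpdump or the interface counters are still needed.

```shell
#!/bin/sh
# Added example: summarise `netstat -ntpa` output read from stdin.

# One line per program: "<count> <pid/program> <remote endpoints>",
# busiest first, for ESTABLISHED TCP connections only.
established_by_program() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        prog = $7
        for (i = 8; i <= NF; i++) prog = prog " " $i   # names may contain spaces
        if (prog == "-") prog = "unknown"              # netstat was not run as root
        n[prog]++
        peers[prog] = peers[prog] (peers[prog] ? "," : "") $5
    }
    END { for (p in n) printf "%d %s %s\n", n[p], p, peers[p] }' |
    LC_ALL=C sort -k1,1nr -k2
}

# Listening sockets reachable from outside the machine (not bound to
# loopback), e.g. an sshd that could be the target of login attempts.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^(127\.|::1:)/ { print $4, $7 }'
}

# Usage (as root, so the PID/Program column is filled in):
#   netstat -ntpa | established_by_program
#   netstat -ntpa | exposed_listeners
```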