On Fri, Jun 24, 2011 at 1:03 PM, Binand Sethumadhavan <[email protected]> wrote:

> Install wireshark, run a capture, and either analyze it yourself or offer it
> for download.
>
> Binand
>
> 2011/6/24 Sanket Shah <[email protected]>
>
> > On my Ubuntu 11.04 install on laptop (amd64 arch) as well as desktop (x86
> > arch) on the office wired LAN (Intranet, not connected to internet), there
> > is a constant 6-15 kilobytes/second data down happening. The LAN works
> > normally at all times, but even with no activity this data down is running.
> > I checked with internet connected wifi on laptop and a USB dongle on both,
> > but there was no such data transfer in idle conditions. It doesn't happen
> > when on Windows 7.
> >
> > Is there a tool to find out which port or software is taking this data? I
> > tried netstat but couldn't make any headway. Searched on ubuntuforums but
> > found nothing close enough. Can somebody please guide me on how to go about
> > it?
> >
> > --
> > Sanket Shah
> > --
> > http://mm.glug-bom.org/mailman/listinfo/linuxers
> >
> --
> http://mm.glug-bom.org/mailman/listinfo/linuxers
>


Thanks a lot for the *wireshark* pointer and sorry for the late reply. I
installed & played with it several times. I've found a lot of data coming in
over ARP & UDP.

I'm not sure how to proceed now. How do I find which application is causing
this, or how do I block it? Sample details of an ARP log (Destination is empty):

No.     Time        Source                Destination           Protocol   Info
661   2.987881    Hewlett-_01:03:d9                           ARP        Who has 172.136.81.142?  Tell 172.136.38.12

Frame 661: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Jun 29, 2011 11:05:09.163967000 IST
    Epoch Time: 1309325709.163967000 seconds
    [Time delta from previous captured frame: 0.011841000 seconds]
    [Time delta from previous displayed frame: 0.011841000 seconds]
    [Time since reference or first frame: 2.987881000 seconds]
    Frame Number: 661
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Linux cooked capture
    Packet type: Broadcast (1)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Protocol: ARP (0x0806)
    Trailer: 63484d585018f8e7ca9e000000000037ff53
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    [Is gratuitous: False]
    Sender MAC address: Hewlett-_01:03:d9 (00:10:83:01:03:d9)
    Sender IP address: 172.136.38.12 (172.136.38.12)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.136.81.142 (172.136.81.142)


Could someone help me with how to go about it now? It looks like a machine
broadcasting info. There are several sender machines that repeat (here
Hewlett-xxx being the machine).

Thanks a lot.

-- 
Sanket Shah
-- 
http://mm.glug-bom.org/mailman/listinfo/linuxers
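Added example, not part of the original thread: a small script that tallies the "Who has ... Tell ..." ARP requests from Wireshark-style summary lines such as the one quoted above, so a defender can see which sender IPs account for the idle broadcast traffic, how much of the observed bandwidth they explain (using the 62-byte frame size shown in the capture), and whether any of the requests actually originate from the local host. The sample lines are constructed; the Dell/Intel hostnames, the 172.136.38.40 and 172.136.38.99 senders and the local IP are assumptions.

```python
import re
from collections import Counter
from typing import NamedTuple
# Summary-line layout as in the capture above (Destination column empty for ARP).
ARP_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)"
)

class ArpSummary(NamedTuple):
    requests: int        # ARP requests seen
    duration: float      # seconds between first and last request
    by_sender: Counter   # requests per "Tell" (sender) IP
    local_origin: int    # requests whose sender is this host
# Constructed sample; hostnames and the .38.40 / .38.99 senders are made up.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
660   0.000000    Hewlett-_01:03:d9                           ARP      Who has 172.136.81.142?  Tell 172.136.38.12
661   0.250000    Hewlett-_01:03:d9                           ARP      Who has 172.136.81.143?  Tell 172.136.38.12
662   0.500000    Dell_aa:bb:cc                               ARP      Who has 172.136.81.200?  Tell 172.136.38.40
663   0.750000    172.136.38.99         172.136.38.1          UDP      Source port: 5353  Destination port: 5353
664   1.000000    Hewlett-_01:03:d9                           ARP      Who has 172.136.81.144?  Tell 172.136.38.12
665   1.250000    Dell_aa:bb:cc                               ARP      Who has 172.136.81.201?  Tell 172.136.38.40
666   1.500000    IntelCor_11:22:33                           ARP      Who has 172.136.38.1?  Tell 172.136.38.99
667   2.000000    Hewlett-_01:03:d9                           ARP      Who has 172.136.81.145?  Tell 172.136.38.12
"""

def summarise_arp(lines, local_ip):
    """Tally ARP requests per sender IP; non-ARP lines and the header are skipped."""
    times, senders = [], Counter()
    for line in lines:
        m = ARP_LINE.match(line)
        if m:
            times.append(float(m["time"]))
            senders[m["sender"]] += 1
    duration = max(times) - min(times) if len(times) > 1 else 0.0
    return ArpSummary(len(times), duration, senders, senders.get(local_ip, 0))

def bytes_per_second(summary, frame_bytes=62):
    """Idle bandwidth the requests account for (62 bytes per frame as in the capture)."""
    return 0.0 if summary.duration == 0 else summary.requests * frame_bytes / summary.duration

def top_senders(summary, n=3):
    return summary.by_sender.most_common(n)

if __name__ == "__main__":
    s = summarise_arp(SAMPLE.splitlines(), local_ip="172.136.38.99")
    print(f"{s.requests} ARP requests, {bytes_per_second(s):.0f} B/s, "
          f"{s.local_origin} sent by this host; top senders: {top_senders(s)}")
```

Requests whose sender is another host are inbound broadcasts that no local application generates, so a zero `local_origin` count with a high per-sender tally points at the other machines on the LAN rather than at software on the Ubuntu box.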
