internet activity while not browsing

[loudog]

 just a simple question about network activity . when i am not using the internet i still see quite a bit of activity in the gkrellem monitor window , is this normal

[muungwana]

is your computer connected directly to the internet or to a LAN?

do you have file sharing or any other service running that listens and responds to other computers on the network the computer is in?

If there is some chit chat over the network, your computer may be picking it up and participating.

There is always constant and low lever chitchat traffic going on.How much of it is happening depends on whats running over the network your computer is connected to

[T6]

some cablemodem(those connected to coaxial cable, could be called different where you live) sometimes reports a 10 kbps activity no matter what you or don't do

is this what you see?

if you have a bittorrent client it could be that too

if you have a widget that constantly searches for info it could be another reason

[loudog]

the coax modem has 4 out ports, i am connected to one of them and the wireless router for the motel is connected to another . i believe the only widget i have that does any searching is synaptic updater. when i am not using the net i will see 750 to 1.0 k as reported by gkrellem under etho. no file sharing etc that i am aware of. just paranoid i guess with 5 to fifteen people at a time connected to the wireless router.

[muungwana]

shut down everything you know that uses the internet and then open the terminal, log in as root and then run these commands

service syslog restart

echo "" > /var/log/syslog

iptables -I OUTPUT -o eth0 -j LOG

iptables -I INPUT -i eth0 -j LOG

kwrite /var/log/syslog

now just press "reload" on kwrite to reload the text file and you will all traffic going in and out of your computer.

when you are done, run "service iptables restart" to take your system back to where it was.

[scoundrel]

noticed something like this and found that my ebook readers wifi was doing it.. I shut if off and it quit doing it.

[loudog]

 i did the suggested commands and got a full page of results. most are repetitive every couple of seconds but here is a small portion from the bottom, the first two represent the bulk of the repeats and then a couple oddball's. i also noticed an error after the kwrite command which is at the very last of the sample. ill do a quick search on the error and see what thats about.

May 21 07:45:28 localhost klogd: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:42:c0:41:08:00 SRC=69.144.102.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=50583 PROTO=UDP SPT=67 DPT=68 LEN=308
May 21 07:45:30 localhost klogd: IN=eth0 OUT= MAC=00:16:17:94:2a:db:00:01:5c:42:c0:41:08:00 SRC=199.115.112.144 DST=184.167.89.26 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=45179 DF PROTO=TCP SPT=46107 DPT=27977 WINDOW=512 RES=0x00 SYN URGP=0
May 21 07:45:30 localhost klogd: IN= OUT=eth0 SRC=184.167.89.26 DST=199.115.112.144 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=27977 DPT=46107 WINDOW=0 RES=0x00 ACK RST URGP=0
May 21 07:45:35 localhost klogd: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:42:c0:41:08:00 SRC=69.144.102.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=51456 PROTO=UDP SPT=67 DPT=68 LEN=308
May 21 07:45:37 localhost klogd: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:42:c0:41:08:00 SRC=69.144.102.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=51832 PROTO=UDP SPT=67 DPT=68 LEN=308

kbuildsycoca4(30572) parseLayoutNode: The menu spec file contains a Layout or DefaultLayout tag without the mandatory Merge tag inside. Please fix your file.

[muungwana]

May 21 07:45:28 localhost klogd: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:42:c0:41:08:00 SRC=69.144.102.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=50583 PROTO=UDP SPT=67 DPT=68 LEN=308

If you examine the above entry:

IN=eth0  means the packet came to your computer.

MAC=ff:ff:ff:ff:ff:ff:00:01:5c:42:c0:41:08:00
SRC=69.144.102.198 DST=255.255.255.255

The above two means the same thing, a computer with MAC address "01:5c:42:c0:41:08:00" with IP address "69.144.102.198" sent the packet to all computers in the network domain it is in. IP address of "255.255.255.255" is called a broadcast address and it means "all computers in this subnet/network segment".

SPT=67 DPT=68.
Those two ports are used by dhcp server and client.

It is odd getting dhcp packets from the internet if you are behing a NAT(ed) router(most routers are).
You getting them suggests either you are connected directly to the internet and the packet came from your ISP or you are not but the router is forwarding some if not all broadcast traffic its getting from the ISP-router part of the ISP network.

There is always background traffic on the network whose purpose is to keep the network running and dhcp traffic makes part of it.The more dhcp using devices are on the network,the more background traffic will be there.

If you are connected to your ISP directly, then a bigger background traffic compared to if you are connected to a local LAN should be expected.

May 21 07:45:30 localhost klogd: IN= OUT=eth0 SRC=184.167.89.26 DST=199.115.112.144 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=27977 DPT=46107 WINDOW=0 RES=0x00 ACK RST URGP=0

That one says you are connected directly to the internet. The packet was generated by your computer and source IP is internet wide addressable. It also says your computer is sending traffic to the internet.If you closed all applications you think are accessing the internet before starting taking those logs then you missed atleast one.

[loudog]

4 things are certain in life death , taxes , software bloat and sometimes missing one . it may be time to learn a lot more about networking.