Weird net activity

radiospan · 14-09-2004 3:12pm #1

I'm using Clicksilver, and this morning I noticed a steady flow of net traffic in DUMeter.

I closed all of my net applications (browser, eMule, MSN, etc...) but it was still there. Uploads were at a full 12 or 13kB/sec, and downloads were around 9 or 10kB/sec. I can't find what application is sending this data, or where?

I installed NetLimiter, but it reports that there is no traffic. My router lights are flashing also.

There's a screenshot here: http://tinypic.com/548hz

I've tried rebooting both my router and my PC, but it still comes back. The other PC on the same router is not having this problem. It's been going for a few hours now and I can't stop it.

Could this be a virus or spyware?

Raam · 14-09-2004 3:16pm

could it be windows update?

radiospan · 14-09-2004 3:23pm

No, I've automatic updates turned off.

I ran "netstat 5" from the command line and there doesn't seem to be anything weird, just connections to localhost and 192.168.0.1

Ripwave · 14-09-2004 3:29pm

plazzTT wrote:

I'm using Clicksilver, and this morning I noticed a steady flow of net traffic in DUMeter.

If you're running XP, open a command prompt and run

NETSTAT -o

This will show you what applications have ports open. Use the Task Manager to find out the name of the application (Netstat only shows the processID).

radiospan · 14-09-2004 3:56pm

The only two connections that are there have PID 0 (System Idle Process) ?

Could it be a bug in DUMeter, recording something thats not really there?

Although my router lights are flashing, and DUMeter goes to zero when I plug out the router...

Cal · 14-09-2004 4:01pm

Set your DU meter to only monitor your bb connection. It may be other internal traffic that you are seeing.

Cal

radiospan · 14-09-2004 4:07pm

It's monitoring my network card only, that's the best I can do.

But this activity started suddenly this morning, I wasn't changing any settings or anything.

Two connections are always there when I use netstat. They are:

TCP john:1624 localhost:1625 ESTABLISHED
TCP john:1625 localhost:1624 ESTABLISHED

Could this be it? Are those connections normal?

radiospan · 14-09-2004 4:45pm

Is there anything else I could try to stop this? Any settings I could change?

It's definately affecting my download speeds (I'm only getting 30-40K max now because the other 10k is constantly being used by this thing) so it's probably counting towards my download cap too.

I'll have to disconnect my net for a while now.

liamo · 14-09-2004 6:21pm

Two connections are always there when I use netstat. They are:

TCP john:1624 localhost:1625 ESTABLISHED
TCP john:1625 localhost:1624 ESTABLISHED

I don't recognise those ports. And what machine is "john"? Try pinging "john" and see what ip address replies - might it be another machine on your network?

You could try installing Ethereal on your machine. This will capture all traffic that it sees on the network. Traffic on your router is no doubt switched so all you'll see is traffic to and from the PC but that's all you need. It will show you the port and IP address of both ends of all traffic. And, if you need, you can examine the contents of the packets. That should give you the answer to your question.

Regards,

Liam

radiospan · 14-09-2004 7:05pm

Thanks, I'm downloading Ethereal now. I changed my IP address on my local network from 192.168.0.3 to 192.168.0.9, I left the router disconnected for about half an hour, and I changed the network port that my LAN cable was going into on the router.

One of those changes might have done the trick, theres no mystery traffic now, although it might come back later. (john is the name of my PC, btw

)

Moriarty · 15-09-2004 12:47am

Moved to nets/comms.

Weird net activity

Comments