Re: Continuous internet activity

MikeM wrote:
I have checked the task manager several time. Usually the only entries
with activity are the usual ones that have been there a long time. I
don't know what most of them are, but I assume they are connected with
Windows or other applications I have been running for years. One thing
I can't remember seeing, there are 8 entires for svchost. For a while
there was a lot of activity on 1 of them but it has now stopped. Just
an occasional small amount of activity on one of them.

The only high activity is on the application I am running. I tried
stopping it but the activity continued unchanged. The activity monitor
is still solid green and the led on the router is flashing so I assume
it is still sending/receiving.


A program like Wireshark might be used, to see what the packets
contain and where they're going. There is nothing stopping a malware
application, from using compression or encryption of the stream,
preventing you from learning anything. But at least you'll get an
IP address out of the exercise (dest address for the packets).

If you select View:Name Resolution:Network Layer, the captured
Ethernet packets will have the IP addresses resolved to symbolic
addresses. Which saves the nuisance of looking them up separately.

After that, Capture:Interfaces, and clicking the Start button
for your actual network interface, starts the capture.

Some malware, is aware of programs like Wireshark, and may
respond in some way once it is started. For example, a key logger
may store key presses locally, until a time arrives where
Wireshark is not running, and then it is "safe" to transmit
the passwords or credit card numbers.

The continuous activity, at least to me, suggests
something like Back Orifice - like something has
your machine under some degree of control, and
the continuous packets are for monitoring purposes.

You could also be part of a botnet, and DDOSing some
node on the Internet, or sending spam emails and so
on. It could be, that the control connection is
only made intermittently, and most of the traffic is
the scripted activity entrusted to your node.

There is a small probability of a networking problem, where
something is tied in a loop. I have seen looped behavior
between my router and my ADSL modem, and power cycling them
stopped it. To debug problems like that, you'd need a box
which could be inserted between devices and transparently capture
all transmit and receive traffic. Wireshark only covers the
cases, where a computer is at one end of the link.


Relevant Pages

  • Re: netstat ?
    ... Wireshark can do this. ... Capturing packets with Wireshark/Tshark ...   There are two ways of installing Wireshark/Tshark on Debian: ... Installing dumpcap and allowing non-root users to capture packets ...
  • Re: Update: UDP 770 Potential Worm
    ... > were no packets indicating some form of replication. ... > my capture was limited due to the switched ... to see if the problem occurs on the test network, ... The proxy had already been isolated from the ...
  • Re: Auditing / Logging
    ... to explicitly set these values and capture the text output seperately. ... The key is that dumping anything to console or making tcpdump generate ... wants in order to capture full packets, save them to disk, and go ...
  • flooding an embedded device with isic and tcpreplay causing different results
    ... I'm trying to force a reload of an embedded SOHO router/NAT Gateway. ... now I wondering why the tcpreplay attack don't f*** up the SOHO. ... The tcpdump isn't complete because of "dropped by kernel" packets - ... listening on eth0, link-type EN10MB, capture size ...
  • [TOOL] RPCAP, Remote Packet Capture System
    ... RPCAP is a Remote Packet Capture system. ... and uplink the captured packets to another ... the server which captures network traffic on a remote system, ... and a client, which receives and processes these packets. ...