SBS&D didn't find anything.
It (whatever it is) seems to be still there after restarting Firefox. (I'm still getting some sort of 150-200 kB/s network traffic.) The only thing that's showing significant CPU load is Firefox.

Nothing shows up in FF's download box (ctrl-J) and it doesn't seem to be doing a background FF update download (but I can't be sure).

I guess I'll let it run a while and see what happens.... :-/

(This is on Win2k.)

Cheers,
Scott.
Try Wireshark?
It's a network sniffer program, if you're not familiar with it. It will listen on your ethernet (or wireless) card, and capture EVERYTHING about what's being downloaded. What you'd mostly be interested in (to start with) is the destination IP address (i.e., where you're downloading this data from). Once you have that, you can use "dig" or "nslookup" (which I could use on my Mac or Linux boxen... not sure if they exist on Win2k) or some other tool to convert that IP address to a human-readable domain name (sometimes). If it doesn't resolve to a domain name (or one that you readily recognize), follow up with us here....
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Ok, I've captured some traffic. Now what?
(This is on my T61 laptop with WinXP. Sorry if I said Win2k earlier.)

I updated my FF plugins and the FF crash on startup seems to be gone. I've still got the 2020 plugin disabled.

The mysterious ~ 200kB background download is still happening, but only when Firefox is running. I'm not seeing it with Chrome (which I'm using now).

I installed Wireshark. It's neat. With FF running, I did Capture -> Interfaces -> Intel Pro Wireless -> Start and let it run for a few seconds.

I don't know how to analyze the stuff, but on sorting by the Source column I'm mainly getting stuff from:

12.4.198.133
174.129.88.133
174.37.113.144
204.9.177.195
204.9.178.11 - HTTP and TCP traffic (GIF 89a, content server, reassembled PDU, etc.)
64.207.133.176 - TCP segment of a reassembled PDU
64.215.158.100 - lots of mixed HTTP and TCP traffic
64.215.158.101 - TCP interleaved channel 546 bytes
64.215.158.102 - TCP interleaved channel 608 bytes
64.215.158.103 - TCP interleaved channel 608 bytes
64.215.158.108 - TCP interleaved channel 366 bytes
64.215.158.109 - TCP interleaved channel 639-641 bytes
64.215.158.111 - HTTP continuation or non-HTTP traffic
64.215.158.116 - TCP interleaved channel 1460 bytes
64.215.158.117 - TCP interleaved channel 606-641 bytes
64.215.158.94 - TCP interleaved channel 606-641 bytes
64.215.158.95 - TCP interleaved channel 1266 bytes

Most of the packets seem to be coming from the 64.xxx servers, which seem to be GlobalCrossing boxes according to a web Whois.

Now what?

Could I have a hidden BitTorrent process going when FF is running, or something? I do have an old BitTorrent program installed on this box, but AFAIK it is not running and I haven't used it in years. I notice there's a BitTorrent 1.0.0.1 and BitTorrent DNA 1.0.0.1 plugin installed in FF (but AFAIK they've been there for years). Nothing other than FF shows up in the process list as being active when this is happening, and nothing shows up in FF's Downloads window (ctrl-j) but I haven't tried loading all of the same 73-some-odd tabs in Chrome yet. (I am concerned that I have 123 processes showing up in the process list and I don't know what 98% of them are...)

What else can I do to figure out what is taking over my wireless bandwidth?

Thanks very much.

Cheers,
Scott.
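Sorting Wireshark's packet list by the Source column shows which addresses appear most, but it does not show how many bytes each one is sending. The script below is an added example, not something posted in the thread. It assumes the capture was exported with tshark (the command-line companion to Wireshark) as `ip.src,ip.dst,frame.len` CSV lines; the lines embedded in it are constructed sample data, not Scott's real capture, and 192.168.1.10 is an assumed address for the laptop. It sums inbound bytes per source, rolls the totals up into /24 networks so a cluster such as 64.215.158.x stands out as one sender, and wraps the reverse-DNS step Mike describes so it degrades gracefully when nothing resolves.

```python
"""Tally inbound capture traffic by source address from a tshark CSV export.

Added example (not from the thread). Assumed export command:
    tshark -r capture.pcapng -T fields -E separator=, -e ip.src -e ip.dst -e frame.len
"""
import csv
import ipaddress
import socket
from collections import defaultdict
from io import StringIO

# Constructed sample rows: source, destination, frame length in bytes.
CSV_EXPORT = """\
64.215.158.109,192.168.1.10,640
64.215.158.109,192.168.1.10,641
64.215.158.116,192.168.1.10,1460
64.215.158.116,192.168.1.10,1460
204.9.178.11,192.168.1.10,512
192.168.1.10,64.215.158.109,66
12.4.198.133,192.168.1.10,300
"""

# Assumed address of the laptop doing the capture (constructed for the sample).
LOCAL_HOST = ipaddress.ip_address("192.168.1.10")


def bytes_by_source(csv_text, local=LOCAL_HOST):
    """Sum frame bytes per source IP for inbound frames only (dst == local).

    Outbound ACKs from the laptop are skipped so they do not pollute the totals.
    Returns a dict ordered from heaviest sender to lightest.
    """
    totals = defaultdict(int)
    for src, dst, length in csv.reader(StringIO(csv_text)):
        if ipaddress.ip_address(dst) == local:
            totals[src] += int(length)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def bytes_by_prefix(totals, prefix_len=24):
    """Roll per-host totals up into networks (default /24).

    A download spread over 64.215.158.94 .. 64.215.158.117 looks like a dozen
    small senders per host but one large sender per network.
    """
    nets = defaultdict(int)
    for src, n in totals.items():
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        nets[str(net)] += n
    return dict(sorted(nets.items(), key=lambda kv: kv[1], reverse=True))


def reverse_lookup(ip):
    """Reverse-DNS an address (what nslookup/dig do); return the address itself
    when there is no PTR record or no network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ip


if __name__ == "__main__":
    per_host = bytes_by_source(CSV_EXPORT)
    for ip, n in per_host.items():
        print(f"{n:>8} bytes  {ip:<16} {reverse_lookup(ip)}")
    print("by /24:")
    for net, n in bytes_by_prefix(per_host).items():
        print(f"{n:>8} bytes  {net}")
```

Run against a real export, the per-network view answers the "is it one server or a farm?" question directly; an address that resolves to nothing (the `??unknown??` rows in Mike's list) is then worth a whois on the network rather than on each host.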
Re: Ok, I've captured some traffic. Now what?
12.4.198.133 - www.crutchfield.com
174.129.88.133 - ec2-174-129-88-133.compute-1.amazonaws.com
174.37.113.144 - kaching.cacetech.com
204.9.177.195 - ??unknown??
204.9.178.11 - www.typepad.com
64.207.133.176 - skitch.com
64.215.158.100 - ??unknown??
64.215.158.101 - ??unknown??
64.215.158.102 - ??unknown??
64.215.158.103 - ??unknown??
64.215.158.108 - ??unknown??
64.215.158.109 - ??unknown??
64.215.158.111 - ??unknown??
64.215.158.116 - ??unknown??
64.215.158.117 - ??unknown??
64.215.158.94 - ??unknown??
64.215.158.95 - ??unknown??
I didn't do anything extensive to look those up, just nslookup/dig on my command-line.

So, that said....There's a couple of things you can do.

First, you could edit your (forgive me if it's not exact) c:\windows\system32\etc\hosts file to redirect any unknown-or-unwanted IP addresses to localhost, which is effectively making them go nowhere. Add lines to this etc\hosts file like so:

64.215.158.109 localhost
64.215.158.111 localhost

One IP address per line, redirecting to localhost. I cannot say for sure if you need to "only" restart your browser each time you edit the file, or if you "completely" need to reboot in order for this to be effective. It's obviously your choice, but you could either do 'em one-at-a-time to narrow down which one is the offending IP address, or you could add-em-all-at-once and see if that cures your ills in one swell foop. Note that it's recommended that you also make a backup (before and after editing) of this hosts file. Put it, say, on your Desktop. If, after rebooting, you still have issues and go back to look at this etc\hosts file and it's altered from the state you left it in, you'll know you have problems.
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Edited by mvitale July 17, 2010, 12:17:28 PM EDT
Edited by mvitale July 17, 2010, 12:18:34 PM EDT
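Mike's last suggestion, keeping a copy of the hosts file and checking later whether the live file still matches it, is the part of this advice that works as a tamper check regardless of what the entries map to. The script below is an added example, not code from the thread. It assumes a backup was saved as Mike suggests; the two embedded file bodies are constructed samples, and the Windows path in the `__main__` block is the usual location, `%SystemRoot%\System32\drivers\etc\hosts`. It hashes both copies and, if they differ, reports which effective entries were added or removed, ignoring comments and whitespace so a cosmetic re-save is not mistaken for tampering.

```python
"""Compare the live hosts file against the backup saved before editing it.

Added example (not from the thread). Sample file bodies are constructed.
"""
import hashlib
import os
from pathlib import Path

# Constructed sample: the backup saved to the Desktop after editing.
BACKUP = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

# Constructed sample: the live file later, with a line nobody added on purpose.
LIVE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     www.example.com
"""


def entries(text):
    """Effective entries only: comments and blank lines dropped, whitespace normalised."""
    result = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            result.add(" ".join(line.split()))
    return result


def digest(text):
    """SHA-256 of the raw file text, for a quick unchanged/changed verdict."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare(backup_text, live_text):
    """Return whether the live file is byte-identical to the backup and,
    if not, which effective entries appeared or disappeared."""
    before, after = entries(backup_text), entries(live_text)
    return {
        "unchanged": digest(backup_text) == digest(live_text),
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


if __name__ == "__main__":
    # Assumed locations: the live file under %SystemRoot%, the backup on the Desktop.
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    live_path = Path(system_root) / "System32" / "drivers" / "etc" / "hosts"
    backup_path = Path.home() / "Desktop" / "hosts.backup"
    if live_path.exists() and backup_path.exists():
        report = compare(backup_path.read_text(), live_path.read_text())
    else:
        report = compare(BACKUP, LIVE)  # fall back to the constructed sample
    print(report)
```

An entry that shows up under `added` and that you did not put there yourself is exactly the "altered from the state you left it in" signal Mike describes.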
Excellent. I should have remembered that. Thanks.
Re: Excellent. I should have remembered that. Thanks.
Doing a "wget" of the webserver on one of those IPs produces this:

[Reference]

Ref1=http://64.215.158.101/?MSWMExt=.asf
Ref2=http://64.215.158.101:80/?MSWMExt=.asf


I believe it's a set of reflectors for a video stream.

At least that is what it looks like to me.

Porn site producers use them a lot... AS? What should we think now?
That shouldn't be it. ;-)
Re: Excellent. I should have remembered that. Thanks.
Porn site producers use them a lot... AS? What should we think now?
We should think that you know more about what porn sites do than AScott does. ;-)
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Dang, beat me to it
--

Drew
check your plug-in directory
make sure what's there belongs there.

There have been a couple of reports of malware targeting firefox via the plugin interface.
I will choose a path that's clear. I will choose freewill.