Ok, I've captured some traffic. Now what?
(This is on my T61 laptop with WinXP. Sorry if I said Win2k earlier.)

I updated my FF plugins and the FF crash on startup seems to be gone. I've still got the 2020 plugin disabled.

The mysterious ~ 200kB background download is still happening, but only when Firefox is running. I'm not seeing it with Chrome (which I'm using now).

I installed Wireshark. It's neat. With FF running, I did Capture -> Interfaces -> Intel Pro Wireless -> Start and let it run for a few seconds.

I don't know how to Analyze the stuff, but on sorting by the Source column I'm mainly getting stuff from:

12.4.198.133
174.129.88.133
174.37.113.144
204.9.177.195
204.9.178.11 - HTTP and TCP traffic (GIF 89a, content server, reassembled PDU, etc.)
64.207.133.176 - TCP segment of a reassembled PDU
64.215.158.100 - lots of mixed HTTP and TCP traffic
64.215.158.101 - TCP interleaved channel 546 bytes
64.215.158.102 - TCP interleaved channel 608 bytes
64.215.158.103 - TCP interleaved channel 608 bytes
64.215.158.108 - TCP interleaved channel 366 bytes
64.215.158.109 - TCP interleaved channel 639-641 bytes
64.215.158.111 - HTTP continuation or non-HTTP traffic
64.215.158.116 - TCP interleaved channel 1460 bytes
64.215.158.117 - TCP interleaved channel 606-641 bytes
64.215.158.94 - TCP interleaved channel 606-641 bytes
64.215.158.95 - TCP interleaved channel 1266 bytes

Most of the packets seem to be coming from the 64.xxx servers, which seem to be GlobalCrossing boxes according to a web Whois.

Now what?

Could I have a hidden BitTorrent process going when FF is running, or something? I do have an old BitTorrent program installed on this box, but AFAIK it is not running and I haven't used it in years. I notice there's a BitTorrent 1.0.0.1 and BitTorrent DNA 1.0.0.1 plugin installed in FF (but AFAIK they've been there for years). Nothing other than FF shows up in the process list as being active when this is happening, and nothing shows up in FF's Downloads window (ctrl-j) but I haven't tried loading all of the same 73-some-odd tabs in Chrome yet. (I am concerned that I have 123 processes showing up in the process list and I don't know what 98% of them are...)

What else can I do to figure out what is taking over my wireless bandwidth?

Thanks very much.

Cheers,
Scott.
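As an added example (not code from the thread), here is the first pass I would do on a capture like this: export the frames with tshark's field output, sum bytes per sender towards the laptop, then fold the senders into /24 networks so the 64.215.158.x cluster is counted as one origin. The rows below are constructed from the addresses in the post; the laptop's own address and the byte counts are assumed.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample in the shape produced by:
#   tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e frame.len -E separator=,
# The addresses are the ones listed in the post; the byte counts are made up.
LOCAL_IP = "192.168.1.10"  # assumed address of the laptop's wireless interface

SAMPLE_ROWS = """\
64.215.158.100,192.168.1.10,1514
64.215.158.100,192.168.1.10,1514
64.215.158.101,192.168.1.10,600
64.215.158.109,192.168.1.10,693
204.9.178.11,192.168.1.10,1514
12.4.198.133,192.168.1.10,400
192.168.1.10,64.215.158.100,54
192.168.1.10,204.9.178.11,54
"""


def inbound_bytes_by_source(rows: str, local_ip: str) -> dict[str, int]:
    """Sum frame lengths per remote source, keeping only frames sent to local_ip.

    Sorting by the Source column shows who is talking; summing bytes shows who
    is actually using the bandwidth, which is the question being asked.
    """
    totals: dict[str, int] = defaultdict(int)
    for line in rows.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, length = line.split(",")
        if dst != local_ip:
            continue  # outbound requests and ACKs are not the download
        totals[src] += int(length)
    return dict(totals)


def bytes_by_network(totals: dict[str, int], prefix_len: int = 24) -> dict[str, int]:
    """Fold per-host totals into /prefix_len networks so a run of neighbouring
    addresses (64.215.158.x here) shows up as a single sender."""
    nets: dict[str, int] = defaultdict(int)
    for ip, n in totals.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[str(net)] += n
    return dict(nets)


def ranked(totals: dict[str, int]) -> list[tuple[str, int, float]]:
    """Return (key, bytes, share_of_total) sorted by bytes, largest first."""
    grand = sum(totals.values())
    return sorted(
        ((k, n, round(n / grand, 3)) for k, n in totals.items()),
        key=lambda t: t[1],
        reverse=True,
    )


if __name__ == "__main__":
    per_host = inbound_bytes_by_source(SAMPLE_ROWS, LOCAL_IP)
    for key, n, share in ranked(bytes_by_network(per_host)):
        print(f"{key:20} {n:8d} bytes  {share:6.1%}")
```

Wireshark's own Statistics -> Conversations and Statistics -> Endpoints windows give the same per-address byte totals without leaving the GUI; the script version is useful when the capture is large or when the totals need to be combined with the reverse lookups from a later step.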
Re: Ok, I've captured some traffic. Now what?
12.4.198.133 - www.crutchfield.com
174.129.88.133 - ec2-174-129-88-133.compute-1.amazonaws.com
174.37.113.144 - kaching.cacetech.com
204.9.177.195 - ??unknown??
204.9.178.11 - www.typepad.com
64.207.133.176 - skitch.com
64.215.158.100 - ??unknown??
64.215.158.101 - ??unknown??
64.215.158.102 - ??unknown??
64.215.158.103 - ??unknown??
64.215.158.108 - ??unknown??
64.215.158.109 - ??unknown??
64.215.158.111 - ??unknown??
64.215.158.116 - ??unknown??
64.215.158.117 - ??unknown??
64.215.158.94 - ??unknown??
64.215.158.95 - ??unknown??
I didn't do anything extensive to look those up, just nslookup/dig on my command-line.

So, that said... there are a couple of things you can do.

First, you could edit your (forgive me if it's not exact) c:\windows\system32\etc\hosts file to redirect any unknown-or-unwanted IP addresses to localhost, which is effectively making them go nowhere. Add lines to this etc\hosts file like so:

64.215.158.109 localhost
64.215.158.111 localhost

One IP address per line, redirecting to localhost. I cannot say for sure if you need to "only" restart your browser each time you edit the file, or if you "completely" need to reboot in order for this to be effective. It's obviously your choice, but you could either do 'em one-at-a-time to narrow down which one is the offending IP address, or you could add-em-all-at-once and see if that cures your ills in one swell foop. Note that it's recommended that you also make a backup (before and after editing) of this hosts file. Put it, say, on your Desktop. If, after rebooting, you still have issues and go back to look at this etc\hosts file and it's altered from the state you left it in, you'll know you have problems.
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Edited by mvitale July 17, 2010, 12:17:28 PM EDT
Edited by mvitale July 17, 2010, 12:18:34 PM EDT
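The reply above suggests editing the hosts file, backing it up, and checking later whether the file was altered. As an added example that is not from the thread, the script below does those three steps against a constructed stand-in for the file: it appends sink entries, records a SHA-256 fingerprint after the edit, and reports whether a later copy still matches. On Windows the file lives at C:\Windows\System32\drivers\etc\hosts (the reply's path is approximate); the backup location and the placeholder hostname `unwanted.example` are assumptions. The resolver matches hosts entries by name, so the example keys each entry on a hostname such as those the reply's nslookup produced; a program that opens a connection directly to an IP address never consults the file, which is worth knowing when an entry appears to have no effect.

```python
from __future__ import annotations

import hashlib
import shutil
from pathlib import Path

# Standard location on Windows XP and later.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Assumed backup location, following the reply's suggestion of the Desktop.
BACKUP_PATH = Path.home() / "Desktop" / "hosts.before-edit"
SINK = "127.0.0.1"  # the address "localhost" resolves to

# Constructed stand-in for a stock hosts file, so the example runs offline.
SAMPLE_HOSTS = "# Stock hosts file (constructed sample)\n127.0.0.1       localhost\n"


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname in the file to its address; comments and blank lines are skipped."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping[name.lower()] = address
    return mapping


def add_sink_entries(text: str, names: list[str]) -> str:
    """Return the file text with one '127.0.0.1 name' line per hostname not already present.

    Entries are keyed by hostname because that is what the resolver looks up;
    a connection made straight to an IP address bypasses this file entirely.
    """
    present = parse_hosts(text)
    lines = text.rstrip("\n").splitlines()
    for name in names:
        if name.lower() not in present:
            lines.append(f"{SINK} {name}  # sinkholed while investigating")
            present[name.lower()] = SINK
    return "\n".join(lines) + "\n"


def fingerprint(text: str) -> str:
    """SHA-256 of the file contents, recorded right after editing."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def unchanged(text: str, expected: str) -> bool:
    """True if the file still matches the fingerprint taken when it was last edited.

    A mismatch you did not cause yourself is the 'altered from the state you
    left it in' signal the reply describes.
    """
    return fingerprint(text) == expected


def apply_to_file(names: list[str], hosts: Path = HOSTS_PATH, backup: Path = BACKUP_PATH) -> str:
    """Back up, edit and fingerprint the real file (needs an elevated prompt on Windows)."""
    shutil.copy2(hosts, backup)
    original = hosts.read_text(encoding="utf-8")
    edited = add_sink_entries(original, names)
    hosts.write_text(edited, encoding="utf-8")
    return fingerprint(edited)


if __name__ == "__main__":
    edited = add_sink_entries(SAMPLE_HOSTS, ["unwanted.example"])
    print(edited)
    print("fingerprint after edit:", fingerprint(edited))
    print("still unchanged:", unchanged(edited, fingerprint(edited)))
```

Keep the fingerprint somewhere other than the hosts file itself (a text file on the Desktop next to the backup is enough) and re-run the check after each reboot; the backup lets you restore the file in one copy if the edit turns out to break something you did want to reach.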
Excellent. I should have remembered that. Thanks.
Re: Excellent. I should have remembered that. Thanks.
Doing a "wget" of the webserver on one of those IPs produces this:

[Reference]

Ref1=http://64.215.158.101/?MSWMExt=.asf
Ref2=http://64.215.158.101:80/?MSWMExt=.asf


I believe it's a set of reflectors for a video stream.

At least that is what it looks like to me.

Porn site producers use them a lot... AS? What should we think now?
That shouldn't be it. ;-)
Re: Excellent. I should have remembered that. Thanks.
Porn site producers use them a lot... AS? What should we think now?
We should think that you know more about what porn sites do than AScott does. ;-)
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Dang, beat me to it
--

Drew