1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WAN Traffic

Discussion in 'Internet, Connectivity and Communications' started by Boycie, Dec 20, 2006.

  1. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Last night i got up in the middle of the night and noticed the DSL light on my Zyxel 660HW was flashing like mad even though there were no machines on. :blink
    I was half asleep so didn't really take much notice.

    Tonight, it is doing the same. I did a little test with nothing running from Ubuntu with only the config page of the router open ten minutes apart (attached). The ten minute gap is with no computers on, so I don't understand why there is so much packet transfer. I am going to swop the router over, re-check and e-mail the ISP if it is the same.

    Can anyone think why there is what I think is a lot going on with no machines turned on?

    Thanks

    Si
     

    Attached Files:

    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  2. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    Boycey, although that's a few more packets than I'd expect, I would expect some as there is always going to be some overhead traffic between your router and your ISP carrying things like DHCP information and so on.
     
    Certifications: A+, Network+
    WIP: 70-270
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Baba,

    That's just it matey, i don't know what is normal- I have never noticed the DSL light constantly flashing or looked at packet transfer.

    I am sure someone (Harry :biggrin ) knows exactly what is normal and possibly what is going on.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    I just did a quick test. The two attached screenshots have a 1 minute gap between them and although I had a PC running, absolutely everything that might access the net was closed down.


    As you can see, in that minute my ADSL modem received 232 bytes and transmitted 24 bytes.

    Do you use any p2p programs? I've found that you receive traffic from those networks even if you're not running the application at the time. I guess they are "pings" to see if your node is active. I imagine that could account for a fair amount of traffic over time.
     

    Attached Files:

    Certifications: A+, Network+
    WIP: 70-270
  5. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Hi Baba,

    No, i don't use any peer to peer software and although I haven't sat looking at the DSL light for any given amount of time, I guess I just haven't noticed it.

    Edit- I am sure it never used to flash like that. :dry

    Merry Christmas

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  6. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    Guess we'll just have to wait for Harry...:D
     
    Certifications: A+, Network+
    WIP: 70-270
  7. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Is the Zyxel attached to the Internet? Why wouldn't packets from the Internet cause the activity light to flicker, even with no active PCs on your network?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Mike,

    The light is working correctly if there is traffic, but the reason I started the thread was because I don't know what is *normal*- I have never noticed the light flashing constantly.

    I have had it for over a year, been with the same ISP for six months and it is placed where the activity lights are viewable easily.

    It doesn't seem to make any difference whether there is any machines on or not.

    A confused Si.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  9. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Hm. I always see activity on my Charter cable Internet connection.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Boycey

    Absolutely normal background noise mate. As well as things like DHCP activity from your ISP, you have to take into account the regular background net scans from things like Slammer, MyDoom, Messenger Spam & crap like that. Also, even with nowt running, you've probably still got things like WMP, Winamp, Acrobat (Adobe's stuff is amongst the worst) and RealPlayer 'phoning home' on a regular basis.

    just to put your mind at rest, here's the last few minutes of my firewall logs - inbound only:

    [​IMG]

    If you really want to have a peek at whats going on, get yourself some SNMP logging set up on your router/firewall. You'd be surprised at just how much traffic there is out there!
     
    Certifications: A few
    WIP: None - f*** 'em
  11. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Zeb,

    Thanks for that mate. I think it isn't the light on the routers fault, it's my light - i'm turning in to a geek! :)

    I have just downloaded Wallwatcher, although having a bit of trouble getting it to talk to the Zyxel unit - it is on their approved list.

    Thanks again.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  12. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    No worries - and if you think YOU'RE a geek for caring, you should see what i do with MY firewall logs every month!

    Suffice it to say it involves Excel spreadhseets, reformatting, importing to an database on SQL server and compiling charts & graphs back in Excel.

    Now THAT'S sad :oops:
     
    Certifications: A few
    WIP: None - f*** 'em
  13. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Zeb,

    Blimey, you have just removed my beard and long hair! :)

    Seriously, where would you say a lot of the crap comes from? People port scanning from oversea's?

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  14. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Well, the vast majority of activity you'll see is from Bots or compromised/unpatched Windows boxes. This goes for pretty much all scans for ports 1025-1033 (Messenger spam), port 135/137/139/445 (Windows share vulnerabilities - usually Bugbear, Sasser etc), 3127 (MyDoom), 1433/1434 (Slammer or SQL Server connections) and a whole host of others.

    There are much, much less frequent attempts for less well-known exploits that turn up in my logs from time to time. For instance, a couple of months back I started to see a few hits on port 6129 (looking for Dameware) and port 27374 (SubSeven). These lasted about two weeks and were very sneakily spread out. This type of activity is usually more indicative of an 'active' attempt to hack you - but it takes patience (or a pretty good IDS) to discover them.

    Speaking of IDS - I run Snort with the ACID console on a Windows box - logging to SQL Server with IIS running PHP. It works an absolute treat (when I can be arsed to turn it on, which, at the moment, isn't very often cos I've got six other boxes running pretty much 24/7 - my last leccy bill was £285 for a quarter :eek: ) and provides pretty much all the functionality of a commercial IDS for free...

    I find it fantastically entertaining when a new worm breaks out just to watch how my scans go through the roof. When Slammer hit a few years back, I saw compromised boxes on the local Telewest subnets hit my box like buggery - it was pretty funny to get all those calls from the DBAs I'd worked with previously saying that none of their systems worked and they were being screamed at left right and centre by their bosses. Of course, I knew all this in advance from watching my firewall logs and hanging around on newsgroups... and all the DBs I managed were nicely patched on networks that didn't expose 1433/1434 to the Internet :biggrin

    Sometimes being a nerd has its benefits...
     
    Certifications: A few
    WIP: None - f*** 'em
  15. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Zeb,

    Thanks for a good explanation - you have cleared up a lot of my questions.

    I seem to recall in previous posts you favouring Linksys boxes because you can nuke them and install a *nix based system with a good range of utilities. A *quick* google brought up many wireless mod's. What do you use?

    Merry Christmas

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  16. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Hey mate

    I use the WRT54G. Its a fantastic piece of kit - but beware of getting one that can't be tinkered with. LinkSys threw their toys out the pram a year or so ago and changed the onboard gubbins that allowed you to modify the firmware - basically crippling it so that there wasn't enough memory to run anything other than the bog standard Linksys firmware.

    There's a couple of very good articles around that list the specific model/revisions that are moddable - I'll dig them out when i get the chance.

    As for firmware, I've used lots of different kinds - Alchemy from Sveasoft, DD-WRT and HyperWRT and have concluded that, whilst DD-WRT gives the best range of options, HyperWRT is by far the most stable out there. I have flashed tons of WRT54G's and NEVER bricked one with HyperWRT, but haven't had the same success ratio with DD-WRT. That said, HyperWRT doesn't support SNMP and, as its not maintained any more, support for it isn't likely to be added (I miss being able to graph traffic using PRTG/MRTG :cry: )

    Sveasoft is a different matter entirely - I won't use their stuff on general principle owing to the company owner's (ahem) 'liberal' interpretation of the GPL - for more info on that, just Google 'SveaSoft' and 'GPL'...

    This link gives a potted history of the controversy.
     
    Certifications: A few
    WIP: None - f*** 'em
  17. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Zeb,

    Interesting read. It is a shame someone has taken their own *view* on GPL. :dry

    If you do find anything else on modding the WRT's i'd love to read them.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT

Share This Page

Loading...