What’s Causing that Network Traffic on Linux?

I noticed some periodic network traffic on my Ubuntu 12.04 box.

[Screenshot: Ubuntu’s System Monitor network history, showing the periodic traffic]

Naturally, I wondered what was polling like that…

Then I realized that netstat -ap will tell me which process owns a port, but it doesn’t provide enough information to figure out which process is responsible for the traffic.

sudo apt-get install iftop
sudo iftop -Pp

Iftop is closer to what I wanted: it shows traffic per connection, but it doesn’t connect the ports carrying that traffic to a PID. At least it showed me that all the traffic was local or to Google’s 1e100.net, rather than to any of the other connections netstat showed. But I still didn’t know which process was responsible.

A little googling turned up Nethogs. Much closer to what I needed and easy to install.

sudo apt-get install nethogs
sudo nethogs

[Screenshot: Nethogs console output]

But here I get stuck. I killed the synergy client and chromium, but the traffic pattern is still there. Nethogs lumps all the packets it can’t associate with a PID into the ‘?’ row.

To sum up…

  • netstat connects IP:port to PID
  • iftop connects port to traffic
  • nethogs connects PID to traffic, but most of the traffic is lumped into ‘unknown’
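The missing piece in that list is the join between the first two tools. Here is an added example (my own script, not from the original post) that pairs the port-to-PID map from netstat -tnp with the per-flow rates from iftop -t, so every flow is labelled with its owning process. The two inputs are constructed samples in the approximate shape of those commands’ output; the "live" argument captures real output instead.

```sh
#!/bin/sh
# Added example, not from the original post: join "netstat -tnp" (local
# port -> PID/program) with "iftop -t" (flow -> sent/received rates).
# Both inputs below are constructed samples; pass "live" to capture real ones.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:45678      74.125.225.20:443       ESTABLISHED 2345/chromium-browse
tcp        0      0 127.0.0.1:24800         127.0.0.1:52134         ESTABLISHED 1300/synergys
tcp        0      0 127.0.0.1:52134         127.0.0.1:24800         ESTABLISHED 1200/synergyc'

# iftop -t prints each flow as a "=>" line (local endpoint, remote endpoint,
# bytes sent) followed by a "<=" line (bytes received); the three numbers are
# the 2s/10s/40s averages. Only the 2s figure is used here.
IFTOP_SAMPLE='   1 192.168.1.10:45678        =>  74.125.225.20:443        1.20KB  1.50KB  1.10KB
                                 <=                           14.5KB  15.0KB  13.2KB
   2 127.0.0.1:52134             =>  127.0.0.1:24800          0.50KB  0.40KB  0.30KB
                                 <=                           0.60KB  0.50KB  0.40KB'

# flows_with_pids NETSTAT_TEXT IFTOP_TEXT: one line per flow with the sent and
# received rates and the PID/program owning the local port. Sockets netstat
# could not attribute (not run as root, or kernel-owned) are shown as "?".
flows_with_pids() {
  pidmap=$(printf '%s\n' "$1" | awk '$1 == "tcp" && $7 ~ /\// { print $4, $7 }')
  printf '%s\n' "$2" | awk -v pidmap="$pidmap" '
    BEGIN {
      n = split(pidmap, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], kv, " "); pid[kv[1]] = kv[2] }
    }
    $3 == "=>" { src = $2; dst = $4; sent = $5; next }
    $1 == "<=" {
      owner = (src in pid) ? pid[src] : "?"
      printf "%s -> %s sent=%s recv=%s owner=%s\n", src, dst, sent, $2, owner
    }'
}

if [ "${1:-}" = "live" ]; then
  # Root is needed for netstat to see other users PIDs and for iftop to capture;
  # -t is text mode, -s 5 prints one report after five seconds and exits.
  flows_with_pids "$(netstat -tnp 2>/dev/null)" "$(iftop -t -P -p -s 5 2>/dev/null)"
else
  flows_with_pids "$NETSTAT_SAMPLE" "$IFTOP_SAMPLE"
fi
```

Flows whose owner still comes back as "?" are the ones nethogs also cannot attribute, which is where ntop’s longer-running view becomes useful.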

Then, there’s ntop, which runs as a daemon, has a web interface, and produces incredibly detailed reports.  I installed it. We’ll see what it comes up with after it’s run for a while.

sudo apt-get install ntop

You have to create an admin password during the install.

Virus Scanning Windows from Knoppix

Why worry about scanning Windows for viruses from inside Windows? Use Knoppix to scan for viruses from the safety of a Linux-based, read-only OS.

If you don’t already have it, get Knoppix with your favorite BitTorrent client (I use Azureus 2.5) and this tracker. I use the DVD, but the CD version should work the same for this.

You can find downloading, burning, and booting help here. Boot to Knoppix.

In order to update virus definitions, a working internet connection is needed. In my case (a DHCP-enabled Linksys Cable/DSL router) things “just worked” with Knoppix’s magic boot configuration. If you run into problems, I suggest starting with the FAQ Pages then trying Google.

Naturally, the disks I want to scan need to be available–that is, they need to be recognized by the kernel and mounted. For me this just works again thanks to Knoppix boot config magic. If you run into bad magic, consult the above sources, or whatever divine ones you have access to.

I check to see if they’re already there. Since I have SATA drives in this box, they should appear as /dev/sd*. IDE drives would appear as /dev/hd*.

# df
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
/dev/shm ... /dev/shm

No hard disks are mounted, so I check /etc/fstab to see if Knoppix recognized them.

# cat /etc/fstab
/proc /proc proc rw,nosuid,nodev,noexec 0 0
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0

The “Added by KNOPPIX” entries are the two partitions on my SATA drive. Since Knoppix recognized them, I can simply mount them.

# mount /dev/sdc1
# mount /dev/sdc2
# df -k
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
/dev/shm ... /dev/shm
/dev/sdc1 ... /media/sdc1
/dev/sdc2 ... /media/sdc2

Just like any OS, Knoppix gets patched regularly. Since I want to have the latest, greatest virus scan, I’ll get (some of) the updates with the bundled Debian package manager.

# apt-get update

There’s a lot of output from that command, which updates the Debian package manager’s package list. It just means the installer now knows about the latest packages.

I use ClamAV to scan for viruses, so I’ll check that it’s up to date according to the package installer.

# apt-get install clamav
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed: libclamav2
Suggested packages: unrar
The following packages will be upgraded: clamav
Do you want to continue [Y/n]? Y

The changelogs are presented (press ‘q’ to exit) and there are more prompts to follow, but the install should work without any errors.

I also want to update the ClamAV utility that fetches the current virus definitions.

# apt-get install clamav-freshclam

This time, the install wants to replace a conf file that has been locally modified. I choose to install the package maintainer’s version, after comparing the two side by side.

When that’s done, I update the virus definitions.

# freshclam

Finally, scan.

# cd /media
# clamscan -r -l /var/clamlog

The options -r and -l [filename] are for recursively scanning directories and logging the scan output, respectively. Note that this will only identify viruses. If I wanted to take action when an infection is found, I’d have to specify what to do with other options.
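The whole procedure above (find the Knoppix-detected partitions, mount them, refresh definitions, scan with a log) fits in one script. This is an added example written for this page, not Knoppix or ClamAV code; FSTAB_SAMPLE is a constructed copy of the fstab shown above, it mounts read-only rather than with the exec/umask=000 options Knoppix writes, and it assumes mount accepts the filesystem type from the fstab entry.

```sh
#!/bin/sh
# Added example, not from the original post: the Knoppix scan procedure as one
# script. With "run" as the first argument it uses the real /etc/fstab and
# needs root; with no argument it only lists entries from the sample below.
FSTAB_SAMPLE='/proc /proc proc rw,nosuid,nodev,noexec 0 0
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0'

# knoppix_entries FSTAB_TEXT: print "device mountpoint fstype" for each entry
# that directly follows an "Added by KNOPPIX" comment (the detected disks).
knoppix_entries() {
  printf '%s\n' "$1" | awk '
    /^# Added by KNOPPIX/ { take = 1; next }
    take && $1 ~ /^\/dev\// { print $1, $2, $3 }
    { take = 0 }'
}

# mount_for_scan FSTAB_TEXT: mount every detected partition read-only, so the
# scan cannot write to the Windows disk, skipping anything already mounted.
mount_for_scan() {
  knoppix_entries "$1" | while read -r dev mnt fstype; do
    if grep -q " $mnt " /proc/mounts; then
      echo "$mnt already mounted"
    else
      mount -t "$fstype" -o ro "$dev" "$mnt"
    fi
  done
}

# scan_tree DIR LOGFILE: refresh definitions, then scan recursively (-r),
# logging to LOGFILE (-l) and printing only infected files (--infected).
# clamscan exits 0 when clean, 1 when infections were found, 2 on error.
scan_tree() {
  freshclam
  clamscan -r -l "$2" --infected "$1"
}

case "${1:-}" in
  run) mount_for_scan "$(cat /etc/fstab)" && scan_tree /media /var/clamlog ;;
  *)   knoppix_entries "$FSTAB_SAMPLE" ;;
esac
```

Checking the exit status of clamscan (1 means something was found) is how a later, unattended run of this would tell a clean disk from an infected one.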

As I write this up, I’m scanning my squeaky-clean new computer. I don’t expect any problems there. Once it’s done, I’ll scan my older Windows machine, and that might be more interesting.