[SWLUG] Odd traffic. What is going on here?

Neil Jones neil at nwjones.demon.co.uk
Tue May 8 14:33:40 UTC 2007


Hi folks,

I'd like some advice from the more expert of you as to what may be going
on with my desktop machine. I have been having times when there seems to
be traffic going to and from it when there shouldn't have been.
The modem is flashing like mad and sometimes there is disk activity. 
This has occurred when I have come back to my computer after being out
of the room for a while so I cannot be doing it.

I am not sure what is being blocked by the firewall although I am sure
it is set up right. I am using Mandriva.

Here is a sanitised dump. The XXX things represent my box, I think.
I was typing in a word processor at the time I noticed it. I had browser
windows on the desktop but was not surfing.

 /usr/sbin/tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:34:04.814498 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 4180118674 win 1460
<nop,nop,timestamp 1857843384 3311051>
12:34:04.886987 IP 64-161-36-80.sierranevada.edu.33038 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 4181018908 win 2172
<nop,nop,timestamp 1857843391 3311051>
12:34:04.821786 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: P 1:21(20) ack 0 win 1448
<nop,nop,timestamp 3311102 1857843384>
12:34:04.866862 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  18827+ PTR? 26.215.11.82.in-addr.arpa. (43)
12:34:04.876566 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  18827 1/2/1 (160)
12:34:04.877508 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  24247+ PTR? 80.36.161.64.in-addr.arpa. (43)
12:34:04.885516 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  24247 1/2/0 (129)
12:34:04.887697 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  44516+ PTR? 100.4.168.194.in-addr.arpa. (44)
12:34:04.895010 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  44516 1/2/1 (127)
12:34:04.991028 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 21 win 1460
<nop,nop,timestamp 1857843584 3311102>
12:34:04.991258 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 0:20(20) ack 21 win 1460
<nop,nop,timestamp 1857843584 3311102>
12:34:04.991584 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 20 win 1448
<nop,nop,timestamp 3311144 1857843584>
12:34:04.995949 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: P 21:725(704) ack 20 win 1448
<nop,nop,timestamp 3311145 1857843584>
12:34:05.173434 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 20:172(152) ack 725 win
1812 <nop,nop,timestamp 1857843766 3311145>
12:34:05.213123 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 172 win 1716
<nop,nop,timestamp 3311200 1857843766>
12:34:05.399740 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 172:316(144) ack 725 win
1812 <nop,nop,timestamp 1857843992 3311200>
12:34:05.399902 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 316 win 1984
<nop,nop,timestamp 3311246 1857843992>
12:34:05.510683 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: P 725:1445(720) ack 316 win 1984
<nop,nop,timestamp 3311274 1857843992>
12:34:05.690500 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 316:332(16) ack 1445 win
2172 <nop,nop,timestamp 1857844283 3311274>
12:34:05.690671 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 332 win 1984
<nop,nop,timestamp 3311319 1857844283>
12:34:05.860373 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 332:384(52) ack 1445 win
2172 <nop,nop,timestamp 1857844453 3311319>
12:34:05.860721 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 384 win 1984
<nop,nop,timestamp 3311361 1857844453>
12:34:05.861052 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: P 1445:1497(52) ack 384 win 1984
<nop,nop,timestamp 3311361 1857844453>
12:34:06.033143 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 384:468(84) ack 1497 win
2172 <nop,nop,timestamp 1857844626 3311361>
12:34:06.038199 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  63213+ PTR? 80.36.161.64.in-addr.arpa. (43)
12:34:06.056841 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  63213 1/2/0 (129)
12:34:06.058183 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  46312+ A? 64-161-36-80.sierranevada.edu. (47)
12:34:06.065406 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  46312 NXDomain 0/1/0
(105)
12:34:06.071948 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  33173+[|domain]
12:34:06.073166 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 468 win 1984
<nop,nop,timestamp 3311415 1857844626>
12:34:06.078514 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  33173 NXDomain[|domain]
12:34:06.098257 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: P 1497:1581(84) ack 468 win 1984
<nop,nop,timestamp 3311421 1857844626>
12:34:06.244849 IP 10.217.200.1.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply, length: 305
12:34:06.245510 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  21720+ PTR? 255.255.255.255.in-addr.arpa. (46)
12:34:06.252577 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  21720 NXDomain 0/1/0
(113)
12:34:06.253282 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  58684+ PTR? 1.200.217.10.in-addr.arpa. (43)
12:34:06.270135 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 468:520(52) ack 1581 win
2172 <nop,nop,timestamp 1857844861 3311421>
12:34:06.270315 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: F 520:520(0) ack 1581 win
2172 <nop,nop,timestamp 1857844861 3311421>
12:34:06.270381 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: . ack 520 win 1984
<nop,nop,timestamp 3311464 1857844861>
12:34:06.270515 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: S 693499177:693499177(0)
win 5840 <mss 1380,sackOK,timestamp 1857844862 0,nop,wscale 2>
12:34:06.270619 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: S 4186181830:4186181830(0) ack
693499178 win 5792 <mss 1460,sackOK,timestamp 3311464
1857844862,nop,wscale 2>
12:34:06.270713 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  58684 NXDomain* 0/1/0
(103)
12:34:06.272785 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33062: F 1581:1581(0) ack 521 win 1984
<nop,nop,timestamp 3311464 1857844861>
12:34:06.446346 IP 64-161-36-80.sierranevada.edu.33062 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 1582 win 2172
<nop,nop,timestamp 1857845040 3311464>
12:34:09.269427 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: S 693499177:693499177(0)
win 5840 <mss 1380,sackOK,timestamp 1857847862 0,nop,wscale 2>
12:34:09.269575 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: S 4186181830:4186181830(0) ack
693499178 win 5792 <mss 1460,sackOK,timestamp 3312214
1857844862,nop,wscale 2>
12:34:09.470892 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 1 win 1460
<nop,nop,timestamp 1857848064 3312214>
12:34:09.760649 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: P 1:21(20) ack 1 win 1448
<nop,nop,timestamp 3312336 1857848064>
12:34:09.931494 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 21 win 1460
<nop,nop,timestamp 1857848525 3312336>
12:34:09.931688 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 1:21(20) ack 21 win 1460
<nop,nop,timestamp 1857848525 3312336>
12:34:09.931913 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 21 win 1448
<nop,nop,timestamp 3312379 1857848525>
12:34:09.935301 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: P 21:725(704) ack 21 win 1448
<nop,nop,timestamp 3312380 1857848525>
12:34:10.115522 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 21:173(152) ack 725 win
1812 <nop,nop,timestamp 1857848707 3312380>
12:34:10.153433 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 173 win 1716
<nop,nop,timestamp 3312435 1857848707>
12:34:10.337194 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 173:317(144) ack 725 win
1812 <nop,nop,timestamp 1857848929 3312435>
12:34:10.337378 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 317 win 1984
<nop,nop,timestamp 3312480 1857848929>
12:34:10.422945 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: P 725:1445(720) ack 317 win 1984
<nop,nop,timestamp 3312502 1857848929>
12:34:10.603621 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 317:333(16) ack 1445 win
2172 <nop,nop,timestamp 1857849197 3312502>
12:34:10.603792 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 333 win 1984
<nop,nop,timestamp 3312547 1857849197>
12:34:10.775235 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 333:385(52) ack 1445 win
2172 <nop,nop,timestamp 1857849368 3312547>
12:34:10.775586 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 385 win 1984
<nop,nop,timestamp 3312590 1857849368>
12:34:10.775918 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: P 1445:1497(52) ack 385 win 1984
<nop,nop,timestamp 3312590 1857849368>
12:34:10.957257 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 385:485(100) ack 1497
win 2172 <nop,nop,timestamp 1857849550 3312590>
12:34:10.962779 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  53291+ PTR? 80.36.161.64.in-addr.arpa. (43)
12:34:10.969913 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  53291 1/2/0 (129)
12:34:10.973234 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  28094+ A? 64-161-36-80.sierranevada.edu. (47)
12:34:10.993508 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: . ack 485 win 1984
<nop,nop,timestamp 3312645 1857849550>
12:34:10.997555 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  28094 NXDomain 0/1/0
(105)
12:34:11.006008 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039 >
cache1.ntli.net.domain:  22737+[|domain]
12:34:11.014452 IP cache1.ntli.net.domain >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.1039:  22737 NXDomain[|domain]
12:34:11.050683 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: P 1497:1581(84) ack 485 win 1984
<nop,nop,timestamp 3312659 1857849550>
12:34:11.222286 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 485:537(52) ack 1581 win
2172 <nop,nop,timestamp 1857849815 3312659>
12:34:11.222473 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: F 537:537(0) ack 1581 win
2172 <nop,nop,timestamp 1857849815 3312659>
12:34:11.222669 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: S 4246055040:4246055040(0)
win 5840 <mss 1380,sackOK,timestamp 1857849815 0,nop,wscale 2>
12:34:11.222793 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: S 4190993577:4190993577(0) ack
4246055041 win 5792 <mss 1460,sackOK,timestamp 3312702
1857849815,nop,wscale 2>
12:34:11.224858 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33083: F 1581:1581(0) ack 538 win 1984
<nop,nop,timestamp 3312702 1857849815>
12:34:11.393202 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 1 win 1460
<nop,nop,timestamp 1857849986 3312702>
12:34:11.396756 IP 64-161-36-80.sierranevada.edu.33083 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 1582 win 2172
<nop,nop,timestamp 1857849989 3312702>
12:34:11.483089 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: P 1:21(20) ack 1 win 1448
<nop,nop,timestamp 3312767 1857849986>
12:34:11.664903 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: . ack 21 win 1460
<nop,nop,timestamp 1857850258 3312767>
12:34:11.665098 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 1:21(20) ack 21 win 1460
<nop,nop,timestamp 1857850258 3312767>
12:34:11.665324 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: . ack 21 win 1448
<nop,nop,timestamp 3312812 1857850258>
12:34:11.668671 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: P 21:725(704) ack 21 win 1448
<nop,nop,timestamp 3312813 1857850258>
12:34:11.846762 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 21:173(152) ack 725 win
1812 <nop,nop,timestamp 1857850439 3312813>
12:34:11.885541 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: . ack 173 win 1716
<nop,nop,timestamp 3312868 1857850439>
12:34:12.056973 IP 64-161-36-80.sierranevada.edu.33542 >
xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh: P 173:317(144) ack 725 win
1812 <nop,nop,timestamp 1857850649 3312868>
12:34:12.057132 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: . ack 317 win 1984
<nop,nop,timestamp 3312910 1857850649>
12:34:12.167229 IP xxxx-xxxx-x-x-xxxxxxx.xxxx.xxxxx.xxx.com.ssh >
64-161-36-80.sierranevada.edu.33542: P 725:1445(720) ack 317 win 1984
<nop,nop,timestamp 3312938 1857850649>

88 packets captured
182 packets received by filter
0 packets dropped by kernel
[root at cpc1-neat1-0-0-cust793 Desktop]# /usr/sbin/tcpdump -i eth0
>tempdump2.txt
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
136 packets captured
272 packets received by filter
0 packets dropped by kernel
[root at cpc1-neat1-0-0-cust793 Desktop]# 
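The capture above shows the same remote host (64-161-36-80.sierranevada.edu) opening a fresh SSH session every few seconds from a new source port (33062, 33083, 33542), each one exchanging only a few hundred bytes before a FIN, a pattern consistent with automated login attempts against sshd. As an added example that is not part of the original post, this script parses tcpdump's one-line output format and flags any source that opens several new SSH sessions inside a short window; the sample lines are constructed and the destination name is shortened to a placeholder.

```python
import re
from collections import defaultdict
# Constructed sample in tcpdump's one-line format, modelled on the capture in
# the post (same remote host, source ports and second-scale timing).
SAMPLE = """\
12:34:06.270515 IP 64-161-36-80.sierranevada.edu.33083 > xxxx.xxx.com.ssh: S 693499177:693499177(0) win 5840
12:34:09.269427 IP 64-161-36-80.sierranevada.edu.33083 > xxxx.xxx.com.ssh: S 693499177:693499177(0) win 5840
12:34:11.222473 IP 64-161-36-80.sierranevada.edu.33083 > xxxx.xxx.com.ssh: F 537:537(0) ack 1581 win 2172
12:34:11.222669 IP 64-161-36-80.sierranevada.edu.33542 > xxxx.xxx.com.ssh: S 4246055040:4246055040(0) win 5840
12:34:15.100000 IP 64-161-36-80.sierranevada.edu.33600 > xxxx.xxx.com.ssh: S 1:1(0) win 5840
12:34:20.000000 IP 10.0.0.5.40000 > xxxx.xxx.com.ssh: S 7:7(0) win 5840
"""

# time, source host, source port, destination (must be our ssh port), TCP flag
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > \S+\.ssh: (\S)")

def new_ssh_connections(dump):
    """Return (src_host, src_port, seconds_since_midnight) per inbound SYN to ssh."""
    seen, out = set(), []
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m or m.group(6) != "S":      # only SYNs open a session
            continue
        hh, mm, ss, host, port = m.groups()[:5]
        if (host, port) in seen:            # retransmitted SYN: same session
            continue
        seen.add((host, port))
        out.append((host, int(port), int(hh) * 3600 + int(mm) * 60 + float(ss)))
    return out

def flag_repeat_sources(conns, window=60.0, threshold=3):
    """Flag hosts opening >= threshold new ssh sessions inside any window-second span.
    Assumes the capture does not cross midnight."""
    by_host = defaultdict(list)
    for host, _, t in conns:
        by_host[host].append(t)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    for host, n in flag_repeat_sources(new_ssh_connections(SAMPLE)).items():
        print(f"{host}: {n} new ssh sessions within 60s")
```

Run it against a saved capture (such as the tempdump2.txt above) by reading the file into `new_ssh_connections`; the retransmitted SYN from port 33083 is counted once, and the lone 10.0.0.5 session is not flagged.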