System Monitor/ Network activity

Support for security such as Firewalls and securing linux
Post Reply
oldwierdal
Posts: 119
Joined: 2007/04/23 13:57:42
Location: Yuma, Arizona

System Monitor/ Network activity

Post by oldwierdal » 2007/05/08 11:27:27

This could well be an ignorant question. But, here goes,.......
I have the System Monitor installed on my system tray, set up to show processor, network, load, etc.
On Centos5 I see continuous low-level network activity, 3% to 5%, just sort-of trickling, with occasional spikes to 60% to 75%, even when I'm off-line.
I had the same setup on Centos4, but I never saw that sort of network activity with Centos4.
Of course, when I am on line, as expected, I see network activity in the monitor, and If I happen to be downloading a file, the monitor reflects that.
This is a stand-alone computer, just for desktop use, not on any network.
My question, then, is this. Is there really some network activity going on, even when I'm not on line? If so, what is different with Centos5 compared to Centos4? And what is this activity? Am I being probed?
Thanks,
owa

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

System Monitor/ Network activity

Post by gerald_clark » 2007/05/08 13:05:01

There are many network services that broadcast information or respond to broadcasts.
You have arp. Are you running smb/nmb also? What about ntp?

NedSlider
Forum Moderator
Posts: 2897
Joined: 2005/10/28 13:11:50
Location: UK

Re: System Monitor/ Network activity

Post by NedSlider » 2007/05/08 19:10:37

Firstly, yes you are being probed. We all are, constantly. That's why we have firewalls. So long as you're behind a firewall, you are (relatively) safe. But that's probably not the constant low level chatter you're seeing.

How are you connected to the internet - a broadband router or straight dialup? Either way, you'll get a lot of background chatter as gerald indicated.

You can always fire up wireshark and take a look for yourself.

oldwierdal
Posts: 119
Joined: 2007/04/23 13:57:42
Location: Yuma, Arizona

Re: System Monitor/ Network activity

Post by oldwierdal » 2007/05/08 23:38:26

Ahh! I've stumbled onto the fix, if not the cause, of my little problem.
First, I had, for years, been behind a router to the internet. The router got borked, and I connected directly to the Wildblue Satellite modem. When I did that, directly connected to the modem, I noticed that my computer was no longer me@localhost, but me@. With FC3 and then with CentOS4, this posed no problem (or at least I was not aware of any problem). But, with FC5 and now CentOS5 I began to notice this low level activity. I mentioned this to a co-worker, and he suggested getting behind a router again. So, today I grabbed a Linksys WR54G router and hooked it up. The problem seems to have been solved. I'll monitor this for a while before I pronounce it well, but my computer is again identified as me@localhost, and when I disconnect from the internet, the network monitor shows no activity at all.
So, problem solved or not, this begs the question, what is different about FC5/CentOS5 that would cause this? Interesting problem. 100% self-taught, I haven't the network background to help me, so I'll have to rtfm and poke around. If anyone has a quicker answer, I'm all ears.
Thanks, both of you, for your responses. I appreciate that. Any feedback would be very welcome.
owa

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: System Monitor/ Network activity

Post by michaelnel » 2007/05/09 00:08:56

"me@localhost" or for that matter "me@anything" is not a machine name, it's an email address.

If you want to see what that low level network traffic is, run wireshark to capture and display it. I suspect some of it is arp traffic, some may be cups advertising, etc...

oldwierdal
Posts: 119
Joined: 2007/04/23 13:57:42
Location: Yuma, Arizona

Re: System Monitor/ Network activity

Post by oldwierdal » 2007/05/10 16:02:10

Thank you for your correction, but the question remains; why the change from me@localhost on CentOS4 to me@ on CentOS5? Why the change back to me@localhost now that I'm behind the router? And does this change account for seeing the network activity on CentOS5, even when off-line, when there was no activity like this on CentOS4? And, as I mentioned, behind the router, now, there is no such activity showing. The firestarter logs do reveal lotsa probes prior to installing the router, and nothing since.
Thanks,
owa

foxb
Posts: 1927
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Re: System Monitor/ Network activity

Post by foxb » 2007/05/12 12:49:12

Fist

localhos or may be changed from DHCP server that you use to obtain your IP address

Did you setup hostname on CentOS 5?

Second

Having network activity is normal (sort of)

For example On my firewall I have 3000-30000 probes a day, but that is main job of firewalls to block unwanted traffic.

Post Reply