Gentoo Forums - Networking & Security
steady 175K/s outbound stream to 224.0.0.56

splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Thu Mar 13, 2014 6:13 am    Post subject: steady 175K/s outbound stream to 224.0.0.56

I'm running Gentoo x86_64:
Code:
3.13.6-gentoo #2 SMP Mon Mar 10 13:42:12 WST 2014 x86_64 Intel(R) Core(TM) i7-3820 CPU @ 3.60GHz GenuineIntel GNU/Linux

Profile:
Code:
13.0/Desktop


I apologise if this thread should have been under Multimedia, but as far as I'm concerned it's a network problem.

I've noticed that I have a constant stream of data (175K/sec) going out from this machine to 224.0.0.56.

I'm in Australia and all broadband is metered so 175K/s 24 hours a day is adding up.

How do I determine what is causing this?

There is some conjecture that it may be PulseAudio; if it is PA I have searched high and low and I can't find a way to disable this steady outbound stream by reviewing the USE flags.

Emerge Info: http://pastebin.com/1kAnXbCE

PulseAudio Package USE Flags:
Code:
[ebuild   R    ] media-sound/pulseaudio-5.0  USE="X alsa asyncns avahi bluetooth caps dbus gdbm glib gnome gtk ipv6 libsamplerate orc qt4 ssl tcpd udev webrtc-aec -doc -equalizer -jack -lirc (-neon) (-oss) -realtime (-system-wide) -systemd {-test} -xen" ABI_X86="(64) -32 (-x32)" 0 kB


I have just installed NTOP and am allowing it to aggregate data, but I'm not sure that's the right tool for this.

Any help is greatly appreciated,

Kirk
_________________
--=>Like... Goodness had nothing to do with it.<=--
666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1241
Location: 42.68n 85.41w

PostPosted: Thu Mar 13, 2014 7:33 am

https://wiki.gentoo.org/wiki/Ufw

add this

and then emerge ufwfrontends

then ufw-gtk and block the traffic from going out until you can figure out what is causing the traffic. I'll buy you some time :twisted:
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
https://wiki.gentoo.org/index.php?title=Special:Contributions/666threesixes666&offset=&limit=500&target=666threesixes666
splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Thu Mar 13, 2014 7:36 am

666threesixes666 wrote:
https://wiki.gentoo.org/wiki/Ufw

add this

and then emerge ufwfrontends

then ufw-gtk and block the traffic from going out until you can figure out what is causing the traffic. I'll buy you some time :twisted:


Thank you, I'll report back when I have a result.

K
khayyam
Advocate
Joined: 07 Jun 2012
Posts: 2245

PostPosted: Thu Mar 13, 2014 8:56 am

splurben ...

I can't think why 666threesixes666 is suggesting iptables (ufw) for network analysis, it's the wrong tool for the job ... there are various tools out there for such a task, net-analyzer/tcpdump or net-analyzer/wireshark to name two.

Code:
# tcpdump -i eth0

Anyhow, 224.0.0.56 is a multicast address, so my guess would be Multicast RTP (given you seem to think it's pulseaudio). Not ever having used PA I can only guess what might be the issue but I would grep its config file(s) for "rtp" and disable it.

best ... khay
666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1241
Location: 42.68n 85.41w

PostPosted: Thu Mar 13, 2014 9:00 am

I'm suggesting immediately stopping the traffic, so he can gather himself, and take time to understand what the root issue is kazam...
khayyam
Advocate
Joined: 07 Jun 2012
Posts: 2245

PostPosted: Thu Mar 13, 2014 9:58 am

666threesixes666 wrote:
I'm suggesting immediately stopping the traffic, so he can gather himself, and take time to understand what the root issue is kazam...

You mean "immediately" after emerging pygtk and its dependencies?

Code:
iptables -I OUTPUT -o eth0 -d 224.0.0.56 -j DROP

... and btw, the next time you refer to me as 'kazam' I will be hitting the report button.

khay
blu3bird
Retired Dev
Joined: 04 Oct 2003
Posts: 610
Location: Munich, Germany

PostPosted: Thu Mar 13, 2014 10:29 am

Code:
netstat -apn | grep 224.0.0.56


Unless it's some sort of rootkit, this will show you which pid/process is sending the data.
_________________
Black Holes are created when God divides by zero!


Last edited by blu3bird on Fri Mar 14, 2014 8:52 am; edited 1 time in total
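What `netstat -apn` does under the hood, as an added example that is not part of the original thread or of any project's code: read /proc/net/udp, decode the hex-encoded addresses, and map each matching socket's inode to a PID through the /proc/PID/fd symlinks. It assumes Linux on x86 (little-endian, so the address bytes in /proc/net/udp are reversed), that it runs as root so every process's fd table is readable, and that the destination (224.0.0.56 here) is given on the command line. One caveat the thread does not spell out: a UDP socket only shows a remote address if the program connect()ed it (the netstat result later in the thread shows PulseAudio's does); a sender using plain sendto() would show 0.0.0.0:0 here and would need tcpdump, as khayyam suggested, to attribute.

```sh
#!/bin/sh
# Added example (not from the thread): which process owns a UDP socket
# connected to a given destination, read straight from /proc/net/udp.
# Assumes Linux, x86 (host byte order = little-endian) and root.

# /proc/net/udp prints "HEXADDR:HEXPORT" with the address in host byte
# order, so "380000E0:138C" is 224.0.0.56:5004 on x86.
proc_addr_to_text() {
    hex=${1%%:*}
    port=${1##*:}
    b1=${hex#??????}                          # last byte pair  -> first octet
    b2=$(printf '%s' "$hex" | cut -c5-6)
    b3=$(printf '%s' "$hex" | cut -c3-4)
    b4=${hex%??????}                          # first byte pair -> last octet
    printf '%d.%d.%d.%d:%d\n' \
        "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))" "$((0x$port))"
}

# Print "INODE LOCAL->REMOTE" for every socket in FILE (default
# /proc/net/udp) whose remote address is ADDR. Only connect()ed sockets
# carry a remote address; unconnected ones show 0.0.0.0:0.
find_udp_sockets_to() {              # addr [file]
    addr=$1
    file=${2:-/proc/net/udp}
    tail -n +2 "$file" |
    while read -r sl laddr raddr st queues timer rexmit uid timeout inode rest; do
        rtext=$(proc_addr_to_text "$raddr")
        case $rtext in
            "$addr":*) printf '%s %s->%s\n' "$inode" "$(proc_addr_to_text "$laddr")" "$rtext" ;;
        esac
    done
}

# Map a socket inode to the PIDs holding it open (needs root to see
# other users' processes); prints "PID CMDLINE".
pids_for_inode() {                   # inode
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done | sort -u
}

# Run against the live system when a destination address is supplied,
# e.g.:  sh whosends.sh 224.0.0.56
if [ $# -ge 1 ]; then
    find_udp_sockets_to "$1" | while read -r inode conn; do
        echo "socket $conn (inode $inode) held by:"
        pids_for_inode "$inode" | sed 's/^/    pid /'
    done
fi
```

Cross-check what the packets are, not just who sends them, with `tcpdump -ni eth0 -c 5 dst host 224.0.0.56`: a steady stream of UDP to port 5004 is the RTP default and matches the PulseAudio guess.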
splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Thu Mar 13, 2014 11:53 pm    Post subject: blu3bird, I like this answer the best

blu3bird wrote:
Code:
netstat -apn | grep 244.0.0.56


Unless it's some sort of rootkit, this will show you which pid/process is sending the data.


Thank you EVERYONE for all the suggestions. I have already made a comprehensive check for a rootkit but I'm still not ruling it out.

I was fortunate to be able to turn the system off for a few days over my weekend, but it normally needs to stay on 24/7.

I'm 90% certain it's PulseAudio. If it is PA I'll try to cut out RTP as suggested by khayyam or determine if the PA has some malware using it for clandestine purposes. I vaguely remember encountering 'net sinks' for PA, so with that and RTP to work from, we should be good soon.

I will post results.
Hu
Watchman
Joined: 06 Mar 2007
Posts: 9066

PostPosted: Fri Mar 14, 2014 1:32 am

If you have a suspicion about the culprit and can afford temporary degradation of service, you could SIGSTOP the suspected culprit. If you are right, outbound traffic will cease while the culprit is suspended by the SIGSTOP. If you are wrong, you lose only the time taken for the test. Use SIGCONT when you are ready to resume the process, either because you were wrong and want to restore service or because you were right and you want to gracefully exit it.
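The SIGSTOP/SIGCONT test above as a script, added here and not part of the thread: sample the interface's kernel transmit counter for a few seconds, pause the suspect, sample again, resume it, and sample once more, so the verdict rests on whether the traffic collapses while the process is frozen. It assumes Linux (/sys/class/net/IFACE/statistics/tx_bytes), that the process is yours or you are root, and an interface name and PID given on the command line; eth0 and `pgrep pulseaudio` in the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): is PID the sender? Pause it with
# SIGSTOP, watch the interface transmit counter, resume with SIGCONT.
# Assumes Linux and permission to signal the process.

# Bytes transmitted on IFACE so far (kernel counter, monotonic).
tx_bytes() {                        # iface
    cat "/sys/class/net/$1/statistics/tx_bytes"
}

# Integer KiB/s from two counter readings SECS apart.
kbps_between() {                    # before after secs
    echo $(( ($2 - $1) / 1024 / $3 ))
}

# Average transmit rate on IFACE over SECS seconds.
tx_rate() {                         # iface secs
    b0=$(tx_bytes "$1"); sleep "$2"; b1=$(tx_bytes "$1")
    kbps_between "$b0" "$b1" "$2"
}

# Pause PID, measure, resume. The trap sends SIGCONT even if the script
# is interrupted mid-test, so the suspect is never left frozen.
# Returns 0 (success) when traffic dropped to under a quarter of the
# pre-test rate while the process was stopped.
stop_test() {                       # pid iface [secs]
    pid=$1; iface=$2; secs=${3:-10}
    before=$(tx_rate "$iface" "$secs")
    kill -STOP "$pid" || return 1
    trap 'kill -CONT "$pid" 2>/dev/null' EXIT INT TERM
    during=$(tx_rate "$iface" "$secs")
    kill -CONT "$pid"
    trap - EXIT INT TERM
    after=$(tx_rate "$iface" "$secs")
    printf 'pid %s: %s KiB/s before, %s KiB/s while stopped, %s KiB/s after\n' \
        "$pid" "$before" "$during" "$after"
    [ "$during" -lt $(( before / 4 )) ]
}

# Usage:  sh stoptest.sh "$(pgrep -x pulseaudio | head -n 1)" eth0 10
if [ $# -ge 2 ]; then
    stop_test "$@"
fi
```

With several PulseAudio processes, as in the netstat result later in the thread, run the test once per PID; a process that is stopped but whose children keep sending will show no drop, which is itself a useful answer.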
splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Fri Mar 14, 2014 2:54 am    Post subject: Culprit is PulseAudio

The netstat command with 224.0.0.56 shows three PulseAudio processes.

I've instructed pfSense to throw away the packets so they don't accrue WAN bandwidth and will research stopping PulseAudio's RTP Multicast (probably PA Net Sinks).

Thank you everyone for your help.

If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.

Cheers,

Kirk
blu3bird
Retired Dev
Joined: 04 Oct 2003
Posts: 610
Location: Munich, Germany

PostPosted: Fri Mar 14, 2014 8:54 am    Post subject: Re: Culprit is PulseAudio

splurben wrote:
If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.

Done
splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Sat May 03, 2014 11:56 pm    Post subject: Still not resolved

For whatever reason, although I've configured my firewall to throw out this traffic, so it's no longer an issue for our Internet connection, I still haven't found a way to tell pulseaudio to disable its network sinks.

Has anyone done this successfully once they're already running?
khayyam
Advocate
Joined: 07 Jun 2012
Posts: 2245

PostPosted: Sun May 04, 2014 3:03 am    Post subject: Re: Still not resolved

splurben wrote:
I still haven't found a way to tell pulseaudio to disable its network sinks.

splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.

HTH & best ... khay
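The check and the fix for the above as a script, added here and not from the thread or from the PulseAudio project: ask the running daemon which RTP modules are actually loaded, unload module-rtp-send on the spot, and comment out any load-module line for it in default.pa. It assumes PulseAudio 5.x with pactl installed and a per-user daemon. One caveat worth knowing: when the sender was switched on in paprefs, it is typically loaded at runtime by module-gconf from the GConf settings rather than from a literal line in default.pa, which is why grepping the config can turn up nothing while `pactl list modules short` still shows it; the GConf key path used below is the one paprefs writes and is an assumption to verify with `gconftool-2 -R /system/pulseaudio`.

```sh
#!/bin/sh
# Added example (not from the thread): find, unload and disable
# PulseAudio's module-rtp-send. Assumes PulseAudio 5.x with pactl.

# Which RTP modules are loaded right now (index, name, arguments).
loaded_rtp_modules() {
    pactl list modules short | grep -E 'module-rtp-(send|recv)'
}

# Stop the stream immediately. Lasts until the daemon restarts (or until
# module-gconf reloads it, if paprefs still has it enabled).
unload_rtp_send() {
    pactl unload-module module-rtp-send
}

# Comment out any uncommented load-module line for the RTP modules in a
# default.pa read on stdin; write the result to stdout.
comment_out_rtp_modules() {
    sed -E 's/^([[:space:]]*)(load-module[[:space:]]+module-rtp-(send|recv)([[:space:]].*)?)$/\1#\2/'
}

# Does FILE load module-rtp-send on an uncommented line?
config_loads_rtp_send() {           # file
    grep -Eq '^[[:space:]]*load-module[[:space:]]+module-rtp-send' "$1"
}

# Persistent fix when paprefs manages it. Key path is an assumption
# (what paprefs writes); check with: gconftool-2 -R /system/pulseaudio
disable_rtp_send_in_gconf() {
    gconftool-2 --type bool --set /system/pulseaudio/modules/rtp-send/enabled false
}

show_status() {
    echo "== loaded RTP modules =="
    loaded_rtp_modules || echo "(none)"
    for f in /etc/pulse/default.pa "$HOME/.config/pulse/default.pa"; do
        [ -f "$f" ] || continue
        if config_loads_rtp_send "$f"; then
            echo "$f loads module-rtp-send; fixed copy written to $f.nortp (review, then move into place)"
            comment_out_rtp_modules < "$f" > "$f.nortp"
        fi
    done
    if command -v gconftool-2 >/dev/null 2>&1; then
        echo "== paprefs (GConf) module settings =="
        gconftool-2 -R /system/pulseaudio/modules 2>/dev/null || echo "(none)"
    fi
}

# Usage:  sh pa-rtp.sh status | unload | disable
case ${1:-} in
    status)  show_status ;;
    unload)  unload_rtp_send ;;
    disable) disable_rtp_send_in_gconf && unload_rtp_send ;;
esac
```

Run `status` first: if the module is loaded but no default.pa mentions it, the GConf setting (paprefs) is the place to fix, and editing default.pa will not help.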
splurben
Apprentice
Joined: 03 Feb 2004
Posts: 177
Location: Augusta, Southwest Western Australia

PostPosted: Sun May 04, 2014 7:05 am    Post subject: Re: Still not resolved

khayyam wrote:
splurben wrote:
I still haven't found a way to tell pulseaudio to disable its network sinks.

splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.


I’ve been through there, and a couple of other sites also suggest default.pa, I’ll have another look. I have a number of machines running like this. I remember getting into the GUI at some point just on this machine and being able to enable/disable this feature in there. It’s still in the GUI but it’s greyed out and enabled, I’ve tried accessing as my user, sudo, and root, and the dialogue is still greyed out in paprefs. It’s only a problem on this machine for some reason. I’ve checked permissions and can't find a reason for sections of the GUI being greyed out.

That’ll teach me to play with my settings! — It’s not a huge problem, it’s just annoying seeing activity on the network interface all the time.

Thank you for the suggestion.

Cheers