splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Thu Mar 13, 2014 6:13 am Post subject: steady 175K/s outbound stream to 224.0.0.56
I'm running Gentoo x86_64:
Code: 3.13.6-gentoo #2 SMP Mon Mar 10 13:42:12 WST 2014 x86_64 Intel(R) Core(TM) i7-3820 CPU @ 3.60GHz GenuineIntel GNU/Linux
Profile:
I apologise if this thread should have been under Multimedia, but as far as I'm concerned it's a network problem.
I've noticed that I have a constant stream of data (175K/sec) going out from this machine to 224.0.0.56.
I'm in Australia and all broadband is metered so 175K/s 24 hours a day is adding up.
How do I determine what is causing this?
There is some conjecture that it may be PulseAudio; if it is PA, I have searched high and low and I can't find a way to disable this steady outbound stream by reviewing the USE flags.
Emerge Info: http://pastebin.com/1kAnXbCE
PulseAudio Package USE Flags:
Code: [ebuild R ] media-sound/pulseaudio-5.0 USE="X alsa asyncns avahi bluetooth caps dbus gdbm glib gnome gtk ipv6 libsamplerate orc qt4 ssl tcpd udev webrtc-aec -doc -equalizer -jack -lirc (-neon) (-oss) -realtime (-system-wide) -systemd {-test} -xen" ABI_X86="(64) -32 (-x32)" 0 kB
I have just installed NTOP and am allowing it to aggregate data, but I'm not sure that's the right tool for this.
Any help is greatly appreciated,
Kirk
_________________
--=>Like... Goodness had nothing to do with it.<=--
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Thu Mar 13, 2014 7:33 am
https://wiki.gentoo.org/wiki/Ufw
add this
and then emerge ufwfrontends
then ufw-gtk and block the traffic from going out until you can figure out what is causing the traffic. I'll buy you some time
splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Thu Mar 13, 2014 7:36 am
666threesixes666 wrote:
    https://wiki.gentoo.org/wiki/Ufw
    add this
    and then emerge ufwfrontends
    then ufw-gtk and block the traffic from going out until you can figure out what is causing the traffic. I'll buy you some time :twisted:
Thank you, I'll report back when I have a result.
K
_________________
--=>Like... Goodness had nothing to do with it.<=--
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Mar 13, 2014 8:56 am
splurben ...
I can't think why 666threesixes666 is suggesting iptables (ufw) for network analysis, it's the wrong tool for the job ... there are various tools out there for such a task, net-analyzer/tcpdump or net-analyzer/wireshark to name two.
Anyhow, 224.0.0.56 is a multicast address, so my guess would be Multicast RTP (given you seem to think it's pulseaudio). Not ever having used PA I can only guess what might be the issue, but I would grep its config file(s) for "rtp" and disable it.
best ... khay
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Thu Mar 13, 2014 9:00 am
I'm suggesting immediately stopping the traffic, so he can gather himself and take time to understand what the root issue is, kazam...
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Mar 13, 2014 9:58 am
666threesixes666 wrote:
    I'm suggesting immediately stopping the traffic, so he can gather himself and take time to understand what the root issue is, kazam...
You mean "immediately" after emerging pygtk and its dependencies?
Code: iptables -I OUTPUT -o eth0 -d 224.0.0.56 -j DROP
... and btw, the next time you refer to me as 'kazam' I will be hitting the report button.
khay
blu3bird Retired Dev
Joined: 04 Oct 2003 Posts: 614 Location: Munich, Germany
Posted: Thu Mar 13, 2014 10:29 am
Code: netstat -apn | grep 224.0.0.56
Unless it's some sort of rootkit, this will show you which pid/process is sending the data.
_________________
Black Holes are created when God divides by zero!
Last edited by blu3bird on Fri Mar 14, 2014 8:52 am; edited 1 time in total
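The netstat approach above, as an added example that is not part of the thread: a Python script that reads /proc/net/udp directly (the table netstat -apn consults), decodes its little-endian hex addresses, picks out the sockets whose remote address is 224.0.0.56 and resolves their inodes to PIDs through /proc/<pid>/fd. It has the same caveat as netstat, and it is worth knowing before trusting an empty result: only a UDP socket that has been connect()ed shows a remote address; a sender that uses sendto() on an unconnected socket shows 0.0.0.0:0 and has to be found with tcpdump or by suspending suspects instead. Resolving inodes of other users' processes needs root. The sample /proc/net/udp rows are constructed, not captured from the poster's machine, and port 46000 in them is an arbitrary choice.

```python
"""Find which process owns a UDP socket connected to a given address,
the way `netstat -apn | grep <addr>` does, by reading /proc directly.

Added example; not code from the thread. Reads /proc/net/udp, decodes
its little-endian hex addresses, then resolves socket inodes to PIDs
through /proc/<pid>/fd (which needs root for other users' processes).
"""
import os
import socket
import struct
import sys


def hex_to_ipv4(hexaddr):
    """'380000E0' as found in /proc/net/udp -> '224.0.0.56'."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def parse_proc_net_udp(text):
    """Yield ((local_ip, port), (remote_ip, port), inode) per socket row."""
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = fields[1].split(":")
        rip, rport = fields[2].split(":")
        yield ((hex_to_ipv4(lip), int(lport, 16)),
               (hex_to_ipv4(rip), int(rport, 16)),
               int(fields[9]))


def sockets_to(text, dest_ip):
    """Rows whose remote address is dest_ip. Only connect()ed UDP sockets
    carry a remote address; unconnected sendto() senders show 0.0.0.0:0."""
    return [row for row in parse_proc_net_udp(text) if row[1][0] == dest_ip]


def inode_to_pids(inodes, proc_root="/proc"):
    """Map socket inode -> sorted PIDs holding it, by reading fd symlinks."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                      # EACCES (not ours) or ESRCH (gone)
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners.setdefault(wanted[target], set()).add(int(entry))
    return {inode: sorted(pids) for inode, pids in owners.items()}


def find_senders(dest_ip, proc_root="/proc"):
    """(local, remote, inode, [pids]) for every UDP socket connected to dest_ip."""
    with open(os.path.join(proc_root, "net", "udp")) as f:
        rows = sockets_to(f.read(), dest_ip)
    owners = inode_to_pids([inode for _, _, inode in rows], proc_root)
    return [(local, remote, inode, owners.get(inode, []))
            for local, remote, inode in rows]


# Constructed sample of /proc/net/udp, not captured from the poster's host.
# Row 77 is a socket on 10.0.2.15 connected to 224.0.0.56:46000 (port chosen
# arbitrarily); row 42 is an unconnected listener and must not match.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 13422 2 0000000000000000 0
  77: 0F02000A:B3B0 380000E0:B3B0 01 00000000:00000000 00:00000000 00000000  1000        0 98765 2 0000000000000000 0
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "224.0.0.56"
    for local, remote, inode, pids in find_senders(target):
        print("%s:%d -> %s:%d inode=%d pids=%s" % (
            local + remote + (inode, pids or "unknown (run as root)")))
```

Run it with the multicast address as its only argument. Without root it still lists the matching sockets and their ports; the PID column then reads unknown for processes it was not allowed to inspect, which is the same point at which netstat prints "-" in its PID/Program column.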
splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Thu Mar 13, 2014 11:53 pm Post subject: blu3bird, I like this answer the best
blu3bird wrote:
    Code: netstat -apn | grep 244.0.0.56
    Unless it's some sort of rootkit, this will show you which pid/process is sending the data.
Thank you EVERYONE for all the suggestions. I have already made a comprehensive check for a rootkit but I'm still not ruling it out.
I was fortunate to be able to turn the system off for a few days over my weekend, but it normally needs to stay on 24/7.
I'm 90% certain it's PulseAudio. If it is PA I'll try to cut out RTP as suggested by khayyam or determine if the PA has some malware using it for clandestine purposes. I vaguely remember encountering 'net sinks' for PA, so with that and RTP to work from, we should be good soon.
I will post results.
_________________
--=>Like... Goodness had nothing to do with it.<=--
Hu Moderator
Joined: 06 Mar 2007 Posts: 21639
Posted: Fri Mar 14, 2014 1:32 am
If you have a suspicion about the culprit and can afford temporary degradation of service, you could SIGSTOP the suspected culprit. If you are right, outbound traffic will cease while the culprit is suspended by the SIGSTOP. If you are wrong, you lose only the time taken for the test. Use SIGCONT when you are ready to resume the process, either because you were wrong and want to restore service or because you were right and you want to gracefully exit it.
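Hu's SIGSTOP/SIGCONT test, scripted, as an added example that is not from the thread: measure traffic with the suspect running, stop it, measure again, resume it, measure once more. The three numbers make the verdict obvious and bound the service degradation to about one window plus a settle period. suspend_test() is generic over a measure(window) callable; tx_bytes_measure() reads the standard Linux sysfs transmit counter for a real interface (the interface name is yours to supply; eth0 in the usage comment is an assumption), while demo() exercises the same logic against a throwaway child process that sends UDP datagrams to 127.0.0.1, so the technique can be tried without touching anything else on the host.

```python
"""Hu's SIGSTOP test, scripted: measure traffic with the suspect running,
stop it, measure again, resume it, measure once more.

Added example; not code from the thread. suspend_test() is generic over
a measure(window) callable. tx_bytes_measure() reads the standard Linux
sysfs counter for a real interface (the interface name is whatever yours
is; an assumption here). demo() exercises the same logic against a
throwaway child process that sends UDP to 127.0.0.1, so nothing on the
host is touched.
"""
import os
import select
import signal
import socket
import subprocess
import sys
import time


def suspend_test(pid, measure, window=0.5, settle=0.2):
    """Return (before, during, after) traffic counts around SIGSTOP/SIGCONT."""
    before = measure(window)
    os.kill(pid, signal.SIGSTOP)
    measure(settle)               # discard what was already in flight when it stopped
    during = measure(window)
    os.kill(pid, signal.SIGCONT)  # resume; the outage lasted about window + settle
    after = measure(window)
    return before, during, after


def tx_bytes_measure(iface):
    """measure() over the kernel's per-interface transmit byte counter."""
    path = "/sys/class/net/%s/statistics/tx_bytes" % iface

    def read():
        with open(path) as f:
            return int(f.read())

    def measure(window):
        start = read()
        time.sleep(window)
        return read() - start
    return measure


def datagram_counter(sock):
    """measure() that counts datagrams arriving on a non-blocking UDP socket."""
    def measure(window):
        n = 0
        deadline = time.monotonic() + window
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return n
            ready, _, _ = select.select([sock], [], [], remaining)
            if ready:
                try:
                    while True:
                        sock.recv(65535)
                        n += 1
                except BlockingIOError:
                    pass
    return measure


# Stand-in for the suspect: a child that sends a datagram every 5 ms.
CHILD = r"""
import socket, sys, time
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("127.0.0.1", int(sys.argv[1])))
while True:
    s.send(b"x" * 64)
    time.sleep(0.005)
"""


def demo():
    """Run suspend_test against the stand-in child; returns (before, during, after)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.setblocking(False)
    port = sock.getsockname()[1]
    child = subprocess.Popen([sys.executable, "-c", CHILD, str(port)])
    try:
        select.select([sock], [], [], 10.0)   # wait for the child's first datagram
        return suspend_test(child.pid, datagram_counter(sock))
    finally:
        child.kill()                          # SIGKILL works on a stopped process too
        child.wait()
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:   # <pid> <iface>, e.g. the pulseaudio PID and eth0
        print(suspend_test(int(sys.argv[1]), tx_bytes_measure(sys.argv[2]), window=2.0))
    else:
        print(demo())
```

Against a real suspect, pass its PID and the uplink interface; a steady 175K/s stream shows up as a large `before` and `after` and a `during` near zero if the suspect is the source, or three similar numbers if it is not. The settle measurement is what keeps a packet already queued in the NIC from being counted against a process that is in fact stopped.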
splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Fri Mar 14, 2014 2:54 am Post subject: Culprit is PulseAudio
The netstat command with 224.0.0.56 shows three PulseAudio processes.
I've instructed pfSense to throw away the packets so they don't accrue WAN bandwidth and will research stopping PulseAudio's RTP Multicast (probably PA Net Sinks).
Thank you everyone for your help.
If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.
Cheers,
Kirk
_________________
--=>Like... Goodness had nothing to do with it.<=--
blu3bird Retired Dev
Joined: 04 Oct 2003 Posts: 614 Location: Munich, Germany
Posted: Fri Mar 14, 2014 8:54 am Post subject: Re: Culprit is PulseAudio
splurben wrote:
    If blu3bird would go back and edit / amend his replies of the command to use 224.0.0.56 instead of 244.0.0.56 it might help others more easily later.
Done
_________________
Black Holes are created when God divides by zero!
splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Sat May 03, 2014 11:56 pm Post subject: Still not resolved
For whatever reason, although I've configured my firewall to throw out this traffic, so it's no longer an issue for our Internet connection, I still haven't found a way to tell pulseaudio to disable its network sinks.
Has anyone done this successfully once they're already running?
_________________
--=>Like... Goodness had nothing to do with it.<=--
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun May 04, 2014 3:03 am Post subject: Re: Still not resolved
splurben wrote:
    I still haven't found a way to tell pulseaudio to disable its network sinks.
splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.
HTH & best ... khay
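The config-file route khayyam points at, as an added example that is not from the thread or from the PulseAudio project. Of the three files named, module loads live in default.pa (and system.pa for a system-wide daemon); daemon.conf and client.conf carry settings, not load-module lines. The script does the two things a practitioner wants, in order: unload module-rtp-send from the running daemon with pactl so the stream stops now, then comment out any active `load-module module-rtp-send` line in default.pa so it does not come back at the next start. It does not go through paprefs at all, so a greyed-out dialogue does not matter. The null sink named rtp is deliberately left alone: on its own it sends nothing. Assumptions: a per-user PulseAudio 5.x daemon with default.pa in the locations listed in CONFIG_CANDIDATES, and `pactl list short modules` printing tab-separated index, name and arguments; the default.pa fragment is constructed, modelled on the RTP section of the stock file with the sender lines uncommented.

```python
"""Turn off PulseAudio's RTP sender without paprefs: unload the module
from the running daemon, then comment it out of the startup script(s).

Added example; not code from the thread or from the PulseAudio project.
Assumptions: a per-user PulseAudio daemon whose startup script is
default.pa in the locations listed below; `pactl list short modules`
printing tab-separated "index<TAB>name<TAB>arguments" lines (PA 5.x).
"""
import os
import re
import subprocess
import sys

# An active (uncommented) load of the RTP sender, with any leading indent.
RTP_LOAD = re.compile(r"^(\s*)load-module\s+module-rtp-send\b")

CONFIG_CANDIDATES = [
    os.path.expanduser("~/.config/pulse/default.pa"),
    os.path.expanduser("~/.pulse/default.pa"),     # pre-XDG location
    "/etc/pulse/default.pa",
]


def disable_rtp_send(text):
    """Return (new_text, changed_line_numbers). Active `load-module
    module-rtp-send` lines get a leading '#'; everything else is untouched."""
    out, changed = [], []
    for number, line in enumerate(text.splitlines(keepends=True), 1):
        m = RTP_LOAD.match(line)
        if m:
            indent = m.group(1)
            out.append(indent + "#" + line[len(indent):])
            changed.append(number)
        else:
            out.append(line)
    return "".join(out), changed


def parse_module_list(text):
    """[(index, name, args)] for the rtp modules in `pactl list short modules` output."""
    mods = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[1].startswith("module-rtp-"):
            mods.append((int(parts[0]), parts[1], parts[2] if len(parts) > 2 else ""))
    return mods


def loaded_rtp_modules():
    try:
        res = subprocess.run(["pactl", "list", "short", "modules"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []                     # no pactl, or no daemon reachable
    return parse_module_list(res.stdout)


def unload_rtp_send():
    """Stop the stream now. Unloading by index avoids depending on whether
    this pactl accepts a module name. Lost on daemon restart, hence step 2."""
    unloaded = []
    for index, name, _ in loaded_rtp_modules():
        if name == "module-rtp-send":
            subprocess.run(["pactl", "unload-module", str(index)], check=True)
            unloaded.append(index)
    return unloaded


def fix_config_files(paths=CONFIG_CANDIDATES, dry_run=True):
    """{path: [changed line numbers]} per readable file; writes only if not dry_run."""
    report = {}
    for path in paths:
        try:
            with open(path) as f:
                text = f.read()
        except OSError:
            continue
        new_text, changed = disable_rtp_send(text)
        report[path] = changed
        if changed and not dry_run:
            with open(path, "w") as f:
                f.write(new_text)
    return report


# Constructed default.pa fragment modelled on the stock file's RTP section,
# with the sender lines uncommented as they would be on the poster's box.
SAMPLE_DEFAULT_PA = """\
### Load the RTP receiver module (also configured via paprefs, see above)
#load-module module-rtp-recv

### Load the RTP sender module (also configured via paprefs, see above)
load-module module-null-sink sink_name=rtp format=s16be channels=2 rate=44100 sink_properties="device.description='RTP Multicast Sink'"
load-module module-rtp-send source=rtp.monitor
"""

if __name__ == "__main__":
    print("unloaded module indices:", unload_rtp_send())
    write = "--write" in sys.argv
    for path, lines in fix_config_files(dry_run=not write).items():
        print("%s: %s lines %s" % (path, "commented out" if write else "would comment out", lines))
```

Run it once without arguments to see which file(s) would change and which module index was unloaded, then with `--write` to make the edit stick; editing /etc/pulse/default.pa needs root, the per-user files do not. If the same machine has paprefs managing the RTP sender through a gconf-backed module, that path can re-enable it independently of default.pa, which is a reason to check `pactl list short modules` again after the next login.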
splurben Apprentice
Joined: 03 Feb 2004 Posts: 197 Location: Augusta, Southwest Western Australia
Posted: Sun May 04, 2014 7:05 am Post subject: Re: Still not resolved
khayyam wrote:
    splurben wrote:
        I still haven't found a way to tell pulseaudio to disable its network sinks.
    splurben ... I don't use pulseaudio but there should be configuration files under /etc/pulse ... in one of these (default.pa, daemon.conf, client.conf) there should be some entry for module-rtp-send.
I’ve been through there, and a couple of other sites also suggest default.pa; I’ll have another look. I have a number of machines running like this. I remember getting into the GUI at some point just on this machine and being able to enable/disable this feature in there. It’s still in the GUI but it’s greyed out and enabled; I’ve tried accessing as my user, sudo, and root, and the dialogue is still greyed out in paprefs. It’s only a problem on this machine for some reason. I’ve checked permissions and can't find a reason for sections of the GUI being greyed out.
That’ll teach me to play with my settings! It’s not a huge problem, it’s just annoying seeing activity on the network interface all the time.
Thank you for the suggestion.
Cheers
_________________
--=>Like... Goodness had nothing to do with it.<=--