- What is Ethernet doing when we are sleeping?
- Posted by Michel Hostettler on September 27th, 2003
Bonjour,
When all stations have no open applications, and just the modem switched on,
what is the traffic on the LAN? Are there some frames, some signals
transmitted?
Thanks for your advice.
Regards,
JP
- Posted by Jean-David Beyer on September 27th, 2003
Michel Hostettler wrote:
It depends on what you mean by open applications. There are daemon
programs running such as smtp server, name server, printer spooler, ... .
On my machine, every hour the other machine on the network synchs the
clock with this one.
On the Internet, there is a never-ending stream of probes by crackers,
network performance jockeys, etc., resulting in huge amounts of pings,
attempts at my web server, my ftp server, my printer server, my samba
server, all kinds of Microsoft ports, ... .
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 9:55am up 2:18, 3 users, load average: 2.13, 2.41, 3.05
- Posted by Davide Bianchi on September 27th, 2003
Michel Hostettler <jpballan@voila.fr> wrote:
They are talking to each other, planning to take over the world and
dispose of all the half-witted carbon-based lifeforms that ask
idiotic questions on usenet.
Davide
....sorry, I couldn't resist...
- Posted by jmw on September 27th, 2003
Michel Hostettler wrote:
on the off chance that this is a serious question...
if your system really does not have any other program running, even in the
background, a NIC (network interface card) transmits a 'link active' signal,
as usually indicated by a little green LED on the edge of the card. it's
been quite a while since i've looked at the standard, but at one time that
signal was used to indicate signalling capability through an auto negotiation
process. these days, 'no other background program running' is rare, so it's
likely you will notice more than simple valid link indication.
- Posted by Michael Heiming on September 27th, 2003
Michel Hostettler <jpballan@voila.fr> wrote:
Depends on the systems and what you are running, 'man tcpdump' and have
a look. M$ boxes tend to be quite chatty...
--
Michael Heiming
Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
- Posted by Mina Naguib on September 27th, 2003
Michel Hostettler wrote:
Hi Michel
In this day and age it's rare that absolutely no applications utilizing the network are running.
This holds especially true for boxes running MS Windows.
If your network is HUB-based, or you're willing to ARP-poison your own switches, you can use a
linux/*BSD box plus Dug Song's excellent dsniff package to convince all nodes on the network that
you're their gateway. This will then allow you to run any normal IP sniffer such as tcpdump or
ethereal to actually inspect the data going through your network.
Another less-accurate way is to add some ACLs to your router that quantify the type of data they
match, and look at their counters for a rough estimate of what's happening.
If your network's mostly *nix-based, you won't be seeing too much except for the occasional ARP
requests. On the other hand do expect a LOT of traffic (NetBios resources discovery, PDC elections,
viruses) for windows boxes.
The above only holds true of course if your claim that absolutely no networking applications are
running is true. Even something as common as NFS or a p2p client will generate a lot of traffic.
- Posted by Dances With Crows on September 27th, 2003
On Sat, 27 Sep 2003 11:30:27 -0400, Mina Naguib staggered into the Black
Sun and said:
True, but a machine that's just running sshd+apache and not currently
being accessed shouldn't show any network activity. I *think* the
question that Michel is asking could be phrased as, "I have a
(cable)modem and several machines hooked to a switch/hub. I see the
blinking lights on the modem and/or hub flash a lot, even when the
machines aren't doing anything. Why?" Michel, write in French if
you prefer; I can read it.
I've seen similar things happening on my own little home LAN. The
switch doesn't report *any* traffic when I'm not using the Net at large
and no one's sshed into my machines or hit my very small, low traffic
personal website. My cablemodem's activity light blinks constantly.
Experiments with ethereal show that most of the traffic received on eth0
of the firewall/gateway is ARP requests from other cablemodems. (And, of
course, some idiot with a 'DozeXP machine trying to relay spam through
my mailserver every 5-6 seconds, but I can deal with that....)
This may cause unintended consequences. Don't try this on anything
other than your own LAN. (Dug was in my Calc 116 class a long time ago.
Why didn't I listen to him when he tried to get me interested in
computer security in 1994? Argh.)
Yes, but something like ethereal will let you make sense of the major
threads of the traffic. NFS/eMule/Napster/SMB traffic is pretty easy to
pick out when you look at it in ethereal. It's the stuff you can't
explain that's annoying.
--
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
Brainbench MVP for Linux Admin / mail: TRAP + SPAN don't belong
http://www.brainbench.com / "He is a rhythmic movement of the
-----------------------------/ penguins, is Tux." --MegaHAL
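
The replies above suggest watching the wire with tcpdump or ethereal and expect mostly ARP requests, plus NetBIOS broadcasts where Windows machines are present. As an added example (not code from any poster in this thread), the sketch below tallies raw Ethernet II frames into those categories. The function names, labels and sample frames are all constructed for illustration, and the addresses come from the 192.0.2.0/24 documentation range.

```python
import struct
from collections import Counter

BCAST = b"\xff" * 6

def classify(frame: bytes) -> str:
    """Label one raw Ethernet II frame by the kind of idle-LAN chatter it carries."""
    if len(frame) < 14:
        return "truncated"
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x0806:                       # ARP
        if len(body) < 28:
            return "truncated"
        oper = struct.unpack("!H", body[6:8])[0]
        if oper == 1:                             # request; sender IP == target IP is gratuitous
            return "arp-gratuitous" if body[14:18] == body[24:28] else "arp-request"
        return "arp-reply" if oper == 2 else "arp-other"
    if ethertype == 0x0800:                       # IPv4
        ihl = (body[0] & 0x0F) * 4 if body else 0
        if ihl < 20 or len(body) < ihl + 4:
            return "truncated"
        if body[9] == 17:                         # UDP: look at the destination port
            dport = struct.unpack("!H", body[ihl + 2:ihl + 4])[0]
            return "netbios" if dport in (137, 138) else "udp-other"
        return "ipv4-other"
    return "other"

def summarize(frames):
    """Count frames per label, as you would over a capture from a quiet segment."""
    return Counter(classify(f) for f in frames)

def arp_frame(oper, sender_ip, target_ip, src=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed broadcast ARP frame for the sample below."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src + sender_ip + bytes(6) + target_ip
    return BCAST + src + b"\x08\x06" + arp

def udp_frame(dport, src=b"\x02\x00\x00\x00\x00\x02"):
    """Constructed broadcast IPv4/UDP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255]))
    return BCAST + src + b"\x08\x00" + ip + struct.pack("!HHHH", dport, dport, 8, 0)

ip4 = lambda last: bytes([192, 0, 2, last])       # documentation-range addresses
SAMPLE = [                                        # constructed, not a real capture
    arp_frame(1, ip4(1), ip4(20)), arp_frame(1, ip4(1), ip4(21)),
    arp_frame(1, ip4(30), ip4(30)), arp_frame(2, ip4(20), ip4(1)),
    udp_frame(137), udp_frame(138), udp_frame(123), b"\xff\xff\xff",
]
```

Calling `summarize(SAMPLE)` gives the per-category counts; anything landing in `other` or `udp-other` on a real segment is the traffic worth a closer look in a full protocol analyzer.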