Mystery Router Activity

hughvane (OP)
Joined
May 18, 2008
Messages
3,614
Reaction score
99
Points
48
Location
Amberley, Canterbury, New Zealand
Your Mac's Specs
MacMini 14.3, 8.1 & 4.1, OS 13.5, 10.14, & 10.11 & 10.6; Macbook Pro 8.2, OS 10.12.
Situation
Rural location, wired broadband using NetComm (w/less) router
Mac Mini with El Capitan

Early hours of the morning, but internet slow as a wet week. Quit browser. NetComm router (wired) kept going at full tilt, but nothing using it. Checked for an auto update from App Store - nothing - in fact App Store could not load. No other apps operating.

Changed router to wired-only D-Link - same thing (therefore cannot have been someone poaching my wireless connection). What might ElCap have been doing that would use data with no applications involved?

Rebooted to SLpd with D-Link, problem ceased, b/band speeds back to maximum possible. Checked my b/band usage for the hour the problem was occurring, and it had spiked to nearly 250 Mb, but I was only reading online newspapers, no video involved.

Switched network to Airport Express and the D-Link, and rebooted to ElCap, no unusual activity UNTIL Chrome was activated to check connection via Speedtest. Connection speed had dropped dramatically, with Ping at 540 ms, Download at 2.3 and Upload at 0.21. Note: this is only when wireless is being used, wired seems okay. [Even as I typed this update, Chrome was using data, when the connection should have been idle. No other device, eg. mobile phone, was using the connection.]

Update #2 - the issue is almost certainly with El Capitan. The excessive broadband activity continued even when no applications were operating, and it occurred when wireless connection had been discontinued and changed back to wired-only. Rebooting to SLpd stopped the excessive network activity. A check with my ISP of broadband usage during the problem period once again showed a spike when ElCap was the relevant OS. Wireless diagnostics have shown a DNS failure, which doesn't make sense to me, as there is obvious connection to a domain somewhere, as evidenced by the router activity.

Is there an application for MacOS (El Capitan) that will detect a device that is 'poaching' or connecting to my broadband network?
 
Ember1205
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
Depends on how comfortable you are "under the hood"...

A simple "netstat -n" from a prompt will show you all of the active connections between your computer and another. Look for ones that are not part of your LAN address space and try to decipher the kinds of communications based on the ports being used. If you issue netstat without the command line switch, it will try and resolve the IPs to host names. This can sometimes add a LOT of time to the output which is why I always skip it.

You could also install something like Wireshark and actively trace the communications in a graphical tool, or just use tcpdump from the command line to capture packets.
 
OP
hughvane
Depends on how comfortable you are "under the hood"... A simple "netstat -n" from a prompt will show you all of the active connections between your computer and another.

Thank you, did that, and was presented with a veritable array of information, included in which was my IP address, plus some others I have no way of recognising.

Look for ones that are not part of your LAN address space and try to decipher the kinds of communications based on the ports being used.

I didn't recognise a way to decipher the port(s) being used.

You could also install something like Wireshark

There are problems loading that for MacOS, even via Macupdate, but will check again regularly. No joy with tcpdump (whatever that is) either.

Thanks again .... Hugh
 
Ember1205
Here are a couple of things you could do if you'd like. In a terminal window, enter
Code:
sudo netstat -n > net.out
more net.out

Copy everything below
Code:
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)

and above
Code:
Active Multipath Internet connections
Proto/ID  Flags      Local Address          Foreign Address        (state)

and paste it here. This will show us a list of all open network "sockets" (connections) and listeners on your machine.

You can also grab a quick packet capture when you're seeing the traffic like this:
Code:
sudo tcpdump -i any -S -w net.cap

You can end the capture after about 20 seconds by pressing CTRL-C. Then, you read the capture file back into tcpdump and put its output into a text format like this:

Code:
sudo tcpdump -r net.cap > cap.txt

Paste the contents of the cap.txt file here for us to view. Remove the temp files with
Code:
sudo rm net.cap
sudo rm cap.txt
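Ember1205's netstat step leaves the reader to spot the off-LAN peers and work out what each remote port is for, which is the part Hugh said he could not decipher. The script below is an added example, not code from the thread: it parses macOS `netstat -n` output, drops LAN and local peers, labels well-known remote ports and counts sockets per remote host; the sample output, the LAN ranges and the port table are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# RFC1918, loopback and link-local ranges; any other peer counts as "off-LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]
# Well-known ports used to label a peer; anything else is "unknown" and worth a look.
KNOWN_PORTS = {80: "http", 443: "https", 53: "dns", 22: "ssh", 123: "ntp", 5223: "apple-push"}

def is_lan_or_local(host):
    """True for a LAN/local peer or no peer at all ('*'): not worth flagging."""
    try:
        addr = ipaddress.ip_address(host.split("%")[0])  # '*' fails here -> treated as local
    except ValueError:
        return True
    return any(addr in net for net in LAN_NETS)

def parse_netstat(text):
    """Return the off-LAN sockets from macOS `netstat -n` output, in listed order."""
    external = []
    for line in text.splitlines():
        if line.startswith("Active Multipath"):
            break  # the multipath table that follows has a different column layout
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # headers, blank lines, unix-domain sockets
        rhost, _, rport = f[4].rpartition(".")  # macOS writes the peer as host.port
        if is_lan_or_local(rhost):
            continue
        port = int(rport) if rport.isdigit() else None
        external.append({"proto": f[0], "local": f[3], "remote": rhost, "port": port,
                         "service": KNOWN_PORTS.get(port, "unknown"),
                         "state": f[5] if len(f) > 5 else ""})  # UDP rows carry no state
    return external

def remote_host_counts(external):
    """Sockets per off-LAN host; a busy host on unknown ports is the one to chase."""
    return Counter(c["remote"] for c in external)

# Constructed sample in `netstat -n` layout; peers use RFC 5737 documentation addresses.
SAMPLE = """Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.52412     203.0.113.10.443       ESTABLISHED
tcp4       0      0  192.168.1.20.52398     198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.20.52380     198.51.100.7.443       CLOSE_WAIT
udp4       0      0  192.168.1.20.60001     198.51.100.9.8443
tcp4       0      0  192.168.1.20.49152     192.168.1.1.53         ESTABLISHED
tcp6       0      0  fe80::1%lo0.1024       fe80::1%lo0.53         ESTABLISHED
Active Multipath Internet connections
"""
```

Feed it the `net.out` file from the step above instead of SAMPLE; a remote host holding several sockets on a port the table cannot name is the first thing to look up.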
 
OP
hughvane
To Ember1205 - thank you for the help you're offering, and I would like to do the Terminal tests - but not right now. I'm about to head away until the end of the month, and my Mini - which is the problem source - will be staying put, as will the two routers and Airport I'm using. I shall run a hardware test with First Aid on the Mini to see if it shows anything amiss.

In the meantime however, I can inform any interested readers that I have tried a number of permutations with my computers and devices, using El Capitan OS, the results thus:
1. Mini + NetComm + wireless = problem
2. Mini + NetComm + wired = problem
3. Mini + D-Link + Airport + wireless = problem
4. Mini + D-Link + wired = problem

5. Macbook Pro + NetComm + wireless = no problem.

My ISP informs me the problem is with my Mini, El Capitan and how the OS is using my network, and from the results as listed above, I think they're right. It doesn't explain HOW, nor does it explain why the Macbook Pro with the same OS and using the same devices does not exhibit a problem.

I have investigated various secure web sites I use, and there appears to be no sign of compromise or tampering.
 
Ember1205
The steps I outlined above should take you about five minutes to run through if you want to give them a run before you leave. Otherwise, any time you update the thread, I'll be notified that there's more info to look at. Totally up to you.
 
Ember1205
Not sure why the tcpdump bombed out, but it didn't capture many packets. I'll look through the hosts and see if I can find any that could be problematic. I see hosts for Google and Twitter so far if that helps you to understand anything that might be going on.
 
OP
hughvane
I'll look through the hosts and see if I can find any that could be problematic. I see hosts for Google and Twitter.

Twitter shouldn't be there, I've never been a user thereof.

Of possible interest is that the frenetic, congested activity ceased late morning (NZ time), after having been going on - if & when enabled - for the previous 7 hours. The only changes made were randomly to an ethernet port (from 4 to 3) on the NetComm, an update of Flash Plugins, and of course the Terminal activity. I shall check internet activity again on a regular basis until I shut the Mini down for a fortnight on Thurs morning.
 
Ember1205
I looked through the information you posted and I see connections to Google (expected, since you're running Chrome), Twitter, LinkedIn, what appears to be your ISP, Apple, and a couple of cloud services that help to deliver content for you more quickly.

The packet trace detail wasn't present, but it did show that it only captured about 25 packets or so in 30 seconds (or whatever time you let it run for). This seems pretty light, and might be correct if that traffic load you mentioned stopped prior to when you tried to run it.
 
OP
hughvane
Latest update - the problem of excessive b/band data 'poaching' appears to have been resolved by a) updating Flash, and b) changing a social media website password. There is one more streaming real-time website password to change, and then time will tell if any or all of those three were the definitive cause of the problem. Thanks again for the help.
 
