How do I tell where my internet traffic is going?

I take it you have only one computer, and that it's running windows (or macos). Please post back with the operating system, and what type of "router" or cable/dsl modem you are using. Be as specific as possible, please. It would also be nice if you have an old multiple port hub laying around. Remember, you did say free. I might be able to provide you steps in looking at your traffic.

If it were me, I'd just be using tcpdump on the incoming/outgoing packets, but I'm not sure that windows has such a thing handy. I'll be back much later. Who knows? Maybe someone will come up with some tools for winders.

@shrdlu: It's Windows based, Win 7 64 bit. I do have multiple devices hitting it, but I am assuming the desktop that is always on is the offender as it runs most of the services.

I have a Cisco EA4500 router and a Motorola Surfboard cable modem (6121), all owned by me, not Comcast. I do have a dumb 10/100 switch that I could throw into the loop if needed.

Couple things to note:

1. When you send a 20GB file, it doesn't just require 20GB of bandwidth since there is a bunch of overhead. Many of the ISP calculations for usage include the overhead. An example is when you send a packet, you also receive a packet acknowledging receipt. Your incoming packets also count toward usage.

2. Since this is going overseas, you might be losing several packets and your system is resending them without your knowledge. That's the difference between UDP and TCP. UDP doesn't resend any missing packets.

3. Did you leave your Wifi router to default settings where everyone in the neighborhood is sharing your internet connection?

4. Depending on your router, you can turn on logging and review those logs later.

5. If you get a program, that will only track usage on the computer you installed the application. If you have other network traffic in the house, those packets will not be part of the statistics.

@shrdlu: and frankly for you given our back and forth over the years would be happy to give you the cloud login to my router firmware if you thought that would help ... That's supposed to be the cool part of that router that I can access it remotely

Have you tried changing your wifi password? You could have a neighbor borrowing your connection for porn or bittorrent.

@cengland0: changed away from default settings using a WPA 2 Personal and MAC filter for all wifi

Others have already noted what could drive up your usage. There is a free packet sniffer called Wireshark that will let you monitor the activity on your network.

Those numbers sound cumulative. Could it be a billing error?

j5 j5
@j5: your comment is the only one I understand AT ALL. :D

Ditto!

First thing to check for is an unknown WiFi connection. Strangers may be piggybacking your network. The router should tell you attached devices and allow you to lock out specific MACs.

You could've picked up malware that's using your machine as a remote bot/server. Simple test, open Task Manager. Network tab. Right click and add columns for total bytes in and out. Start watching the Network tab for unusual activity. The control panel also has deep monitoring logs you can enable for the network.

Your firewall will also report net traffic, open ports and IP addresses. Check that for unexpected or unnamed services/apps.

Alternately, go to the Sysinternals/network_tools site (http://technet.microsoft.com/en-us/sysinternals/bb795532). Get TCPview. Drill down for connections.

The most complete solution would be a hub between modem and router. Connect a clean machine to the hub with Wireshark set to monitor all traffic. It'll tell all if you've patience to analyze the logs.

@djbowman: First off, thanks for the vote of confidence. I expected that you'd been smart enough to change passwords. You say your firmware has a cloud login? One expects that you've changed the password there, also. I'd recommend a nice round of change everything, once this is solved, but no sense bothering now (just in case you have something listening).

Others recommended Wireshark, which also exists on Windows, and is a nice graphical interface over precisely the same information that you'd get from tcpdump.

https://www.wireshark.org/

I'd first use it just to watch incoming traffic for a while, before bothering with the fancy stuff. When you say "dumb switch" I hope you mean hub and not switch. Switches by definition are port to port, where hubs have all traffic visible to anything connected to the hub. That aside, I'm going to have to sit back and think about detailed instructions.

For now, just check out the traffic with Wireshark.

Back in a while...

This sounds like the space aliens are using your internet connection to watch Hulu. Just kidding, I agree that this could be an accounting error, but good luck if it turns out to be anything else.

I have one little suggestion: check with Comcast to make sure they have the correct MAC address for the modem associated with your account.

@missellienc: that's actually where I got the data

@shrdlu: yeah, hub not switch. I do have a 3560 sitting on the shelf, but that's for the day I get around to cracking the CCNA book I bought... It's a 10/100 4 port dlink hub I bought from woot, actually.

Looking at their usage meter again tonight, I've jumped 36GB of consumption in 24 hours. Talked to them; they are no help, other than "uh, yeah, do you download a lot?"

I've got Wireshark running now, so an overnight run should provide some information...

One of the largest offenders in the Wireshark data (admittedly I am having a hard time reading it; it's starting to stretch my knowledge) is 38.108.170.0 "Application Data". IP Locate says it's in NY, but that's all I can find.
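
One way to turn an overnight Wireshark capture like the one described above into per-destination byte totals, as an added example that is not part of any post in this thread. It assumes the capture was exported with File > Export Packet Dissections > As CSV using the default columns; the sample rows and the names `top_talkers` and `is_local` are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Wireshark's CSV export (default columns).
# Addresses and sizes are made up; "Length" is the frame size in bytes.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","192.168.200.2","203.0.113.10","TLSv1","1514","Application Data"
"2","0.001","192.168.200.2","203.0.113.10","TLSv1","1514","Application Data"
"3","0.002","203.0.113.10","192.168.200.2","TCP","60","443 > 49200 [ACK]"
"4","0.500","192.168.200.2","192.168.200.255","NBNS","92","Name query NB OLDLAPTOP<00>"
"5","0.700","198.51.100.7","192.168.200.2","TCP","1200","80 > 49201 [ACK]"
"6","0.900","fe80::1","ff02::1","ICMPv6","86","Router Advertisement"
'''

# Ranges that stay on the home network and never reach the ISP's meter.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "255.255.255.255/32", "fe80::/10", "fc00::/7")]

def is_local(addr):
    """True for LAN, broadcast and multicast addresses (and non-IP values)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. a MAC address shown for ARP frames
        return True
    return ip.is_multicast or any(ip in net for net in LAN_NETS)

def top_talkers(csv_text):
    """Return ([(remote_ip, bytes_up, bytes_down)] by total, LAN-only bytes)."""
    usage, lan_only = defaultdict(lambda: [0, 0]), 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, size = row["Source"], row["Destination"], int(row["Length"])
        if is_local(src) and is_local(dst):
            lan_only += size          # NBNS broadcasts and similar chatter
        elif is_local(src):
            usage[dst][0] += size     # upload to a remote host
        elif is_local(dst):
            usage[src][1] += size     # download from a remote host
    ranked = sorted(((ip, up, down) for ip, (up, down) in usage.items()),
                    key=lambda r: r[1] + r[2], reverse=True)
    return ranked, lan_only

if __name__ == "__main__":
    ranked, lan_only = top_talkers(SAMPLE_CSV)
    for ip, up, down in ranked:
        print(f"{ip:<16} up={up:>8} B  down={down:>8} B")
    print(f"LAN-only traffic: {lan_only} B")
```

A capture taken on one PC only accounts for that PC's traffic, so the totals will not include other devices behind the router.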

Hmmm, my bandwidth speed seems to be hovering in the 50-60MB range right now... that's not bad since I am paying for 12... did a full reset on MAC filtering, passwords, etc. I'll let Wireshark run overnight and then see where it goes from there, I guess...

Thanks for the help everyone..

@djbowman: I use Comcast too but couldn't view my usage. Perhaps that's because I'm on business class and have no limit.

*Are you sure that meter is showing Megabytes and not Megabits?*

Funny story. I received a cease and desist letter from Comcast over 10 years ago because I was using too much bandwidth. They did not have an advertised limit but they did say that 10% of their users consume 90% of their bandwidth and I was in the top 1%. My activities were considered abuse so I had to stop or they would terminate my account.

Switched to BellSouth and used them for about 10 years. No problems until AT&T bought the company. I received another personalized letter explaining that they are now imposing limits and I am one of the few customers that frequently go over that limit and what the fees are if it happens again.

Had to go back to Comcast business class and now have no limits again but expensive at $120/month just for internet with no TV or phone.

Change your wireless setting ASAP.
When in your router, check your DNS to ensure it is pointing to Comcast.
Wireshark is a bit intimidating. I would also use Comodo; it is a free firewall that makes you decide on the traffic you want to allow out, program by program. After all, you more than want to know, you want to stop the traffic. http://www.majorgeeks.com/files/details/comodo_personal_firewall.html

Do you have anything else?
Smart phone
Smart TV
Video on demand

@djbowman: It's early for me. That IP suggests that it's related to the data you are sending to Africa. That IP isn't necessarily in NY (I see it in CA), but then, COGENT is teh suck when it comes to useful information on the other end of whois/rwhois. I need MOAR COFFEE.

Back in a while.

I'd think that you might want to start changing your passwords, now. No, I didn't say anything about a compromise, but it can't hurt. Why are you sending image files to AFRINIC? I'm just trying to understand this...

@cengland0: I am afraid that is likely going to be my only option. I can actually get a better price on the business line even, but they won't let you be a business internet customer and a residential TV customer at the same time. The business side, though, won't actually let me get a few channels of what I want.

Why/how stuff is getting to Africa:
I currently have a dedicated computer that runs a CETON Cable Card Quad TV Tuner. I run this in combination with Windows Media Center, and it allows me to run my own DVR, and I pay no one for boxes, rental fees, subscription, etc. Basically it's my own TiVo. As it's always on, oftentimes it also serves as my main server machine for other stuff in the house.

Anyway, the files record into a common Windows format and can be shared. My dad and I got into this over the years. Recently he relocated to South Africa; in South Africa, you can imagine, no American cable. Frankly, the internet on most days is sub-T1 speeds. So when I say "send them to Africa", let's be accurate: I have a very large Dropbox that I put the files in, and his computer in Africa is synced to that Dropbox. Once he empties the Dropbox from there, it's empty and I add more stuff, so I would assume that traffic is a part of the Dropbox traffic that I would see in Wireshark.

My assumed traffic is maybe 50GB a week from that project, so over a month we would be looking at 200GB for that. As we have been checking this every day now, I had a huge jump yesterday, but I did not add anything new to the Dropbox.

The strange IP, I can also verify, is not the computer in Africa. I know its IP, and Dropbox's stuff is conveniently labeled in Wireshark.

Other things that are running on this machine that require constant access, and that I suppose could contribute to this issue:
SkyDrive, Google Drive, Dropbox
I have a Western Digital NAS drive that has a remote access login. Haven't used it in ages, but I wonder if someone's accessing that and thus sucking through to my network...
And BackBlaze - this is the one that I have a potential idea that it could be; it runs a backup of everything constantly. Their help desk is working on parsing some logs to give me an idea on how much they have sucked through in the last month or two to see if it is that...

Yes, there are other devices: 3 laptops, 2 tablets, 1 iPad, 1 Kindle Fire, 2 iPhones (5 and 4s). I also have a remote camera system (Uniden Guardian) that is plugged into the router and has remote access, but only when logging in and waking up, I think. I don't think that is doing a constant stream (though I will check on that). There is also an Xbox and Blu-ray player, which have occasional access.

All the devices are rare usage, with the exception of the following that are essentially always on:
The NAS, Western Digital MyBook
iPhone 5, all day long every day; this is the wife
iPhone 4s, me at night all the time
The media server (the machine I am assuming is the offender)

@cengland0: The cease and desist letter is actually what I am afraid of. Though I am doing this all on my own just because I saw their graph, I would expect them to start freaking out now...

@djbowman: I'm pretty sure you can have business class and TV at the same time. They keep sending me solicitations for TV and phone service. When I go view my account, it looks like they let me add it.

And, here's my last bill detail so you can see I'm really on business class.

@cengland0: They have offered me the same thing, but there was a limitation on which channels, I think, or something I can't remember. It may be time to look into it again...

Another weird thing I am noticing in Wireshark is that 192.168.200.2 (if memory serves, this is a local IP vs external) is constantly pinging 192.168.200.255 (another internal), NBNS protocol, with "NameQuery BowmanAsusLaptop". That particular laptop is dead and hasn't been on the network since 2012, so I am not sure what is causing that to ping stuff.

@djbowman: My guess on that is it's completely unrelated. Maybe you have a network share or shared printer from that old laptop installed on 192.168.200.2 and the computer is repeatedly sending a NETBIOS broadcast (.255) to ask which computer owns that name.

@djbowman: I know I'm late to the party, but 38.108.170.0 is very close to the network range being used by Backblaze 2 years ago:

https://help.backblaze.com/entries/20202037-What-IP-addresses-does-BackBlaze-use-

Looks like you need to exclude some folders from BackBlaze.

I have a theory that no such agency is data mining your computer and creating the additional traffic for you. It is a joke, but with today's news it is possible, and if it is true you probably won't find out how it was done or how to stop it. Then again, if it is the Chinese, then who knows, it might be possible to stop or figure it out.