I sometimes watch The Daily Show on Hulu, and have wondered about my bandwidth usage. Also, I have been messing around with uTorrent on my WinXP desktop, and learning more about ports and firewalls. AND, as indicated above, I checked out electricsheep, which uses BitTorrent to get the new sheep.
With my first running of electrisheep, it sat there just saying "Downloading first sheep", but nothing happened, for hours. So I wanted to figure out if anything actually WAS downloading.
So I started trying to find a way to get some real-time network monitoring.
System Monitor does have Network History, which is alright. Not much detail, and no options.
I looked around, and found a couple interesting options.
For real-time monitoring, Speedometer is a pretty good little program.
I used Synaptic and installed 2.4-1.
After RTFM, here's the command I use:
speedometer -i .25 -rx eth1 -tx eth1
Useful for watching. I can see Hulu buffering my videos, etc. But, the main drawbacks are:
- Not giving any information about what program(s) are using bandwidth
- Non-intuitive non-linear "y-axis" scale, which can't be modified
- Faster "interval" catches more accurate information, but with less "depth of history", i.e. no way to change the scale of the "x-axis"
So, now to figure out what connections are actually being made, tcptrack works alright. Installed 1.2.0-1, again with Synaptic
Again, RTFM to figure out the options
sudo tcptrack -f -r 600 -i eth1
- The destination IP is revealed, so you can try to figure out what kind of network traffic it actually is
- With the -r switch, you can set how long to wait before removing a closed connection; essentially sets the history length
- Some interactive options; Sort, and Pause
- No way to interactively clear the display
And then, of course, I found the tool actually included with Ubuntu by default, tcpdump.
- Can give TONS of information, including IPs, and lots more
- Captures everything
I run the program with:
sudo tcpdump -n -vv -i eth1
And this was how I finally got what I wanted. I re-started electricsheep, and watched packets get sent out, caught the destination IP address, and figured out that electricsheep was indeed contacting its server, as well as checking with random other connections (assumed in a swarm of some sort). So I let it run all night and the next day, and finally I did end up with my initial sheep, and then on to neat flame fractals.
I figured out which server was being contacted with the useful
The last interesting thing was that on System Monitor, I have seen some occasional small blips, but never known what they are. Well, tcpdump solved that easily. Speedometer had seen this activity, but couldn't tell me anything about it. And tcptrack didn't record any open connection.
I didn't have to wait very long to catch the IP 22.214.171.124.123 which a quick Google search revealed to be the Canonical NTP time server, "Keep Synchronized with internet servers". These guys point that out (in addition to wasting space flaming each other, idiots).
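An added example, not part of the original post: a small script that reads `tcpdump -n` lines and tallies outbound destinations by port, so the NTP check and the BitTorrent swarm connections described above stand out from the blips. The capture lines are constructed, not a real capture, and the local address prefix 192.168.1. is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n` output. tcpdump prints the
# port as a fifth dotted field, so "203.0.113.99.123" is host 203.0.113.99, port 123.
SAMPLE = """\
21:10:03.101 IP 192.168.1.5.51413 > 203.0.113.10.6881: Flags [S], seq 1, win 65535, length 0
21:10:03.233 IP 192.168.1.5.51413 > 203.0.113.10.6881: Flags [.], ack 1, win 65535, length 0
21:10:04.002 IP 192.168.1.5.40123 > 198.51.100.7.80: Flags [P.], seq 1:201, ack 1, length 200
21:10:05.777 IP 192.168.1.5.123 > 203.0.113.99.123: NTPv4, Client, length 48
21:10:05.812 IP 203.0.113.99.123 > 192.168.1.5.123: NTPv4, Server, length 48
21:10:06.500 IP 192.168.1.5.51413 > 203.0.113.11.6889: Flags [S], seq 1, win 65535, length 0
"""

# "src.port > dst.port:" appears in both the plain and the -vv line formats.
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)
KNOWN = {80: "http", 123: "ntp", 443: "https"}

def label_port(port):
    """Name the well-known service behind a destination port, else 'other'."""
    if 6881 <= port <= 6889:   # classic BitTorrent peer port range
        return "bittorrent"
    return KNOWN.get(port, "other")

def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None if the line has no flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def summarize(capture_text, local_prefix):
    """Count outbound packets per (dst_ip, dst_port, label) for hosts in local_prefix."""
    counts = Counter()
    for line in capture_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src_ip, _, dst_ip, dst_port = flow
        if not src_ip.startswith(local_prefix):
            continue            # inbound or unrelated traffic
        counts[(dst_ip, dst_port, label_port(dst_port))] += 1
    return counts

if __name__ == "__main__":
    for (ip, port, label), n in summarize(SAMPLE, "192.168.1.").most_common():
        print(f"{n:4d}  {ip}:{port}  ({label})")
```

Pipe a live capture in with `sudo tcpdump -n -i eth1 -l | python3 script.py` after swapping SAMPLE for sys.stdin.read().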
So now I can sit around semi-obsessively watching my network traffic live, and catching every bit </pun> of it.