
What is normal for packet send/receive behavior?


Hi,
If someone can help me with this, I'd appreciate it.

My computer is receiving a lot of packets. I think it's more than usual. Also, I have 2 programs (Zone Alarm & NetworkActiv Sniffer) running to intercept the packets. Some packets bounce off ZA. Some of the packets are seen by the sniffer. The sniffer mainly detects 2 IPs. One I identified as one of my ISP's servers. The other seems to be a "relay point". (I'm not sure if that's the proper term.)

I tried turning off a lot of unnecessary net services (Windows Time for example), but it didn't help.

So, what would be a "normal" amount of packets to be receiving while idle? I'm getting an average of 5 per minute past my security. Another 15 per minute are bouncing off ZA. Any suggestions? Have I been hacked?

-dudeman

It's perfectly normal for your firewall to detect a lot of incoming packets. This usually doesn't pose any real danger and is commonly known as internet background noise. As long as you've got a firewall up to block it, you should be safe. It's also normal to receive packets from your ISP even though you're idle. The packets are usually to keep the connection alive.

A much better way to detect malicious activity is to look at what your computer is sending. Look for programs you don't know sending data, or programs sending data to IPs they shouldn't be sending to.

Okay, according to my firewall... A certain IP is attempting to access my computer. After it bounces off a couple times, it changes ports. Then the IP changes ever-so-slightly. (221.208.xxx.xx or 221.209.xxx.xx) The "x's" change 1-2 a minute, along with the ports. These appear to be from an ISP called: CNCGROUP Heilongjiang Province Network. Since I'm not in China... I can only assume this is some sort of attack. From what my ZA logs tell me, this has been going on for days.

The other IP is 24.64.xx.xxx. It also changes ports & IPs. However, it all seems to come from Shaw Communications Inc. This company is Canada-based. I'm not in Canada either.

Those are just 2 of the many that are bouncing off the firewall. Packets are getting through the firewall from several other IPs. One of which is from my own ISP. Another, like 76.9.xx.xx, is not from my ISP and appears to be from ISPrime, Inc. Another one is Google Inc. I don't have google-anything open at the moment. This comp doesn't host a website. Why would Google be sending/receiving packets from me?

In fact, Google seems to make a transfer with my computer each time I access a web page. I thought I uninstalled the google toolbar. Google = Skynet? : ) j/k Anyway, there is some more info on my problem.

If anyone has any ideas, please tell me.

Quote from: dudeman2 on August 12, 2007, 12:42:10 AM

Okay, according to my firewall... A certain IP is attempting to access my computer. After it bounces off a couple times, it changes ports. Then the IP changes ever-so-slightly. (221.208.xxx.xx or 221.209.xxx.xx) The "x's" change 1-2 a minute, along with the ports. These appear to be from an ISP called: CNCGROUP Heilongjiang Province Network. Since I'm not in China... I can only assume this is some sort of attack. From what my ZA logs tell me, this has been going on for days.

The other IP is 24.64.xx.xxx. It also changes ports & IPs. However, it all seems to come from Shaw Communications Inc. This company is Canada-based. I'm not in Canada either.
That sounds like port scans. I.e. someone is scanning IPs looking for a computer with an open port. This is most likely not an attack directed specifically at you but rather someone scanning an entire IP range. Since you've got a firewall up there isn't any real danger.
If you want them to stop you can block the IP ranges. You could also try looking up the contact email for the ISPs and notify them of these port scans. There's a small chance they'll kick the user off their net.

Quote from: dudeman2 on August 12, 2007, 12:42:10 AM
Another, like 76.9.xx.xx, is not from my ISP and appears to be from ISPrime, Inc. Another one is Google Inc. I don't have google-anything open at the moment. This comp doesn't host a website. Why would Google be sending/receiving packets from me?
You certain you don't have any Google related software installed? Also, many webpages use Google ads or Google Analytics, which may also account for frequent transfers from Google.

If you are in a public place or on a wireless connection I recommend getting ARPWatch, so that you are aware if someone poisons your ARP cache.

Other than that I think you might be a little paranoid, stop your illegal activities and life will be a lot easier.

Quote from: Deerpark on August 12, 2007, 05:40:48 AM
You certain you don't have any Google related software installed? Also, many webpages use Google ads or Google Analytics, which may also account for frequent transfers from Google.
Heh, looks like there is Google software installed. I'll be removing it shortly. I've got those IPs blocked (from China & Canada), and it's working well. However, my "network sniffer" program is detecting a communication I don't understand.

I think this is called an "internal" ip communication. I'm not sure. That's why I'm needing help. The sniffer is showing a packet sent from 10.xx.xxx.x to 255.255.255.255 . This packet was sent 771 times over the course of 8 hours. I couldn't find much information on this. The info I did find was overly technical.
http://www.tcpipguide.com/free/t_TCPIPBootstrapProtocolBOOTP.htm
I'm trying to keep my bandwidth as clear as possible. I need to know *if* and *how* this can be stopped.

Quote from: lil_falco on August 12, 2007, 02:57:10 PM
If you are in a public place or on a wireless connection I recommend getting ARPWatch, so that you are aware if someone poisons your ARP cache.

Other than that I think you might be a little paranoid, stop your illegal activities and life will be a lot easier.
I'm not in a public place or on wireless. I'm not a little paranoid. I'm very paranoid. However, it has nothing to do with illegal activities. I'm a gamer, and I want maximum speed out of my connection. If something is using 1/4 of 1% of my bandwidth (and it is not needed), I want it stopped. I also like to know that I can use eBay, PayPal, and do online banking without worry.

Life will be a lot better when I understand how to keep my bandwidth clear. (Except when I specifically want to use it.)

Quote from: dudeman2 on August 17, 2007, 09:09:25 PM
I think this is called an "internal" ip communication. I'm not sure. That's why I'm needing help. The sniffer is showing a packet sent from 10.xx.xxx.x to 255.255.255.255 . This packet was sent 771 times over the course of 8 hours. I couldn't find much information on this. The info I did find was overly technical.
http://www.tcpipguide.com/free/t_TCPIPBootstrapProtocolBOOTP.htm
I'm trying to keep my bandwidth as clear as possible. I need to know *if* and *how* this can be stopped.
When a packet is sent to 255.255.255.255 this means the sender is broadcasting something. This is most likely Windows advertising your computer on the network (allowing other computers to see it). This is totally normal and not something you need to worry about; the broadcast can't leave your LAN. And 771 packets over 8 hours isn't exactly something that is going to bog down your connection either.

Just a tip, but if you keep going around being paranoid about every single packet that your computer sends and receives then you may as well just disconnect your internet. Seriously, the maximum size for a packet is only ~1.5KB and it's nothing to be scared about; packets are just the name for every piece of information that is transmitted across the internet and between computers.

Therefore 771 packets over eight hours is like 150KB/h, if they were maximum size? That's nothing, and if it could be stopped it's not worth the effort. That's nothing, and your time service sends what, one packet a day, even less.

Why are you killing all your net based services as well? You are not going to see any noticeable difference in speed, but will only have more troubles further down the line.

You have a ZA firewall, that's the most I could recommend, and it will alert you to any connection trying to be made to your computer. If you get hacked it's something you did bad on your end, or you left a vulnerable program receiving connections on an open port.

Look, if you want maximum speed this isn't the way to go about it; you want to optimize your MTU and whatnot. Online gaming's not about speed anyway, it's latency, and you can't change that at your end.

A quarter of one percent of a 4000Kb (4Mb) connection is 10Kb. At 10Kb a second it would take you two hours to get a 1MB file.

May I direct you here: http://www.dslreports.com/tweaks
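As an added example, not code from this thread or from ZoneAlarm or NetworkActiv, the script below does the two checks the replies describe: it flags a source that walks through many destination ports in a short span as a port scan (the "changes ports, then the IP changes ever-so-slightly" pattern), and it classifies 255.255.255.255 destinations as limited broadcasts that no router forwards, so they cannot leave the LAN. The log format is a constructed stand-in, the 198.51.100.x and 203.0.113.x addresses are RFC 5737 documentation ranges standing in for the 221.208.x.x hosts and a web server, and 192.168.1.10 is an assumed local machine.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simple "date time ACTION PROTO src:sport dst:dport"
# format. It is a stand-in, NOT ZoneAlarm's or NetworkActiv's real log format.
# 198.51.100.x / 203.0.113.x are documentation ranges standing in for public hosts;
# 192.168.1.10 is the assumed local machine; 10.0.0.7 is an assumed LAN host.
SAMPLE_LOG = """\
2007-08-12 00:10:01 BLOCK TCP 198.51.100.5:3021 192.168.1.10:135
2007-08-12 00:10:09 BLOCK TCP 198.51.100.5:3022 192.168.1.10:139
2007-08-12 00:10:20 BLOCK TCP 198.51.100.5:3023 192.168.1.10:445
2007-08-12 00:10:31 BLOCK TCP 198.51.100.5:3024 192.168.1.10:1433
2007-08-12 00:10:44 BLOCK TCP 198.51.100.5:3025 192.168.1.10:3389
2007-08-12 00:10:50 BLOCK TCP 198.51.100.6:4011 192.168.1.10:22
2007-08-12 00:11:02 ALLOW UDP 10.0.0.7:68 255.255.255.255:67
2007-08-12 00:11:40 ALLOW TCP 192.168.1.10:1054 203.0.113.20:80
2007-08-12 00:12:13 ALLOW UDP 10.0.0.7:68 255.255.255.255:67
2007-08-12 06:30:00 BLOCK TCP 198.51.100.5:3100 192.168.1.10:80
"""

# RFC 1918 private ranges and the limited-broadcast address, checked explicitly
# rather than via ipaddress.is_private (which also matches documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for blank lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    src, sport = parts[4].rsplit(":", 1)
    dst, dport = parts[5].rsplit(":", 1)
    return {
        "time": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
        "action": parts[2],
        "proto": parts[3],
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def classify(addr):
    """Say how far a packet to or from this address can travel."""
    addr = ipaddress.ip_address(addr)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"  # routers never forward it: it stays on the link
    if any(addr in net for net in RFC1918):
        return "rfc1918"            # private range, not routable on the public Internet
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return "local"
    return "public"


def find_port_scans(events, min_ports=4, window=timedelta(minutes=5)):
    """Return {src: all distinct ports it probed} for every source that hit at
    least `min_ports` distinct destination ports within one `window`-long span.
    Only BLOCKed inbound attempts count: the "bouncing off the firewall" traffic."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "BLOCK":
            by_src[ev["src"]].append(ev)
    scans = {}
    for src, evs in by_src.items():
        recent = deque()  # sliding window of this source's recent attempts
        for ev in evs:
            recent.append(ev)
            while ev["time"] - recent[0]["time"] > window:
                recent.popleft()
            if len({e["dport"] for e in recent}) >= min_ports:
                scans[str(src)] = sorted({e["dport"] for e in evs})
                break
    return scans


def summarize(log_text):
    """Scan verdicts plus a count of on-link broadcasts and who sent them."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    broadcasts = [ev for ev in events if classify(ev["dst"]) == "limited-broadcast"]
    return {
        "scans": find_port_scans(events),
        "broadcast_count": len(broadcasts),
        "broadcast_sources": sorted({classify(ev["src"]) for ev in broadcasts}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against the sample, 198.51.100.5 is reported as a scanner (four distinct ports inside five minutes), 198.51.100.6 with its single probe is not, and the two 10.0.0.7 packets to 255.255.255.255 are counted as on-link broadcasts from a private address rather than anything leaving the network. Pointing it at a real firewall log only requires replacing parse_line with one that understands that product's format.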

