Network Usage Spike

<GJva8FPHILGkFwrp@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6257&group=comp.sys.raspberry-pi#6257

Newsgroups: comp.sys.raspberry-pi
 by: Adrian - Mon, 20 Mar 2023 19:20 UTC

A couple of weeks back, I upgraded one of my Pis to Bullseye, so far my
only Pi on Bullseye. Since then at 1541 each day, I've noticed a large
spike in the incoming network activity. Sunday saw a spike of 779KBytes
out of daily total of 1610KB.

Curious as to what was going on, I installed Tshark, and set it up to
run for 3 minutes from 1539, sending the output to a file. Upon looking
at the file, I found that apart from the usual network chatter (e.g. the
router asking who had a particular address), I found the following :

37 76.470812759 192.168.1.12 → 217.169.20.20 DNS 90 Standard
query 0xf19f SRV _http._tcp.security.debian.org
38 76.470842394 192.168.1.12 → 217.169.20.20 DNS 94 Standard
query 0xa59f SRV _http._tcp.archive.raspberrypi.org
39 76.470848436 192.168.1.12 → 217.169.20.20 DNS 85 Standard
query 0xc6ab SRV _http._tcp.deb.debian.org
40 76.481293450 217.169.20.20 → 192.168.1.12 DNS 134 Standard
query response 0xf19f SRV _http._tcp.security.debian.org SRV 10 1 80
debian.map.fastlydns.net
41 76.481380689 217.169.20.20 → 192.168.1.12 DNS 157 Standard
query response 0xa59f SRV _http._tcp.archive.raspberrypi.org SOA
april.ns.cloudflare.com
42 76.481644439 217.169.20.20 → 192.168.1.12 DNS 234 Standard
query response 0xc6ab SRV _http._tcp.deb.debian.org SRV 10 1 80
debian.map.fastlydns.net NS sec1.rcode0.net NS sec2.rcode0.net NS
nsp.dnsnode.net NS dns4.easydns.info
43 76.483290787 192.168.1.12 → 217.169.20.20 DNS 84 Standard
query 0x8ef4 A debian.map.fastlydns.net
44 76.483315005 192.168.1.12 → 217.169.20.20 DNS 83 Standard
query 0xbcf7 A archive.raspberrypi.org
45 76.483320057 192.168.1.12 → 217.169.20.20 DNS 83 Standard
query 0x3d05 AAAA archive.raspberrypi.org
46 76.483483911 192.168.1.12 → 217.169.20.20 DNS 84 Standard
query 0x9405 AAAA debian.map.fastlydns.net
47 76.483617296 192.168.1.12 → 217.169.20.20 DNS 84 Standard
query 0xc510 A debian.map.fastlydns.net
48 76.483654119 192.168.1.12 → 217.169.20.20 DNS 84 Standard
query 0x4d05 AAAA debian.map.fastlydns.net
49 76.494021842 217.169.20.20 → 192.168.1.12 DNS 324 Standard
query response 0xbcf7 A archive.raspberrypi.org CNAME lb.raspberrypi.org
CNAME lb.raspberrypi.com A 46.235.231.145 A 46.235.230.122 A
176.126.240.167 A 46.235.231.151 A 93.93.130.212 A 46.235.231.111 A
93.93.135.118 A 176.126.240.84 A 46.235.227.39 A 176.126.240.86 A
93.93.135.117 A 93.93.135.141
50 76.494097362 217.169.20.20 → 192.168.1.12 DNS 468 Standard
query response 0x3d05 AAAA archive.raspberrypi.org CNAME
lb.raspberrypi.org CNAME lb.raspberrypi.com AAAA 2a00:1098:80:56::3:1
AAAA 2a00:1098:84:1e0::2 AAAA 2a00:1098:80:56::1:1 AAAA
2a00:1098:82:47::1:1 AAAA 2a00:1098:82:47::2:1 AAAA 2a00:1098:84:1e0::1
AAAA 2a00:1098:84:1e0::3 AAAA 2a00:1098:88:26::1:1 AAAA
2a00:1098:82:47::1 AAAA 2a00:1098:80:56::2:1 AAAA 2a00:1098:88:26::2:1
AAAA 2a00:1098:88:26::1
51 76.495519284 217.169.20.20 → 192.168.1.12 DNS 172 Standard
query response 0x8ef4 A debian.map.fastlydns.net A 146.75.74.132 NS
ns4.fastlydns.net NS ns1.fastlydns.net NS ns2.fastlydns.net NS
ns3.fastlydns.net
52 76.495530586 192.168.1.12 → 46.235.231.145 TCP 74 56646
→ 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=2151160613 TSecr=0 WS=128
53 76.495712200 217.169.20.20 → 192.168.1.12 DNS 172 Standard
query response 0xc510 A debian.map.fastlydns.net A 146.75.74.132 NS
ns4.fastlydns.net NS ns1.fastlydns.net NS ns2.fastlydns.net NS
ns3.fastlydns.net
54 76.496102043 217.169.20.20 → 192.168.1.12 DNS 184 Standard
query response 0x4d05 AAAA debian.map.fastlydns.net AAAA
2a04:4e42:82::644 NS ns1.fastlydns.net NS ns2.fastlydns.net NS
ns3.fastlydns.net NS ns4.fastlydns.net
55 76.496171938 217.169.20.20 → 192.168.1.12 DNS 184 Standard
query response 0x9405 AAAA debian.map.fastlydns.net AAAA
2a04:4e42:82::644 NS ns1.fastlydns.net NS ns2.fastlydns.net NS
ns3.fastlydns.net NS ns4.fastlydns.net
56 76.496839905 192.168.1.12 → 146.75.74.132 TCP 74 59924
→ 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=2312770960 TSecr=0 WS=128
57 76.496944592 192.168.1.12 → 146.75.74.132 TCP 74 59930
→ 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=2312770960 TSecr=0 WS=128
58 76.506952785 146.75.74.132 → 192.168.1.12 TCP 74 80 →
59930 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452 SACK_PERM=1
TSval=3782000011 TSecr=2312770960 WS=512
59 76.507027837 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2312770970
TSecr=3782000011
60 76.506956795 146.75.74.132 → 192.168.1.12 TCP 74 80 →
59924 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452 SACK_PERM=1
TSval=2958653101 TSecr=2312770960 WS=512
61 76.507061691 192.168.1.12 → 146.75.74.132 TCP 66 59924
→ 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2312770970
TSecr=2958653101
62 76.507493095 192.168.1.12 → 146.75.74.132 HTTP 293 GET
/debian-security/dists/bullseye-security/InRelease HTTP/1.1
63 76.507706949 192.168.1.12 → 146.75.74.132 HTTP 270 GET
/debian/dists/bullseye/InRelease HTTP/1.1
64 76.513721823 46.235.231.145 → 192.168.1.12 TCP 74 80 →
56646 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1452 SACK_PERM=1
TSval=3611821457 TSecr=2151160613 WS=128
65 76.513789739 192.168.1.12 → 46.235.231.145 TCP 66 56646
→ 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2151160631
TSecr=3611821457
66 76.514281040 192.168.1.12 → 46.235.231.145 HTTP 279 GET
/debian/dists/bullseye/InRelease HTTP/1.1
67 76.517564726 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59924 [ACK] Seq=1 Ack=228 Win=145408 Len=0 TSval=2958653111
TSecr=2312770970
68 76.517826600 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59930 [ACK] Seq=1 Ack=205 Win=145408 Len=0 TSval=3782000022
TSecr=2312770970
69 76.518253109 146.75.74.132 → 192.168.1.12 HTTP 356 HTTP/1.1
304 Not Modified
70 76.518282015 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=205 Ack=291 Win=64128 Len=0 TSval=2312770981
TSecr=3782000023
71 76.520364663 192.168.1.12 → 146.75.74.132 HTTP 278 GET
/debian/dists/bullseye-updates/InRelease HTTP/1.1
72 76.521964189 146.75.74.132 → 192.168.1.12 HTTP 395 HTTP/1.1
304 Not Modified
73 76.522039501 192.168.1.12 → 146.75.74.132 TCP 66 59924
→ 80 [ACK] Seq=228 Ack=330 Win=64128 Len=0 TSval=2312770985
TSecr=2958653116
74 76.530218013 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59930 [ACK] Seq=291 Ack=417 Win=146432 Len=0 TSval=3782000035
TSecr=2312770983
75 76.531070823 146.75.74.132 → 192.168.1.12 TCP 689 HTTP/1.1
200 OK [TCP segment of a reassembled PDU]
76 76.531419467 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=914 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
77 76.531492071 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=2350 Win=64128 Len=0 TSval=2312770994
TSecr=3782000035
78 76.531630456 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=2350 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
79 76.531766706 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=3786 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
80 76.531815403 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=5222 Win=64128 Len=0 TSval=2312770995
TSecr=3782000035
81 76.531913997 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=5222 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
82 76.532060663 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [PSH, ACK] Seq=6658 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
83 76.532092746 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=8094 Win=64128 Len=0 TSval=2312770995
TSecr=3782000035
84 76.532144725 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=8094 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
85 76.532266339 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=9530 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
86 76.532294568 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=10966 Win=64128 Len=0 TSval=2312770995
TSecr=3782000035
87 76.532399828 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=10966 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
88 76.532763160 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=12402 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
89 76.532795660 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=13838 Win=64128 Len=0 TSval=2312770996
TSecr=3782000035
90 76.532991857 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [PSH, ACK] Seq=13838 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
91 76.533475814 146.75.74.132 → 192.168.1.12 TCP 1502 [TCP
Previous segment not captured] 80 → 59930 [PSH, ACK] Seq=21018
Ack=417 Win=146432 Len=1436 TSval=3782000036 TSecr=2312770983 [TCP
segment of a reassembled PDU]
92 76.533518418 192.168.1.12 → 146.75.74.132 TCP 78 59930
→ 80 [ACK] Seq=417 Ack=15274 Win=62720 Len=0 TSval=2312770996
TSecr=3782000035 SLE=21018 SRE=22454
93 76.533604668 146.75.74.132 → 192.168.1.12 TCP 1502 [TCP
Out-Of-Order] 80 → 59930 [ACK] Seq=15274 Ack=417 Win=146432
Len=1436 TSval=3782000036 TSecr=2312770983 [TCP segment of a reassembled
PDU]
94 76.533636074 192.168.1.12 → 146.75.74.132 TCP 78 59930
→ 80 [ACK] Seq=417 Ack=16710 Win=61312 Len=0 TSval=2312770996
TSecr=3782000036 SLE=21018 SRE=22454
95 76.533721699 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=22454 Ack=417 Win=146432 Len=1436
TSval=3782000037 TSecr=2312770983 [TCP segment of a reassembled PDU]
96 76.533753001 192.168.1.12 → 146.75.74.132 TCP 78 [TCP Dup
ACK 94#1] 59930 → 80 [ACK] Seq=417 Ack=16710 Win=61312 Len=0
TSval=2312770996 TSecr=3782000036 SLE=21018 SRE=23890
97 76.533847271 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=23890 Ack=417 Win=146432 Len=1436
TSval=3782000037 TSecr=2312770983 [TCP segment of a reassembled PDU]
98 76.533874406 192.168.1.12 → 146.75.74.132 TCP 78 [TCP Dup
ACK 94#2] 59930 → 80 [ACK] Seq=417 Ack=16710 Win=61312 Len=0
TSval=2312770997 TSecr=3782000036 SLE=21018 SRE=25326
99 76.533970500 146.75.74.132 → 192.168.1.12 TCP 1502 [TCP
Fast Retransmission] 80 → 59930 [ACK] Seq=16710 Ack=417
Win=146432 Len=1436 TSval=3782000036 TSecr=2312770983 [TCP segment of a
reassembled PDU]
100 76.534001646 192.168.1.12 → 146.75.74.132 TCP 78 59930
→ 80 [ACK] Seq=417 Ack=18146 Win=59904 Len=0 TSval=2312770997
TSecr=3782000036 SLE=21018 SRE=25326
101 76.534089406 146.75.74.132 → 192.168.1.12 TCP 1502 [TCP
Out-Of-Order] 80 → 59930 [ACK] Seq=18146 Ack=417 Win=146432
Len=1436 TSval=3782000036 TSecr=2312770983 [TCP segment of a reassembled
PDU]
102 76.534120083 192.168.1.12 → 146.75.74.132 TCP 78 59930
→ 80 [ACK] Seq=417 Ack=19582 Win=58496 Len=0 TSval=2312770997
TSecr=3782000036 SLE=21018 SRE=25326
103 76.534208103 146.75.74.132 → 192.168.1.12 TCP 1502 [TCP
Out-Of-Order] 80 → 59930 [ACK] Seq=19582 Ack=417 Win=146432
Len=1436 TSval=3782000036 TSecr=2312770983 [TCP segment of a reassembled
PDU]
104 76.534245082 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=25326 Win=64128 Len=0 TSval=2312770997
TSecr=3782000036
105 76.534331071 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=25326 Ack=417 Win=146432 Len=1436
TSval=3782000037 TSecr=2312770983 [TCP segment of a reassembled PDU]
106 76.534446592 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=26762 Ack=417 Win=146432 Len=1436
TSval=3782000037 TSecr=2312770983 [TCP segment of a reassembled PDU]
107 76.534468050 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=28198 Win=64128 Len=0 TSval=2312770997
TSecr=3782000037
108 76.534579612 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [PSH, ACK] Seq=28198 Ack=417 Win=146432 Len=1436
TSval=3782000037 TSecr=2312770983 [TCP segment of a reassembled PDU]
109 76.534692268 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=29634 Ack=417 Win=146432 Len=1436
TSval=3782000038 TSecr=2312770983 [TCP segment of a reassembled PDU]
110 76.534716539 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=31070 Win=64128 Len=0 TSval=2312770997
TSecr=3782000037
111 76.534694716 46.235.231.145 → 192.168.1.12 HTTP 176
HTTP/1.1 304 Not Modified
112 76.534764143 192.168.1.12 → 46.235.231.145 TCP 66 56646
→ 80 [ACK] Seq=214 Ack=111 Win=64256 Len=0 TSval=2151160652
TSecr=3611821477
113 76.534874976 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=31070 Ack=417 Win=146432 Len=1436
TSval=3782000038 TSecr=2312770983 [TCP segment of a reassembled PDU]
114 76.534950653 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=32506 Ack=417 Win=146432 Len=1436
TSval=3782000038 TSecr=2312770983 [TCP segment of a reassembled PDU]
115 76.534972163 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=33942 Win=64128 Len=0 TSval=2312770998
TSecr=3782000038
116 76.535087527 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=33942 Ack=417 Win=146432 Len=1436
TSval=3782000038 TSecr=2312770983 [TCP segment of a reassembled PDU]
117 76.535196850 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [PSH, ACK] Seq=35378 Ack=417 Win=146432 Len=1436
TSval=3782000038 TSecr=2312770983 [TCP segment of a reassembled PDU]
118 76.535218933 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=36814 Win=64128 Len=0 TSval=2312770998
TSecr=3782000038
119 76.535383932 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=36814 Ack=417 Win=146432 Len=1436
TSval=3782000039 TSecr=2312770983 [TCP segment of a reassembled PDU]
120 76.535509817 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=38250 Ack=417 Win=146432 Len=1436
TSval=3782000039 TSecr=2312770983 [TCP segment of a reassembled PDU]
121 76.535590025 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=39686 Win=64128 Len=0 TSval=2312770998
TSecr=3782000039
122 76.535677733 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=39686 Ack=417 Win=146432 Len=1436
TSval=3782000039 TSecr=2312770983 [TCP segment of a reassembled PDU]
123 76.535825806 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [PSH, ACK] Seq=41122 Ack=417 Win=146432 Len=1436
TSval=3782000039 TSecr=2312770983 [TCP segment of a reassembled PDU]
124 76.535867889 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=42558 Win=64128 Len=0 TSval=2312770999
TSecr=3782000039
125 76.541879325 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=42558 Ack=417 Win=146432 Len=1436
TSval=3782000046 TSecr=2312770994 [TCP segment of a reassembled PDU]
126 76.541938596 146.75.74.132 → 192.168.1.12 HTTP 1052
HTTP/1.1 200 OK
127 76.541990888 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=417 Ack=44980 Win=64128 Len=0 TSval=2312771005
TSecr=3782000046
128 78.435572392 192.168.1.12 → 46.235.231.145 TCP 66 56646
→ 80 [FIN, ACK] Seq=214 Ack=111 Win=64256 Len=0 TSval=2151162553
TSecr=3611821477
129 78.438001081 192.168.1.12 → 146.75.74.132 TCP 66 59924
→ 80 [FIN, ACK] Seq=228 Ack=330 Win=64128 Len=0 TSval=2312772901
TSecr=2958653116
130 78.440488781 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [FIN, ACK] Seq=417 Ack=44980 Win=64128 Len=0
TSval=2312772903 TSecr=3782000046
131 78.448070576 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59924 [FIN, ACK] Seq=330 Ack=229 Win=145408 Len=0 TSval=2958655042
TSecr=2312772901
132 78.448199690 192.168.1.12 → 146.75.74.132 TCP 66 59924
→ 80 [ACK] Seq=229 Ack=331 Win=64128 Len=0 TSval=2312772911
TSecr=2958655042
133 78.448074847 146.75.74.132 → 192.168.1.12 TCP 66 [TCP
Keep-Alive] 80 → 59924 [ACK] Seq=330 Ack=229 Win=145408 Len=0
TSval=2958655042 TSecr=2312772901
134 78.448290107 192.168.1.12 → 146.75.74.132 TCP 66 [TCP
Keep-Alive ACK] 59924 → 80 [ACK] Seq=229 Ack=331 Win=64128 Len=0
TSval=2312772911 TSecr=2958655042
135 78.450118694 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59930 [ACK] Seq=44980 Ack=418 Win=146432 Len=0 TSval=3782001955
TSecr=2312772903
136 78.450194944 146.75.74.132 → 192.168.1.12 TCP 66 80 →
59930 [FIN, ACK] Seq=44980 Ack=418 Win=146432 Len=0 TSval=3782001955
TSecr=2312772903
137 78.450249735 192.168.1.12 → 146.75.74.132 TCP 66 59930
→ 80 [ACK] Seq=418 Ack=44981 Win=64128 Len=0 TSval=2312772913
TSecr=3782001955
138 78.454811021 46.235.231.145 → 192.168.1.12 TCP 66 80 →
56646 [FIN, ACK] Seq=111 Ack=215 Win=65024 Len=0 TSval=3611823398
TSecr=2151162553
139 78.454937114 192.168.1.12 → 46.235.231.145 TCP 66 56646
→ 80 [ACK] Seq=215 Ack=112 Win=64256 Len=0 TSval=2151162573
TSecr=3611823398
140 78.458170748 146.75.74.132 → 192.168.1.12 TCP 60 80 →
59924 [RST] Seq=331 Win=0 Len=0


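To see where the inbound bytes in a capture like the one above come from, the tshark summary lines can be reduced to per-peer totals, resolved names and HTTP requests. This is an added example, not part of the original post; the function names are this example's own, and the sample frames are copied from the capture above with the news client's line wrapping left in.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Frames copied from the capture quoted in the post, including the
# line wrapping added by the news client.
SAMPLE = """\
51 76.495519284 217.169.20.20 → 192.168.1.12 DNS 172 Standard
query response 0x8ef4 A debian.map.fastlydns.net A 146.75.74.132 NS
ns4.fastlydns.net NS ns1.fastlydns.net NS ns2.fastlydns.net NS
ns3.fastlydns.net
62 76.507493095 192.168.1.12 → 146.75.74.132 HTTP 293 GET
/debian-security/dists/bullseye-security/InRelease HTTP/1.1
66 76.514281040 192.168.1.12 → 46.235.231.145 HTTP 279 GET
/debian/dists/bullseye/InRelease HTTP/1.1
69 76.518253109 146.75.74.132 → 192.168.1.12 HTTP 356 HTTP/1.1
304 Not Modified
76 76.531419467 146.75.74.132 → 192.168.1.12 TCP 1502 80
→ 59930 [ACK] Seq=914 Ack=417 Win=146432 Len=1436
TSval=3782000035 TSecr=2312770983 [TCP segment of a reassembled PDU]
111 76.534694716 46.235.231.145 → 192.168.1.12 HTTP 176
HTTP/1.1 304 Not Modified
126 76.541938596 146.75.74.132 → 192.168.1.12 HTTP 1052
HTTP/1.1 200 OK
"""

# frame number, relative time, source, destination, protocol, frame length, info
HEADER = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+(.*))?$")
DNS_RESPONSE = re.compile(r"^Standard query response 0x[0-9a-f]+ \S+ (\S+)(.*)$")
DNS_ANSWER = re.compile(
    r"\b(?:A|AAAA) ((?:\d{1,3}\.){3}\d{1,3}|[0-9a-f]*:[0-9a-f:]+)")
HTTP_REQUEST = re.compile(r"^(?:GET|HEAD|POST) (\S+) HTTP/")
HTTP_STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}\b.*)$")


@dataclass
class Frame:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


@dataclass
class PeerStats:
    bytes_in: int = 0
    bytes_out: int = 0
    names: set = field(default_factory=set)
    requests: list = field(default_factory=list)
    statuses: list = field(default_factory=list)


def parse_records(text):
    """Rebuild one Frame per packet; wrapped lines are appended to the info."""
    frames, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            no, t, src, dst, proto, length, info = m.groups()
            current = Frame(int(no), float(t), src, dst, proto,
                            int(length), info or "")
            frames.append(current)
        elif current is not None and line.strip():
            current.info = f"{current.info} {line.strip()}".strip()
    return frames


def summarize(frames, local_ip):
    """Per remote peer: frame bytes each way, DNS names, HTTP requests/statuses."""
    peers, resolved = defaultdict(PeerStats), {}
    for f in frames:
        inbound = f.dst == local_ip
        if not inbound and f.src != local_ip:
            continue                      # traffic between other hosts
        peer = peers[f.src if inbound else f.dst]
        if inbound:
            peer.bytes_in += f.length
        else:
            peer.bytes_out += f.length
        if f.proto == "DNS":
            m = DNS_RESPONSE.match(f.info)
            if m:                         # remember which name led to which address
                for addr in DNS_ANSWER.findall(m.group(2)):
                    resolved.setdefault(addr, m.group(1))
        elif f.proto == "HTTP":
            req, status = HTTP_REQUEST.match(f.info), HTTP_STATUS.match(f.info)
            if req:
                peer.requests.append(req.group(1))
            if status:
                peer.statuses.append(status.group(1))
    for addr, name in resolved.items():
        if addr in peers:
            peers[addr].names.add(name)
    return dict(peers)


def top_inbound(peers):
    """Peers sorted by bytes received from them, largest first."""
    return sorted(((p.bytes_in, ip) for ip, p in peers.items()), reverse=True)


if __name__ == "__main__":
    stats = summarize(parse_records(SAMPLE), "192.168.1.12")
    for size, ip in top_inbound(stats):
        p = stats[ip]
        print(ip, size, sorted(p.names), p.requests, p.statuses)
```

Feed it the whole capture file to attribute the full spike; the totals are frame lengths as tshark reports them, so they include protocol headers.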
Re: Network Usage Spike

<MTq*cJJbz@news.chiark.greenend.org.uk>

https://www.novabbs.com/computers/article-flat.php?id=6258&group=comp.sys.raspberry-pi#6258
 by: Theo - Mon, 20 Mar 2023 22:49 UTC

Adrian <bulleid@ku.gro.lioff> wrote:
> A couple of weeks back, I upgraded one of my Pis to Bullseye, so far my
> only Pi on Bullseye. Since then at 1541 each day, I've noticed a large
> spike in the incoming network activity. Sunday saw a spike of 779KBytes
> out of daily total of 1610KB.
>
> Curious as to what was going on, I installed Tshark, and set it up to
> run for 3 minutes from 1539, sending the output to a file. Upon looking
> at the file, I found that apart from the usual network chatter (e.g. the
> router asking who had a particular address), I found the following :
>
> A bit of whois'ing suggests that :
>
> 217.169.20.20 is my ISP
> 46.235.231.145 is Mythic Beasts, with an address in Cambridge (UK)
> 146.75.74.132 is Fastly with a location of San Francisco
>
> So what is going on ? It looks as though it is looking for updates, is
> it harmless ?

Mythic Beasts host raspberrypi.com and some of the Raspbian infrastructure.

I'm not sure about Fastly, but that appears to be DNS traffic. I can't see
anything immediately obvious around raspbian.org, raspberrypi.com,
raspberrypi.org etc using Fastly for its DNS, but it's possible something
is, especially if you have other things in your /etc/apt/sources.list
(are there any third party repos in there, like Wolfram?)

I would guess the traffic is it checking for updates, so that wouldn't worry
me.

Theo

Re: Network Usage Spike

<abn94vTmeOGkFw5C@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6259&group=comp.sys.raspberry-pi#6259
 by: Adrian - Mon, 20 Mar 2023 23:09 UTC

In message <MTq*cJJbz@news.chiark.greenend.org.uk>, Theo
<theom+news@chiark.greenend.org.uk> writes
>Adrian <bulleid@ku.gro.lioff> wrote:
>> A couple of weeks back, I upgraded one of my Pis to Bullseye, so far my
>> only Pi on Bullseye. Since then at 1541 each day, I've noticed a large
>> spike in the incoming network activity. Sunday saw a spike of 779KBytes
>> out of daily total of 1610KB.
>>
>> Curious as to what was going on, I installed Tshark, and set it up to
>> run for 3 minutes from 1539, sending the output to a file. Upon looking
>> at the file, I found that apart from the usual network chatter (e.g. the
>> router asking who had a particular address), I found the following :
>>
>> A bit of whois'ing suggests that :
>>
>> 217.169.20.20 is my ISP
>> 46.235.231.145 is Mythic Beasts, with an address in Cambridge (UK)
>> 146.75.74.132 is Fastly with a location of San Francisco
>>
>> So what is going on ? It looks as though it is looking for updates, is
>> it harmless ?
>
>Mythic Beasts host raspberrypi.com and some of the Raspbian infrastructure.
>

I suspected that might be the case.

>I'm not sure about Fastly, but that appears to be DNS traffic. I can't see
>anything immediately obvious around raspbian.org, raspberrypi.com,
>raspberrypi.org etc using Fastly for its DNS, but it's possible something
>is, especially if you have other things in your /etc/apt/sources.list
>(are there any third party repos in there, like Wolfram?)
>

$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
# Uncomment deb-src lines below then 'apt-get update' to enable 'apt-get source'
#deb-src http://deb.debian.org/debian bullseye main contrib non-free
#deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
#deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

>I would guess the traffic is it checking for updates, so that wouldn't worry
>me.
>

What struck me as strange wasn't so much that it was checking for
updates (although I'm not sure that it is succeeding, as I did a manual
one this afternoon), but the volume of data that the checking involved.

Thanks

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

Re: Network Usage Spike

<tvbnpg$4e5$7@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=6262&group=comp.sys.raspberry-pi#6262
 by: Marco Moock - Tue, 21 Mar 2023 07:53 UTC

On 20.03.2023 at 23:09:26, Adrian wrote:

> deb http://deb.debian.org/debian bullseye main contrib non-free

That is a CNAME, maybe for easily changing the server and doing some load
balancing.

deb.debian.org. 2 IN CNAME debian.map.fastlydns.net.
debian.map.fastlydns.net. 28 IN AAAA 2a04:4e42:8d::644

So the behavior of your machine is completely normal.

Re: Network Usage Spike

<k7thkjFc02dU3@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=6267&group=comp.sys.raspberry-pi#6267
 by: Andy Burns - Tue, 21 Mar 2023 11:10 UTC

Theo wrote:

> I would guess the traffic is it checking for updates, so that wouldn't worry
> me.

it's not so much a spike as a grain of dust under the carpet ...

Re: Network Usage Spike

<SMRew8IVlaGkFwYj@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6271&group=comp.sys.raspberry-pi#6271
 by: Adrian - Tue, 21 Mar 2023 12:55 UTC

In message <k7thkjFc02dU3@mid.individual.net>, Andy Burns
<usenet@andyburns.uk> writes
>Theo wrote:
>
>> I would guess the traffic is it checking for updates, so that wouldn't worry
>> me.
>
>it's not so much a spike as a grain of dust under the carpet ...
>

In the grand scheme of things, you're right. However, for that
particular Pi, it stood out like a sore thumb (~50% of the day's incoming
network traffic in under a minute), hence why it attracted my attention.
From past experience (with pre-Bullseye Pis), it was unexpected, and I
get suspicious if things aren't working as expected. In this case, it
appears that it is doing what it should be doing, so that is OK.

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

Re: Network Usage Spike

<ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>

https://www.novabbs.com/computers/article-flat.php?id=6275&group=comp.sys.raspberry-pi#6275
 by: Dennis Lee Bieber - Wed, 22 Mar 2023 01:38 UTC

On Tue, 21 Mar 2023 12:55:49 +0000, Adrian <bulleid@ku.gro.lioff> declaimed
the following:

>In the grand scheme of things, you're right. However, for that
>particular Pi, it stood out like a sore thumb (~50% of the day's incoming
>network traffic in under a minute), hence why it attracted my attention.
>From past experience (with pre-Bullseye Pis), it was unexpected, and I
>get suspicious if things aren't working as expected. In this case, it
>appears that it is doing what it should be doing, so that is OK.
>

Have you looked at the various crontab files (both logged in user and
system tables) for something set to trigger around that time?

Re: Network Usage Spike

<xj3QuyCw$wGkFw$9@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6276&group=comp.sys.raspberry-pi#6276
 by: Adrian - Wed, 22 Mar 2023 14:25 UTC

In message <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>, Dennis Lee
Bieber <wlfraed@ix.netcom.com> writes
>On Tue, 21 Mar 2023 12:55:49 +0000, Adrian <bulleid@ku.gro.lioff> declaimed
>the following:
>
>>In the grand scheme of things, you're right. However, for that
>>particular Pi, it stood out like a sore thumb (~50% of the day's incoming
>>network traffic in under a minute), hence why it attracted my attention.
>> From past experience (with pre-Bullseye Pis), it was unexpected, and I
>>get suspicious if things aren't working as expected. In this case, it
>>appears that it is doing what it should be doing, so that is OK.
>>
>
> Have you looked at the various crontab files (both logged in user and
>system tables) for something set to trigger around that time?

Thanks.

I hadn't, but I have now.

There isn't anything that I've set up (/var/spool/cron/crontab/*) and
there doesn't appear to be anything for that time in /etc/crontab

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

Re: Network Usage Spike

<tvf4kv$ged$1@freeq.furie.org.uk>

https://www.novabbs.com/computers/article-flat.php?id=6277&group=comp.sys.raspberry-pi#6277

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!news.furie.org.uk!.POSTED.2001:470:1f1d:50e:f425:35ff:fe70:8d66!not-for-mail
From: tom...@furie.org.uk (Tom Furie)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 14:51:11 -0000 (UTC)
Message-ID: <tvf4kv$ged$1@freeq.furie.org.uk>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff>
<ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff>
Injection-Date: Wed, 22 Mar 2023 14:51:11 -0000 (UTC)
Injection-Info: freeq.furie.org.uk; posting-host="2001:470:1f1d:50e:f425:35ff:fe70:8d66";
logging-data="16845"; mail-complaints-to="usenet@furie.org.uk"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:V0x0CvCWb57aZfrIRMQKDM4YAHg=
 by: Tom Furie - Wed, 22 Mar 2023 14:51 UTC

On 2023-03-22, Adrian <bulleid@ku.gro.lioff> wrote:
> There isn't anything that I've set up (/var/spool/cron/crontab/*) and
> there doesn't appear to be anything for that time in /etc/crontab

Do you have unattended-upgrades or apt-config-auto-update installed?

Cheers,
Tom

Re: Network Usage Spike

<WTKZyVKHRyGkFwZB@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6278&group=comp.sys.raspberry-pi#6278

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail
From: bull...@ku.gro.lioff (Adrian)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 15:52:39 +0000
Organization: Occasionally
Lines: 29
Message-ID: <WTKZyVKHRyGkFwZB@ku.gro.lloiff>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff> <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff> <tvf4kv$ged$1@freeq.furie.org.uk>
Reply-To: Adrian <bulleid@ffoil.org.uk>
MIME-Version: 1.0
Content-Type: text/plain;charset=us-ascii;format=flowed
Injection-Info: dont-email.me; posting-host="45b5550fcc2d8beb5b0652df4a4664d1";
logging-data="736679"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19o00D2tTzstqbQ2HZr3fBWubNn5JJf/V0="
User-Agent: Turnpike/6.07-M (<j0xzPpkP$wzC5Gse8l6aF2twl4>)
Cancel-Lock: sha1:4btY0KNxA4mAM/ihWX6i+/BGZXM=
 by: Adrian - Wed, 22 Mar 2023 15:52 UTC

In message <tvf4kv$ged$1@freeq.furie.org.uk>, Tom Furie
<tom@furie.org.uk> writes
>On 2023-03-22, Adrian <bulleid@ku.gro.lioff> wrote:
>> There isn't anything that I've set up (/var/spool/cron/crontab/*) and
>> there doesn't appear to be anything for that time in /etc/crontab
>

Thanks.

>Do you have unattended-upgrades

No

>or apt-config-auto-update installed?
>

running

systemctl status apt-daily.timer

It looks like it, but it is set to run at 0115, and there is no obvious
sign of it doing any updating. The activity that I'm seeing is at 1541.

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

Re: Network Usage Spike

<slrnu1mmdi.2ci.jj@iridium.wf32df>

https://www.novabbs.com/computers/article-flat.php?id=6280&group=comp.sys.raspberry-pi#6280

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail
From: jj...@franjam.org.uk (Jim Jackson)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 19:40:34 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 32
Message-ID: <slrnu1mmdi.2ci.jj@iridium.wf32df>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff>
<ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff>
Injection-Date: Wed, 22 Mar 2023 19:40:34 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="ea1577fec541f19ff759f0cddad3af71";
logging-data="812463"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18/tOJWyci/OX7Ybn1IpN+9gppvFTCvqXA="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:QDNEAY+oJ3kuTOqrTACEq9+qg0o=
 by: Jim Jackson - Wed, 22 Mar 2023 19:40 UTC

On 2023-03-22, Adrian <bulleid@ku.gro.lioff> wrote:
> In message <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>, Dennis Lee
> Bieber <wlfraed@ix.netcom.com> writes
>>On Tue, 21 Mar 2023 12:55:49 +0000, Adrian <bulleid@ku.gro.lioff> declaimed
>>the following:
>>
>>>In the grand scheme of things, you're right. However, for that
>>>particular Pi, it stood out like a sore thumb (~50% of the day's incoming
>>>network traffic in under a minute), hence why it attracted my attention.
>>> From past experience (with pre-Bullseye Pis), it was unexpected, and I
>>>get suspicious if things aren't working as expected. In this case, it
>>>appears that it is doing what it should be doing, so that is OK.
>>>
>>
>> Have you looked at the various crontab files (both logged in user and
>>system tables) for something set to trigger around that time?
>
> Thanks.
>
> I hadn't, but I have now.
>
> There isn't anything that I've set up (/var/spool/cron/crontab/*) and
> there doesn't appear to be anything for that time in /etc/crontab
>

Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}

The jobs there are run by either cron or anacron.

Both cron and anacron syslog messages indicating when they run jobs in
those directories.

Re: Network Usage Spike

<220320232047209922%Kuypers@address.invalid>

https://www.novabbs.com/computers/article-flat.php?id=6281&group=comp.sys.raspberry-pi#6281

Path: i2pn2.org!i2pn.org!news.alphanet.ch!alphanet.ch!.POSTED!Kuypers
From: Kuyp...@address.invalid (Jean-Pierre Kuypers)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 20:47:20 +0100
Organization: Posted through news.alphanet.ch
Message-ID: <220320232047209922%Kuypers@address.invalid>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff> <MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net> <SMRew8IVlaGkFwYj@ku.gro.lloiff> <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com> <xj3QuyCw$wGkFw$9@ku.gro.lloiff> <slrnu1mmdi.2ci.jj@iridium.wf32df>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Info: shakotay.alphanet.ch; posting-account="kuypers";
logging-data="23864"; mail-complaints-to="usenet@alphanet.ch"; posting-host="a9183427da4cdd04e3f64f270bac09f8.nnrp.alphanet.ch"
User-Agent: Thoth/1.9.1F (Mac OS X)
Cancel-Lock: sha256:E/kb4tE5gUX23vdu7Cz78ZN3j7a4T2htrOFdAuFVrS0=
X-Face: GI\+Qjzy|+pI?Iv#Z`q8>9B.lMEdYivZtgHz]H]a,L<<=~W^2~~#9#'jQ>p$nD|%Q4vQ<7-|hS`p%
Mail-Copies-To: nobody
 by: Jean-Pierre Kuypers - Wed, 22 Mar 2023 19:47 UTC

In article (Dans l'article) <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim
Jackson <jj@franjam.org.uk> wrote (écrivait) :

> Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}

What about "crontab -l"?

--
Jean-Pierre Kuypers

Re: Network Usage Spike

<tvfneg$p2av$3@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=6282&group=comp.sys.raspberry-pi#6282

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 20:12:00 +0000
Organization: A little, after lunch
Lines: 16
Message-ID: <tvfneg$p2av$3@dont-email.me>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff> <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff> <slrnu1mmdi.2ci.jj@iridium.wf32df>
<220320232047209922%Kuypers@address.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 22 Mar 2023 20:12:00 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="51a1b963dbd9ec9d052cb6cc0174baab";
logging-data="821599"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19rOpNzMetJ0cZCvjzjkEZ0R3/UFztLThA="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.8.0
Cancel-Lock: sha1:GT/TaJIeKIJvfRWtjppoGlB/5Cc=
In-Reply-To: <220320232047209922%Kuypers@address.invalid>
Content-Language: en-GB
 by: The Natural Philosop - Wed, 22 Mar 2023 20:12 UTC

On 22/03/2023 19:47, Jean-Pierre Kuypers wrote:
> In article (Dans l'article) <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim
> Jackson <jj@franjam.org.uk> wrote (écrivait) :
>
>> Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
>
> What about "crontab -l"?
>
That only shows the jobs running under the inquirer's UID.

--
All political activity makes complete sense once the proposition that
all government is basically a self-legalising protection racket, is
fully understood.

Re: Network Usage Spike

<gxg0a7QtM2GkFw84@ku.gro.lloiff>

https://www.novabbs.com/computers/article-flat.php?id=6283&group=comp.sys.raspberry-pi#6283

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail
From: bull...@ku.gro.lioff (Adrian)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 20:21:01 +0000
Organization: Occasionally
Lines: 35
Message-ID: <gxg0a7QtM2GkFw84@ku.gro.lloiff>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff> <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff> <slrnu1mmdi.2ci.jj@iridium.wf32df>
Reply-To: Adrian <bulleid@ffoil.org.uk>
MIME-Version: 1.0
Content-Type: text/plain;charset=us-ascii;format=flowed
Injection-Info: dont-email.me; posting-host="45b5550fcc2d8beb5b0652df4a4664d1";
logging-data="827233"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+eNNVhnuyrHAv2VN4keN2MXTBmVUW5bEk="
User-Agent: Turnpike/6.07-M (<LD8zP1aD$wD11EsePd9aFWzHrm>)
Cancel-Lock: sha1:93an+T5EoqTrg0twWvqeaSDBFDM=
 by: Adrian - Wed, 22 Mar 2023 20:21 UTC

In message <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim Jackson
<jj@franjam.org.uk> writes
>Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
>

Thanks

Ah.

$ ls -lrt /etc/cron.daily
....
-rwxr-xr-x 1 root root 1478 Jun 10 2021 apt-compat

Which appears to run /usr/lib/apt/apt.systemd.daily

>both cron and anacron syslog messages indicating when they run jobs in
>those directories.
>

In /var/log/syslog, I get :

Mar 22 15:40:21 pi5 PackageKit: refresh-cache transaction /30_cbeebbce
from uid 1000 finished with success after 3718ms
Mar 22 15:40:32 pi5 PackageKitL get-updates transaction /31_dacabccd
from uid 1000 finished with success after 10649ms

I think that explains it.

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.
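
The syslog check suggested by Jim Jackson and carried out in the post above, as an added example that is not part of any post in this thread: a small shell function that lists which programs logged within a few minutes of a traffic spike. The function name `syslog_near` and the sample log lines are constructed for illustration; the lines are modelled on the PackageKit entries quoted above.

```shell
#!/bin/sh
# Added example: which programs wrote to syslog around a traffic spike?
# Expects traditional syslog lines: "Mon DD HH:MM:SS host tag[pid]: message".

# syslog_near FILE "Mon DD" HH:MM WINDOW_MINUTES
# Prints "count tag" per program that logged within +/- WINDOW_MINUTES.
syslog_near() {
    awk -v day="$2" -v at="$3" -v win="$4" '
    BEGIN {
        split(day, d, " "); split(at, t, ":")
        centre = t[1] * 60 + t[2]            # spike time, minutes since midnight
    }
    $1 == d[1] && $2 + 0 == d[2] + 0 {       # same month and day ("Mar  2" == "Mar 2")
        split($3, hms, ":")
        diff = hms[1] * 60 + hms[2] - centre
        if (diff < 0) diff = -diff
        if (diff > win) next
        tag = $5
        sub(/\[[0-9]+\]:?$/, "", tag)        # "CRON[2101]:" -> "CRON"
        sub(/:$/, "", tag)                   # "PackageKit:" -> "PackageKit"
        seen[tag]++
    }
    END { for (p in seen) printf "%d %s\n", seen[p], p }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (not real output from the poster's machine).
sample_syslog() {
    cat <<'EOF'
Mar 22 01:15:02 pi5 systemd[1]: Starting Daily apt download activities...
Mar 22 15:17:01 pi5 CRON[2101]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Mar 22 15:40:21 pi5 PackageKit: refresh-cache transaction /30_cbeebbce from uid 1000 finished with success after 3718ms
Mar 22 15:40:32 pi5 PackageKit: get-updates transaction /31_dacabccd from uid 1000 finished with success after 10649ms
Mar 22 15:42:10 pi5 dhcpcd[512]: eth0: Router Advertisement from fe80::1
Mar 23 15:41:00 pi5 CRON[3000]: (root) CMD (true)
EOF
}

# Demo: programs active within 2 minutes of the 15:41 spike on Mar 22.
tmp=$(mktemp)
sample_syslog > "$tmp"
syslog_near "$tmp" "Mar 22" 15:41 2
rm -f "$tmp"
```

On a live system the first argument would be /var/log/syslog; the window does not wrap across midnight.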

Re: Network Usage Spike

<slrnu1mrjm.2ci.jj@iridium.wf32df>

https://www.novabbs.com/computers/article-flat.php?id=6284&group=comp.sys.raspberry-pi#6284

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail
From: jj...@franjam.org.uk (Jim Jackson)
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Network Usage Spike
Date: Wed, 22 Mar 2023 21:09:10 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 32
Message-ID: <slrnu1mrjm.2ci.jj@iridium.wf32df>
References: <GJva8FPHILGkFwrp@ku.gro.lloiff>
<MTq*cJJbz@news.chiark.greenend.org.uk> <k7thkjFc02dU3@mid.individual.net>
<SMRew8IVlaGkFwYj@ku.gro.lloiff>
<ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>
<xj3QuyCw$wGkFw$9@ku.gro.lloiff> <slrnu1mmdi.2ci.jj@iridium.wf32df>
<gxg0a7QtM2GkFw84@ku.gro.lloiff>
Injection-Date: Wed, 22 Mar 2023 21:09:10 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="ea1577fec541f19ff759f0cddad3af71";
logging-data="840095"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/N3fjuCdVToQhXGjZqQclKVfgylnhPq3w="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:kgcX4OVo9RHcrjATqDlXKW22rI4=
 by: Jim Jackson - Wed, 22 Mar 2023 21:09 UTC

On 2023-03-22, Adrian <bulleid@ku.gro.lioff> wrote:
> In message <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim Jackson
><jj@franjam.org.uk> writes
>>Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
>>
>
> Thanks
>
> Ah.
>
> $ ls -lrt /etc/cron.daily
> ...
> -rwxr-xr-x 1 root root 1478 Jun 10 2021 apt-compat
>
> Which appears to run /usr/lib/apt/apt.systemd.daily
>
>
>>both cron and anacron syslog messages indicating when they run jobs in
>>those directories.
>>
>
> In /var/log/syslog, I get :
>
> Mar 22 15:40:21 pi5 PackageKit: refresh-cache transaction /30_cbeebbce
> from uid 1000 finished with success after 3718ms
> Mar 22 15:40:32 pi5 PackageKitL get-updates transaction /31_dacabccd
> from uid 1000 finished with success after 10649ms
>
> I think that explains it.
>

Glad to have helped!
