OT: Why is my PC uploading 15Gb per day to the internet

Am having a bit of a panic over this...

I recently upgraded my router firmware to the OpenSource DD-WRT and consequently I now have a lot more information available to me than previously about my home network. One of the features that DD-WRT provides is a daily log of the amount of data the router uploads and downloads to the internet, and I'm gobsmacked to find out that over the fortnight or so since I've installed DD-WRT, I've apparently been uploading data at a rate varying between 5 and 15 Gb per day.

I can't think of any legit reason for this; eg although we have bittorrent here nobody's apparently been using it recently; nobody's been sending out massive emails or conducting huge file transfers to Dropbox or anything.

I run Avast antivirus and Malwarebytes antimalware (free versions) and neither has found anything untoward.

There are a lot of internet-linked devices and users here (computers, smartphones, iPad, TV, VirginMedia box etc) so difficult to pin down the culprit; that said, my desktop PC seems to spend an inordinate amount of time accessing its HDD, which I'd put down to Windows indexing...

I'm sure there must be a sinister explanation for this and Would be very grateful for advice from the experts as to where to go from here. Google ain't helping!

David

Reply to
Lobster
Loading thread data ...

I'm by no means an expert, but if your torrent software is still running then it's entirely possible that you're uploading even though you haven't downloaded anything for some time. But this is so obvious that I'm sure you must have considered it.

Good luck in sorting this out.

Reply to
Bert Coules

I'm by no means an expert, but if your torrent software is still running then it's entirely possible that you're uploading even though you haven't downloaded anything for some time. But this is so obvious that I'm sure you must have considered it.

Good luck in sorting this out.

Reply to
Bert Coules

First thing I would do is to go through your router status and make sure that you recognise *all* the devices that are using it for internet connections. It's possible that a neighbour is using your connection and sharing torrents or whatever. This is why it's fairly important to either rename all of your own devices for the purposes of recognising them on your router "status" pages, or at least keep a list of their MAC addresses.

Then, just to be sure, I'd disconnect every device from your router. Best practise in my opinion is to change the WIFI password, this will disconnect any outsider plus all of your own devices, it'll make sure there's not a device somewhere that you've forgotten, and it also means you can re-connect all *your* devices one at a time (while checking the logs) until you find which device is using all that bandwidth. Personally, I use MAC "whitelist" filtering on the router, which means that *only* the devices I put on the whitelist are allowed to connect to the router, everything else gets refused. It can be a pain to keep adding new devices as and when I buy them but it means that even if someone else knows my WIFI password, they can't use my broadband. May also be worth at this point, changing the master login details for the router.

Once you've found the culprit, it should be a simple job to find out what's uploading all that data. Xbox or PS3 perhaps?

Reply to
Mentalguy2k8

Have you checked whether bittorrent is running in the background (its default mode)? Even if *you're* not using it your PC is still part of a network and other folk may be downloading stuff from your PC.

Tim

Reply to
Tim+

If you look at your network adaptor status, it should show you the amount of data is has transferred since it was started (so when the PC was rebooted) start by looking at that, to see if this could be the culprit - but as Bert has said, it the torrent software is running (they are usually defaulted to starting themselves when the PC boots, and sitting in the system tray, near the clock) this could be the culpret here.

Reply to
Toby

In other words one might still be "seeding" a torrent and have forgotten to remove it from the uTorrent (or whatever) software

Reply to
stuart noble

Do you have a torrent client on the machine perhaps?

Brian

Reply to
Brian Gaff

I do hope you let us know the culprit to help others. Do you have Voip?

Brian

Reply to
Brian Gaff

That's quite a lot of data, and with my lack of knowledge about your VirginMedia box, I would investigate how much data it requires. I would have thought it would effectively bypass the router and so not be truly connected to your home network.

In times like this I use Wireshark to check how much and where data is being requested and sent to. It's best on wired networks as most wireless adaptors don't allow promiscuous mode where all wireless packets can be intercepted.

As others have suggested a torrent client could easily be the culprit.

Do let us know how you get on.

Reply to
Fredxx

could be Music, eg Spotify uploads as necessary

rusty

Reply to
therustyone

Have you considered the possibility that your new router firmware may be lying? Do you have any independent corroboration that this amount of data is *actually* being transmitted? What is your upload speed, and how long would it take to transmit 15GB?

Does your ISP provide a usage log? If so, what does that say? Does your ISP impose a monthly bandwidth limit? If so, what is it? It must be pretty generous if you're *really* using 15GB per day without exceeding it. My limit is 10GB per *month* and I never get close to it!

Reply to
Roger Mills

Well a torrent client would be a likely culprit, but probably easier to get a bit scientific on it and find out for sure....

Looking at the network adaptor status in widows control panel will show you the amount of data moved over that particular interface since boot or last reconfiguration of it. So if a PC has been on a day, and only shows a small amount of uplink activity, then its a good indication its not that one. If it does show a large amount of traffic, then remember this is all information sent, including stuff to other devices on your lan etc.

Another quick check is to run task manager and look at the networking tab. That will show a graph of network activity for the machine over the recent minutes. You can change the scroll speed to get a longer average if you want.

Other "quick indication" tests would come from looking at your network switch status LEDs. If one is being hammered far more than the others, then follow that wire to the machine on the other end.

Now open a command prompt and type:

netstat -a

that will list all the open TCP/IP end points. On a normal windows machine in a lan you should seem perhaps 10 or so listening sockets - most not connected. Any established connections ought to be obvious based on what you have open software wise (i.e. email, web browser etc).

Something like:

Proto Local Address Foreign Address State TCP tallboy:http tallboy:0 LISTENING TCP tallboy:epmap tallboy:0 LISTENING TCP tallboy:microsoft-ds tallboy:0 LISTENING TCP tallboy:1028 tallboy:0 LISTENING TCP tallboy:2559 tallboy:0 LISTENING TCP tallboy:4048 localhost:4049 ESTABLISHED TCP tallboy:4049 localhost:4048 ESTABLISHED TCP tallboy:netbios-ssn tallboy:0 LISTENING TCP tallboy:1834 fa-in-f104.1e100.net:https TIME_WAIT TCP tallboy:1835 we-in-f103.1e100.net:https ESTABLISHED TCP tallboy:4044 192.168.1.5:microsoft-ds ESTABLISHED TCP tallboy:4055 tallboy:http CLOSE_WAIT TCP tallboy:4059 mailex.mailcore.me:imap ESTABLISHED TCP tallboy:4060 mailex.mailcore.me:imap ESTABLISHED

If you see connections that look unexpected (i.e. to hosts you don't recognise, or using unexpected protocols) then you can find out which executables on your computer are using those connections with:

netstat -b

(of if you need more infomation, then use -vb)

Reply to
John Rumm

Yes, Wireshark can be very useful. One thing to watch out for on modern network switches is that they partition traffic at layer 2 once they have learnt the MAC addresses of the equipment they are serving. Hence you can find it difficult to see all the traffic flowing on the whole LAN since packets moving from ports A to B may never appear on port C. (a pain if you monitoring from port C)

There are ways to defeat this and snoop on everything though. One would be if you have either a router or a managed switch that will allow LAN port mirroring. This can allow you to direct all the traffic intended for one port to also be mirrored at another even if it would not normally be directed there.

I also keep and old 10 Mbps ethernet hub around (i.e. a dumb device that echos everything on each port to all the others). If you can cope with the loss of throughput on the link you are testing its an easy way to break into a connection close to an end point router.

Another trick is with a multihomed PC (i.e. one with two physical network cards). Plug you lan into one, and the the router into the other such that the PC is the only connection between LAN and router. Configure one or more of the NICs manually if required (you may only be able to DHCP on one of them). Now in the windows network connections dialogue, CTRL Click on both adaptors, and then right click and select "Bridge Connections". This will bridge them together at layer 2 to make them look like a transparent connection at the IP layer. This will create a new virtual network adaptor that you can now wireshark, and that will have all the traffic.

(The last trick can also be used to bridge wired and wireless network adaptors).

Reply to
John Rumm

Thanks very much to all the respondents. I feel a bit of a muppet now posting back with the outcome, but it's only polite....

So I started investigating this morning, working my way round the various devices on my network. I got to the PC of my 19-year-old in his room, as he emerged from his pit about mid-day, and asked to inspect it. He'd already assured me last night he hadn't been using bittorrent etc for ages, so the problem couldn't be that.

First thing I find? Utorrent icon in the task bar. "So what the bloody hell's that then?" "Oh. Yeah, sorry, forgot it was running. Whatever". He'd downloaded something with it a while back apparently, and left it seeding. Better yet, upon looking at it I find that he's got the damned thing set to unlimited upload/download speed, so for however long he's been chucking gigabytes of data up my broadband connection, which fortunately(?) is a VM unlimited package. I know VM throttle your connection if you overuse it; maybe they focus on d/l rather than u/l? Fortunately he's only got a wifi connection, or God knows how much worse it would have been.

We have had words.

Thanks again all

Reply to
Lobster

I've done the same thing a few times myself, and I'm a lot older than 19! VM is so bloody fast these days that you probably wouldn't notice it being throttled anyway

Reply to
stuart noble

Setting up several SSIDs on the wifi with different levels of service is a way around this... ;-)

Reply to
John Rumm

And calling the internet one " police mobile unit" is a great way to stop people using it.

Reply to
Jethro_uk

Thanks, never come across that one before. I use ipconfig and ping (and tracert, when I can remember it). This prompted me to look for a list of other command utilities and I found this useful reminder.

formatting link

Reply to
newshound

Hey! You been sniffing my wi-fi?

Nick aka Police Surveillance Unit No 3

Reply to
Nick Odell

HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.