Incoming and outgoing traffic when NOTHING is running


Those packets you are seeing are regular multicast services (and while the process is similar to broadcast packets, they are not broadcasts per se); their output traffic in the network is also (usually) negligible.

Actually, not only do you see traffic generated by yourself, you also see traffic for those addresses generated by other machines on your network.

  • 224.0.0.1 is all-systems.mcast.net

By default, all (Linux) servers announce themselves in the network multicasting to 224.0.0.1 regularly, for reporting to nearby routers they are able to talk multicast. These packets should be the Linux kernel sending them.

  • 224.0.0.251 is mDNS

As for 224.0.0.251, it is used by Avahi/zeroconf for service announcement and discovery.

Avahi is a free zero-configuration networking (zeroconf) implementation, including a system for multicast DNS/DNS-SD service discovery.

see Cisco - Introduction to multicast

see also TLDP - Multicast over TCP/IP HOWTO

Class D Address - Multicast address / 224.0.0.0 - 239.255.255.255

o 224.0.0.1 is the all-hosts group. If you ping that group, all multicast capable hosts on the network should answer, as every multicast capable host must join that group at start-up on all its multicast capable interfaces.

As for seeing packets that are not for you, you are supposed to listen to broadcasts and multicast packets/announcements as they are (normally) sent to all stations. There are nuances, which I will not delve into here. See the introductions I am linking.

Lastly, while iftop sees the traffic, it is not responsible for generating it.

You can also see the multicast groups the server belongs to with:

netstat -g

Lastly, not having regular users/your user running programs does not mean the system is doing nothing. Linux is a multi-user/multi-tasking system, and there are a lot of housekeeping functions happening in the background.
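As an added example (not part of the original answer), the per-interface group memberships can also be read from the Linux kernel's /proc/net/igmp table, where each group is printed as a native-endian hex integer. The sketch below decodes that table and flags anything other than the all-hosts group; the function names, the allow-list and the embedded sample are assumptions made for illustration.

```python
import ipaddress
import sys

# Names for the two groups discussed in the answer above.
KNOWN_GROUPS = {
    "224.0.0.1": "all-systems.mcast.net (all hosts)",
    "224.0.0.251": "mDNS (Avahi/zeroconf)",
}

# Constructed sample in the layout of /proc/net/igmp on a little-endian host.
SAMPLE = (
    "Idx\tDevice    : Count Querier\tGroup    Users Timer\tReporter\n"
    "1\tlo        :     1      V3\n"
    "\t\t\t\t010000E0     1 0:00000000\t\t0\n"
    "2\teth0      :     2      V3\n"
    "\t\t\t\tFB0000E0     1 0:00000000\t\t0\n"
    "\t\t\t\t010000E0     1 0:00000000\t\t0\n"
)

def parse_igmp(text, byteorder=sys.byteorder):
    """Return [(device, group_ip, label)] from /proc/net/igmp content."""
    memberships, device = [], None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if line[0].isdigit():                   # interface row, e.g. "2 eth0 : 2 V3"
            device = fields[1].rstrip(":")
            continue
        # Group row: the address is printed as a native-endian integer in hex,
        # so converting it back with the host byte order yields network order.
        raw = int(fields[0], 16).to_bytes(4, byteorder)
        group = str(ipaddress.IPv4Address(raw))
        memberships.append((device, group, KNOWN_GROUPS.get(group, "unlisted group")))
    return memberships

def unexpected(memberships, allowed=frozenset({"224.0.0.1"})):
    """Memberships outside an allow-list; every multicast host joins 224.0.0.1."""
    return [m for m in memberships if m[1] not in allowed]

if __name__ == "__main__":
    try:
        with open("/proc/net/igmp") as fh:
            data, order = fh.read(), sys.byteorder
    except OSError:                             # not Linux: use the constructed sample
        data, order = SAMPLE, "little"
    for dev, group, label in parse_igmp(data, order):
        print(f"{dev:<10} {group:<15} {label}")
```

A membership reported by `unexpected()` points at a local service that joined the group, which is how the 224.0.0.251 line traces back to a running mDNS daemon.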


Author: bunden

Updated on September 18, 2022

Comments

  • bunden
    bunden over 1 year

    In a system with nothing running (at least nothing I know of), listening for incoming and outgoing traffic prints this output:

    192.168.1.1              => all-systems.mcast.net             0b     26b     19b
                             <=                                   0b      0b      0b
    192.168.1.2              => 224.0.0.251                     128b     26b     19b
                             <=                                   0b      0b      0b
    

    (sometimes it doesn't show just 26b or 128b, but instead jumps to big numbers like there's actual information being sent)

    What is the meaning of this?

    192.168.1.1 is the gateway, my router

    192.168.1.2 is me, my machine

    But who is all-systems.mcast.net?? Also who is 224.0.0.251?? And more importantly, why are there packets being sent?

    Found this: https://davidsimpson.me/2015/11/16/why-is-my-machine-contacting-all-systems-mcast-net/ But I'm running no DLNA server. So who am I broadcasting to?

    One last (and also important question) is: I can understand 192.168.1.2 contacting with something, and I can understand 192.168.1.1 contacting with me, but I can't understand why I am seeing 192.168.1.1 in contact with all-systems.mcast.net, so how is it possible that monitoring my machine shows traffic from my router that is not being sent to me? I shouldn't be able to see that, right?

    The utility I am using is:

       iftop - display bandwidth usage on an interface by host
    

    Utilities tcptrack and netstat show nothing at all. Therefore the only plausible explanation is that this utility is the one responsible for that traffic??


    Question UPDATE

    So there's this multicast stuff apparently integrated in the kernel of my system and also in my router with a very rudimentary system of question & answer, a timer, once every 60 seconds. I don't quite understand why, and after some good people have tried to explain it to me, I don't think I ever will. So I would like to turn it off. Is it possible?

    • ErikF
      ErikF about 6 years
      Could you show the results of ps aux? My guess is that you are running avahi-daemon or some mDNS client, but it could be another service.
    • bunden
      bunden about 6 years
      @ErikF yes I'm running avahi-daemon. I've been reading about what Avahi does but it didn't clarify anything for me. I still don't understand a thing. Could you give me a few more hints on how a mDNS daemon relates to my questions?
    • ErikF
      ErikF about 6 years
      mDNS uses multicast addresses to implement "zero configuration" which allows you to locate resources on your network: multicast addresses are like broadcast addresses but are opt-in for interested hosts. Check the linked articles for more information, as they're out of scope to the original question.
  • bunden
    bunden about 6 years
    Good answer. I killed avahi and got rid of the second line in iftop. Still one line to get rid of :D. Could you give me a simple explanation about the relationship between 192.168.1.1 (router) and all-systems.mcast.net? Could it be wifi related? I am not very smart and these "introductions" you've linked are more like books written in Chinese for me.
  • Rui F Ribeiro
    Rui F Ribeiro about 6 years
    @bunden not wifi related. I wrote "By default, all (Linux) servers announce themselves in the network multicasting to 224.0.0.1 regularly, also for reporting to nearby routers they are able to talk multicast." and that is the kernel doing that. You can try to disable multicast in your interfaces, sudo ifconfig eth0 -multicast but while that machine will stop sending all-systems.mcast.net, you will still see it from other machines in the network.
  • Rui F Ribeiro
    Rui F Ribeiro about 6 years
    Corrected the wording about all-systems.mcast.net
  • bunden
    bunden about 6 years
    Tried sudo ifconfig eth0 -multicast but it didn't work. Avahi removal didn't actually work either. I still see the two packets from the original post plus a new one from Google DNS servers :/
  • Rui F Ribeiro
    Rui F Ribeiro about 6 years
    @bunden as I implied before, multicast is sent to all neighbours, and whilst you stop sending, you keep seeing the other machines unless you filter for the source of your IP address
  • bunden
    bunden about 6 years
    So somehow -not sure HOW- I'm listening to all-systems.mcast.net, which is kind of a subnetwork inside my router, right? and that's why I see traffic from 192.168.1.1 to all-systems.mcast.net, because I AM all-systems.mcast.net or at least I'm "connected" to it or inside its "group". 192.168.1.1 is asking 224.0.0.1: is anyone there? and I am replying to another address (224.0.0.251), not sure why. Shouldn't I reply to 224.0.0.1? I don't think I am interested in multicast traffic, I don't even know what multicast is, so can't I just turn it off? Let's get rid of this thing I can't comprehend.
  • bunden
    bunden about 6 years
    There are no other machines!!
  • Rui F Ribeiro
    Rui F Ribeiro about 6 years
    @bunden mobile phones, the router itself...what is the source IP of the packets that you still see?