constant traffic

Hi,
I just set up my wireless network at home and am thinking of basic security
issues. I'm concerned to see a constant 1000 bytes per second going both
ways along the Wireless Network Connection. Is this normal polling or
something possibly sinister ? I renamed the default network and added a WEP
encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL modem
and a single PCMCIA card also from D-LINK. I have my Desktop hardwired to
the Router, but the same traffic is seen even when that's powered down.
Thanks for your help...

There is no background traffic in wifi that would consume 8kbps (8
kilobits/sec :-). There is beaconing going on in an idle net, but really
short frames 10 times a second.

What are you looking at that tells you you have 8kb/s (8 kilobits/sec :-)
in the background?

"boots" <(E-Mail Removed)> wrote in message
news:aBAqb.3$(E-Mail Removed)...
> Hi,
> I just set up my wireless network at home and am thinking of basic
security
> issues. I'm concerned to see a constant 1000 bytes per second going both
> ways along the Wireless Network Connection. Is this normal polling or
> something possibly sinister ? I renamed the default network and added a
WEP
> encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL
modem
> and a single PCMCIA card also from D-LINK. I have my Desktop hardwired to
> the Router, but the same traffic is seen even when that's powered down.
> Thanks for your help...
>
>

I hard-wired the laptop to the router and problem persists (So I'm probably
in the wrong newsgroup). It shows now as about 4 packets a second. I scanned
for viruses - none found.
To answer Gary's question, it shows in network connections/right click on
wireless connection/status/Activity. If I disconnect Internet
Connection/Internet Gateway it ceases. If I connect that again, it starts up
again. (I have 2 connections in Network Connections - Internet Connection
and Wireless Network Connection) NETSTAT doesnt show any foreign
connections.
"gary" <(E-Mail Removed)> wrote in message
newsaBqb.2088$(E-Mail Removed) ...
> There is no background traffic in wifi that would consume 8kbps (8
> kilobits/sec :-). There is beaconing going on in an idle net, but really
> short frames 10 times a second.
>
> What are you looking at that tells you you have 8kb/s (8 kilobits/sec :-)
> in the background?
>
> "boots" <(E-Mail Removed)> wrote in message
> news:aBAqb.3$(E-Mail Removed)...
> > Hi,
> > I just set up my wireless network at home and am thinking of basic
> security
> > issues. I'm concerned to see a constant 1000 bytes per second going both
> > ways along the Wireless Network Connection. Is this normal polling or
> > something possibly sinister ? I renamed the default network and added a
> WEP
> > encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL
> modem
> > and a single PCMCIA card also from D-LINK. I have my Desktop hardwired
to
> > the Router, but the same traffic is seen even when that's powered down.
> > Thanks for your help...
> >
> >
>
>

The activity panel shows packets/sec. How did you get to 1000 bytes/sec?
Just curious.

Actually, I looked up the beacon frame, and minimum-sized frames at 10/sec
actually could consume 4kbps. But it would not show up in the activity panel
or netstat. The beacons are received by the adapter and never passed to the
driver.

Anyway, it sounds innocent. If you really want to know what it is, goto

http://www.ethereal.com/

and install Ethereal. It's a free network analyzer that will let you trap
all of your TCP/IP traffic.

"boots" <(E-Mail Removed)> wrote in message
news:FRVqb.2$(E-Mail Removed)...
> I hard-wired the laptop to the router and problem persists (So I'm
probably
> in the wrong newsgroup). It shows now as about 4 packets a second. I
scanned
> for viruses - none found.
> To answer Gary's question, it shows in network connections/right click on
> wireless connection/status/Activity. If I disconnect Internet
> Connection/Internet Gateway it ceases. If I connect that again, it starts
up
> again. (I have 2 connections in Network Connections - Internet Connection
> and Wireless Network Connection) NETSTAT doesnt show any foreign
> connections.
> "gary" <(E-Mail Removed)> wrote in message
> newsaBqb.2088$(E-Mail Removed) ...
> > There is no background traffic in wifi that would consume 8kbps (8
> > kilobits/sec :-). There is beaconing going on in an idle net, but really
> > short frames 10 times a second.
> >
> > What are you looking at that tells you you have 8kb/s (8 kilobits/sec
:-)
> > in the background?
> >
> > "boots" <(E-Mail Removed)> wrote in message
> > news:aBAqb.3$(E-Mail Removed)...
> > > Hi,
> > > I just set up my wireless network at home and am thinking of basic
> > security
> > > issues. I'm concerned to see a constant 1000 bytes per second going
both
> > > ways along the Wireless Network Connection. Is this normal polling or
> > > something possibly sinister ? I renamed the default network and added
a
> > WEP
> > > encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL
> > modem
> > > and a single PCMCIA card also from D-LINK. I have my Desktop hardwired
> to
> > > the Router, but the same traffic is seen even when that's powered
down.
> > > Thanks for your help...
> > >
> > >
> >
> >
>
>

What you are seeing may be Spanning Tree Protocol (a network bridging
protocol that prevents loops) in action. I don't know if the Linksys
wireless routers use it or not, but their wireless access points do. I have
a WAP54G, and it sends out a 60 byte STP packet every two seconds like
clockwork, also causing activity lights to blink constantly on that network
segment. Like another poster said, get Ethereal, install and run it, and
you will be able to see what's going on. I too was concerned when I first
set up the WAP, seeing the constant traffic.

Steve H.


"boots" <(E-Mail Removed)> wrote in message
news:aBAqb.3$(E-Mail Removed)...
> Hi,
> I just set up my wireless network at home and am thinking of basic
security
> issues. I'm concerned to see a constant 1000 bytes per second going both
> ways along the Wireless Network Connection. Is this normal polling or
> something possibly sinister ? I renamed the default network and added a
WEP
> encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL
modem
> and a single PCMCIA card also from D-LINK. I have my Desktop hardwired to
> the Router, but the same traffic is seen even when that's powered down.
> Thanks for your help...
>
>

If your router claims to support 802.1d, it almost certainly does send STP
frames. But these are processed entirely at the MAC, and normally would not
be sent up the stack (they're not IP). I'd be surprised if they showed up in
the activity pane packet count - wireless beacons are similar, and they
don't appear in the packet count.

BTW, if you install Ethereal, you may not be able to use it in promiscuous
mode with your wifi adapter. Check the Ethereal and WinPcap web sites for
more information.

"Steve" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What you are seeing may be Spanning Tree Protocol (a network bridging
> protocol that prevents loops) in action. I don't know if the Linksys
> wireless routers use it or not, but their wireless access points do. I
have
> a WAP54G, and it sends out a 60 byte STP packet every two seconds like
> clockwork, also causing activity lights to blink constantly on that
network
> segment. Like another poster said, get Ethereal, install and run it, and
> you will be able to see what's going on. I too was concerned when I first
> set up the WAP, seeing the constant traffic.
>
> Steve H.
>
>
> "boots" <(E-Mail Removed)> wrote in message
> news:aBAqb.3$(E-Mail Removed)...
> > Hi,
> > I just set up my wireless network at home and am thinking of basic
> security
> > issues. I'm concerned to see a constant 1000 bytes per second going both
> > ways along the Wireless Network Connection. Is this normal polling or
> > something possibly sinister ? I renamed the default network and added a
> WEP
> > encryption key, but it persists. I have a D-Link DSL-604+ Router/ADSL
> modem
> > and a single PCMCIA card also from D-LINK. I have my Desktop hardwired
to
> > the Router, but the same traffic is seen even when that's powered down.
> > Thanks for your help...
> >
> >
>
>

"Steve" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> What you are seeing may be Spanning Tree Protocol (a network bridging
> protocol that prevents loops) in action

no, he allready said its TCP/IP traffic
Not ARP not STP nor 80.211 beacons
Its some kind of Virus trojan , just too new for scanners

Pozdrawiam.
--
RusH // [502-20-14-27 tylko SMS]
http://kiti.pulse.pdi.net/qv30/ <-- to prawdziwy ja
Pent-up passive-aggressive dork alert! Whoop! Whoop!
Whoop! Whoop! Boy, you're really lighting up this alarm here!

Further testing:
Restored to clean winXP image, re-installed hardware and drivers, traffic
persists, therefore not a virus.
Installed Ethereal. Traced for 36 seconds. Observed only TCP and HTTP frames
beween 192.168.0.1 and 192.168.0.2. 63,000 bytes in all.
If this is benign, there's an awful lot of it.
If anyone wants to have a look:
http://www.wigg.dircon.co.uk/trace.txt

"RusH" <(E-Mail Removed)> wrote in message
news:Xns942E6402AA176RusHcomputersystems@193.110.1 22.80...
> "Steve" <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> > What you are seeing may be Spanning Tree Protocol (a network bridging
> > protocol that prevents loops) in action
>
> no, he allready said its TCP/IP traffic
> Not ARP not STP nor 80.211 beacons
> Its some kind of Virus trojan , just too new for scanners
>
> Pozdrawiam.
> --
> RusH // [502-20-14-27 tylko SMS]
> http://kiti.pulse.pdi.net/qv30/ <-- to prawdziwy ja
> Pent-up passive-aggressive dork alert! Whoop! Whoop!
> Whoop! Whoop! Boy, you're really lighting up this alarm here!

On Mon, 10 Nov 2003 21:39:32 -0000, in alt.internet.wireless , "boots"
<(E-Mail Removed)> wrote:

>Further testing:
>Restored to clean winXP image, re-installed hardware and drivers, traffic
>persists, therefore not a virus.
>Installed Ethereal. Traced for 36 seconds. Observed only TCP and HTTP frames
>beween 192.168.0.1 and 192.168.0.2. 63,000 bytes in all.

These addresses are both on your lan. So what do both machines have
in common, and what port is that data being transferred on? Maybe both
Windows machines having a netbios chat, exchanging conversations about
who is the manager of the local network?


Mark McIntyre

I looked at your trace file. It appears to be embedded in a SOAP envelope,
and I can't display it properly, but after slogging through the XTML it
looks to me like there are periodic connection keepalives associated with a
Mozilla agent.

Disable keepalive. No, I don't know how to do that. Do a Yahoo or Google
advanced search on "mozilla keepalive". You should see dozens of hits
complaining about keepalive consuming cpu, delaying file opens, etc. At
least a few should explain how to turn it off.

BTW, trace.txt didn't look like any kind of ethereal output I've ever seen.
How did you create it?

"boots" <(E-Mail Removed)> wrote in message
newsATrb.4$(E-Mail Removed)...
> Further testing:
> Restored to clean winXP image, re-installed hardware and drivers, traffic
> persists, therefore not a virus.
> Installed Ethereal. Traced for 36 seconds. Observed only TCP and HTTP
frames
> beween 192.168.0.1 and 192.168.0.2. 63,000 bytes in all.
> If this is benign, there's an awful lot of it.
> If anyone wants to have a look:
> http://www.wigg.dircon.co.uk/trace.txt
>
> "RusH" <(E-Mail Removed)> wrote in message
> news:Xns942E6402AA176RusHcomputersystems@193.110.1 22.80...
> > "Steve" <(E-Mail Removed)> wrote in
> > news:(E-Mail Removed):
> >
> > > What you are seeing may be Spanning Tree Protocol (a network bridging
> > > protocol that prevents loops) in action
> >
> > no, he allready said its TCP/IP traffic
> > Not ARP not STP nor 80.211 beacons
> > Its some kind of Virus trojan , just too new for scanners
> >
> > Pozdrawiam.
> > --
> > RusH // [502-20-14-27 tylko SMS]
> > http://kiti.pulse.pdi.net/qv30/ <-- to prawdziwy ja
> > Pent-up passive-aggressive dork alert! Whoop! Whoop!
> > Whoop! Whoop! Boy, you're really lighting up this alarm here!
>
>