Yamakasi Apprentice
Joined: 28 Sep 2002 Posts: 201
Posted: Sat Jun 14, 2003 7:20 pm Post subject: help, my isp invoices me twice more because of my bandwidth
Hello all,
My ISP is charging me twice the cost of my internet modem connection, because I have exceeded the bandwidth in upstream and downstream.
I'm pretty sure they are wrong. For example, my monthly usage report says that I have downloaded 1 gig of data in 4 days and uploaded about 477 meg of data.
Wtf!?!?! (sorry about my language, I'm so frustrated)
I have a Gentoo server which shares the internet modem cable connection (1.5) for my home LAN (4 computers). I have asked my bros and sis if they had downloaded a lot of stuff during this month, and they didn't...
So here is my question...
I need to monitor how much data goes through my server in download and upload
I need to know what site the data comes from
I need to know the day/month/year/hour/min/sec of the data that has been transferred
I need to know from which workstation the data has been transferred
What would be the best tool(s) to monitor all that?
Plz help, my ISP wants me to pay 92$ for this month...that's crazy
thx a lot
ps: sorry about my poor English, my first language is French

RagManX Apprentice
Joined: 13 Jul 2002 Posts: 220 Location: Tennessee
Posted: Sat Jun 14, 2003 8:34 pm
Not sure what tool/tools will give you everything you need, but start out with ntop (it is in portage) to watch how much talking is going on. I think it only gives running totals, but I haven't had much need for it, so I can't say for sure what all it does. I know it can give you up to date usage data, so that will get you started on your quest.
RagManX _________________ http://www.gamingideas.com/ - an open discussion site for game improvement and new game ideas

samokk Tux's lil' helper
Joined: 13 Jun 2003 Posts: 116 Location: Paris, France
Posted: Sat Jun 14, 2003 8:41 pm
RagManX wrote: | Not sure what tool/tools will give you everything you need, but start out with ntop (it is in portage) to watch how much talking is going on. I think it only gives running totals, but I haven't had much need for it, so I can't say for sure what all it does. I know it can give you up to date usage data, so that will get you started on your quest.
RagManX |
I think he's speaking about having something that gives the overall total. ntop (I haven't looked at it, but here's my first impression), on the other hand, is gonna give you information you can get using ifconfig interface / netstat etc
sam

elendur n00b
Joined: 14 Jun 2003 Posts: 9
Posted: Sun Jun 15, 2003 7:50 am
I think that MRTG does what you want.
"The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links."
From their web page:
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

samokk Tux's lil' helper
Joined: 13 Jun 2003 Posts: 116 Location: Paris, France

dfuse Guru
Joined: 07 Apr 2003 Posts: 395 Location: Belgium
Posted: Sun Jun 15, 2003 5:01 pm
About your upload amount... I worked a while for an ISP and lots of people have this problem, it always comes down to one thing: file sharing programs. I don't know what OSes your brothers and sisters are running, but a lot of Windows filesharing programs, like WinMX and IMesh, generate a constant upstream, even if you're doing nothing. Also a lot of people don't know you can disable filesharing with other people, or are even aware they are sharing their data with others (this may seem trivial to you, I don't know, but you really wouldn't believe how many people don't know this).

Yamakasi Apprentice
Joined: 28 Sep 2002 Posts: 201
Posted: Sun Jun 15, 2003 7:55 pm
thx samokk, I will see what I can do with Telemon
Quote: | About your upload amount... I worked a while for an ISP and lots of people have this problem, it always comes down to one thing: file sharing programs. I don't know what OSes your brothers and sisters are running, but a lot of Windows filesharing programs, like WinMX and IMesh, generate a constant upstream, even if you're doing nothing. Also a lot of people don't know you can disable filesharing with other people, or are even aware they are sharing their data with others (this may seem trivial to you, I don't know, but you really wouldn't believe how many people don't know this). |
dfuse, all the OSes on my LAN are Windows XP. They use file sharing, but everything is already disabled.
I was just thinking about something else. My bro is a big online multiplayer gamer. He spends days and nights playing Warcraft, Wolfenstein etc...
Do u know if online games could generate so much traffic??
Thx again all

dfuse Guru
Joined: 07 Apr 2003 Posts: 395 Location: Belgium
Posted: Sun Jun 15, 2003 9:08 pm
The upstream generated by games is negligible, they do autopatch sometimes but that doesn't generate that amount of download. I think you'll just have to monitor your network traffic and if you're really sure it isn't the amount your ISP says it is, call them. I know there was almost every month something wrong with the ISP's traffic monitor when I worked there.

Yamakasi Apprentice
Joined: 28 Sep 2002 Posts: 201
Posted: Fri Jun 20, 2003 10:33 am
I have emerged the tool called "iptraf". Pretty interesting tool. I also found pretty interesting packets which in my opinion get my bandwidth exceeded.
I'm not sure where they are from, that's why I need your opinions, guys....
Here is a little screenshot of iptraf (screenshot taken with XV, the only tool that I found to take window screenshots)
http://207.35.22.148/iptraf/iptraf_udp.gif
Iptraf has been installed on the gateway, and it's listening on ETH0, which is my WAN interface. My ISP is called "Videotron", using a cable modem connection (1.5 m/b). I'm using DHCP to get my IP from the ISP. I'm sharing my bandwidth with 4 workstations, all using Windows XP.
As you guys can see, I got a lot of UDP packets. These UDP packets come in every 2 sec all day long. It's like 377 byte each two seconds....(1000 byte=1 k, 1000k= 1 meg)
So in 2 days I can easily have 800 megs transferred on my eth0 interface...(it happened last week)
This morning, I checked my "ifconfig" and I have already received 394.7 meg on my eth0 (rx) with an uptime of 2 days
```
bash-2.05b# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:24:D1:2D:CC
          inet addr:66.131.65.152  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING PROMISC  MTU:1500  Metric:1
          RX packets:2216263 errors:0 dropped:0 overruns:0 frame:0
          TX packets:715157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:574 txqueuelen:100
          RX bytes:413889807 (394.7 Mb)  TX bytes:72073301 (68.7 Mb)
          Interrupt:11 Base address:0xdf00

eth1      Link encap:Ethernet  HWaddr 00:05:5D:E9:80:CE
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:587292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:720903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:52053821 (49.6 Mb)  TX bytes:717651231 (684.4 Mb)
          Interrupt:11 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88464 (86.3 Kb)  TX bytes:88464 (86.3 Kb)

bash-2.05b# uptime
 07:14:27 up 2 days, 7:27, 7 users, load average: 0.27, 0.19, 0.11
```
I have also stopped ETH1, to be sure no packets are coming from my LAN. I have closed all appz (dock temperature appz, dock email notifications etc..) and services (sshd) that require an internet connection and I was even on console. Launching iptraf always tells me that Eth0 is receiving UDP packets on port 67/68 (bootpc/bootps)
My conclusion is that I'm generating no packets, and that it's my ISP's fault...
Well, I really need your opinions on that guys....it's pissing me off to pay 92$ this month because they are saying that I have exceeded the bandwidth
Sorry for this BIG post!
Have a nice day all! :)
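
An added check, not part of the original post: it takes the eth0 RX counter and the uptime from the output above and computes how many bytes one 377-byte packet every 2 seconds delivers over that same period, and what fraction of the counter that is. The function names are this example's own.

```python
import re

# Lines quoted from the ifconfig/uptime output posted above.
IFCONFIG_ETH0 = "RX bytes:413889807 (394.7 Mb) TX bytes:72073301 (68.7 Mb)"
UPTIME = "07:14:27 up 2 days, 7:27, 7 users, load average: 0.27, 0.19, 0.11"


def rx_bytes(ifconfig_text: str) -> int:
    """Return the RX byte counter from net-tools ifconfig output."""
    m = re.search(r"RX bytes:(\d+)", ifconfig_text)
    if m is None:
        raise ValueError("no RX byte counter found")
    return int(m.group(1))


def uptime_seconds(uptime_text: str) -> int:
    """Parse the 'up [N days,] H:MM' part of uptime output."""
    m = re.search(r"up\s+(?:(\d+)\s+days?,\s+)?(\d+):(\d\d)", uptime_text)
    if m is None:
        raise ValueError("unsupported uptime format")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60


def periodic_bytes(packet_bytes: int, interval_s: int, duration_s: int) -> int:
    """Bytes delivered by one fixed-size packet every interval_s seconds."""
    return packet_bytes * (duration_s // interval_s)


def stream_share(packet_bytes: int, interval_s: int) -> dict:
    """Compare a periodic stream with what the counter saw since boot."""
    up = uptime_seconds(UPTIME)
    total = rx_bytes(IFCONFIG_ETH0)
    stream = periodic_bytes(packet_bytes, interval_s, up)
    return {
        "uptime_s": up,
        "rx_total": total,
        "stream_bytes": stream,
        "stream_share": round(stream / total, 3),   # fraction of RX counter
        "rx_per_day": total * 86400 // up,          # average bytes per day
    }


if __name__ == "__main__":
    # 377 bytes every 2 seconds is the figure given in the post.
    for key, value in stream_share(377, 2).items():
        print(f"{key}: {value}")
```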

Yamakasi Apprentice
Joined: 28 Sep 2002 Posts: 201
Posted: Sat Jun 21, 2003 11:44 pm
So...anybody got an idea for my problem? :)

fusion Tux's lil' helper
Joined: 02 Nov 2002 Posts: 119
Posted: Sun Jun 22, 2003 12:26 am
it is probably coming from your cable modem or some other network hardware, router or switch maybe?
Being that they are 10.66.0.1 which is a private address. Since you have a LAN, disconnect your cable modem and see if they stop or are still happening. If they continue, try disconnecting the other PCs on the LAN one by one to see where it's coming from.
Btw some more info about how your LAN is set up could help too
edit: I had the same problem which turned out to be my RCA cable modem.

DrkPlague Tux's lil' helper
Joined: 04 Jun 2003 Posts: 107
Posted: Sun Jun 22, 2003 12:48 am
that traffic is coming from other people on your local cable node trying to boot over bootp. my advice would be to complain to the ISP and tell them you are receiving that much data from something they SHOULD be filtering out.
or if you are really evil you could run your own bootp server and hijack other people's computers :twisted: _________________ DKP
There are 10 kinds of people in the world:
Those who understand binary and those who don't...

elzbal Guru
Joined: 31 Aug 2002 Posts: 364 Location: Seattle, WA, USA
Posted: Sun Jun 22, 2003 6:07 am
One idea... set up a firewall on your Gentoo box and block anything that you don't need. For example, set up the rules to block all, then explicitly allow certain connections (web, email, your favorite games, etc). This will give you more control over the miscellaneous traffic that certain computers (read: Windows) seem to generate.

Matje l33t
Joined: 29 Oct 2002 Posts: 619 Location: Hasselt, Belgium
Posted: Sun Jun 22, 2003 6:21 am
Setting up a firewall won't help the fact that he is receiving these packages, it'll just drop them, but he will still be accounted for it. I agree with DrkPlague on the fact that you should contact your ISP. However, it isn't a client that's trying to boot. Since it's going from bootps (bootprotocol server) to bootpc (bootprotocol client), it's a broadcast message from some idiot that made his bootserver available on the www. This still is the ISP's problem because they should block broadcast messages from clients. _________________ Life is like a box of chocolates... Before you know it, it's empty...

Yamakasi Apprentice
Joined: 28 Sep 2002 Posts: 201
Posted: Sun Jun 22, 2003 12:24 pm
Matje wrote: | Setting up a firewall won't help the fact that he is receiving these packages, it'll just drop them, but he will still be accounted for it. I agree with DrkPlague on the fact that you should contact your ISP. However, it isn't a client that's trying to boot. Since it's going from bootps (bootprotocol server) to bootpc (bootprotocol client), it's a broadcast message from some idiot that made his bootserver available on the www. This still is the ISP's problem because they should block broadcast messages from clients. |
you are right Matje...the firewall doesn't do anything..the UDP is still coming in. (I have blocked UDP packets on 67 and 68)
DrkPlague and you brought up some pretty interesting points. I will call my ISP today and give u all a status about it.
However, before calling them, I need to know more about how "BootServer" works.
From my understanding, Bootserver is a service installed on a server (in my case, some idiot's server on my node) that will permit a workstation (configured in the BIOS to boot on the network) to get an IP and then start the OS installation.
Am I right?
Also, does the "BootServer" service always send broadcast packets on the entire network? (like every 2 seconds? that would be crazy!)

zhenlin Veteran
Joined: 09 Nov 2002 Posts: 1361
Posted: Sun Jun 22, 2003 1:42 pm
BootP was the predecessor to DHCP, I'm told. Like DHCP, it is based on a broadcast system.
NetBoot utilises BootP or DHCP to get an IP address, and from there proceeds to download a kernel from the server, load it into memory, boot, and mount NFS filesystems.

Matje l33t
Joined: 29 Oct 2002 Posts: 619 Location: Hasselt, Belgium
Posted: Sun Jun 22, 2003 1:42 pm
Yamakasi wrote: | you are right Matje... |
I try to be
Quote: | the firewall doesn't do anything..the UDP is still coming in. (I have blocked UDP packets on 67 and 68)
DrkPlague and you brought up some pretty interesting points. I will call my ISP today and give u all a status about it.
However, before calling them, I need to know more about how "BootServer" works.
From my understanding, Bootserver is a service installed on a server (in my case, some idiot's server on my node) that will permit a workstation (configured in the BIOS to boot on the network) to get an IP and then start the OS installation.
Am I right? |
You're right, yes. Usually you have a network card or use a floppy so that your network card gets an IP, then it looks for an available kernel on the network (normally gets the info where to get it with the IP) and it boots.
Quote: | Also, does the "BootServer" service always send broadcast packets on the entire network? (like every 2 seconds? that would be crazy!) |
Well... This is the part I don't understand. Normally a server doesn't broadcast its presence. Normally, a client sends out a broadcast requesting an IP (dhcp), and the dhcp server on the server sends back an IP, together with the address where the client should go and pick up the kernel. One could say that maybe there's just another server (ab)using that port but since it's clearly between bootps and bootpc I think it's safe to say that this isn't the case. I just did a quick review of the BOOTP RFC and I didn't see anything about a server broadcasting. However, this is not one of your worries. You should just contact your ISP stating that somebody is broadcasting UDP packets every 2 seconds and that you get accounted for it.
If it helps, imagine what the other guy shall be paying for uploading that many packets :lol: _________________ Life is like a box of chocolates... Before you know it, it's empty...
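
An added example, not from any poster in the thread: a decoder for the UDP payload of a port 67/68 packet that reports whether it is a request or a reply, whether the broadcast flag is set, and which client MAC it is addressed to, so captured packets can be sorted into "for this host" and "for a neighbour". The sample packet, its client MAC and the 192.0.2.50 lease address are constructed; 10.66.0.1 is the source address mentioned earlier in the thread.

```python
import socket
import struct

# RFC 951 fixed header, 236 bytes; DHCP options follow a 4-byte cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
DHCP_COOKIE = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_bootp(payload: bytes) -> dict:
    """Decode the UDP payload of one port 67/68 packet."""
    if len(payload) < BOOTP.size:
        raise ValueError("truncated BOOTP message")
    f = BOOTP.unpack_from(payload)   # op htype hlen hops xid secs flags ...
    msg = {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(f[0], "unknown"),
        "broadcast_flag": bool(f[6] & 0x8000),
        "yiaddr": socket.inet_ntoa(f[8]),          # address being handed out
        "client_mac": f[11][:min(f[2], 16)].hex(":"),
        "dhcp_type": None,
        "server_id": None,
    }
    opts = payload[BOOTP.size:]
    i = 4 if opts[:4] == DHCP_COOKIE else len(opts)   # plain BOOTP: no options
    while i + 1 < len(opts) and opts[i] != 255:        # 255 = end option
        if opts[i] == 0:                               # 0 = pad, no length
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:             # DHCP message type
            msg["dhcp_type"] = DHCP_TYPES.get(value[0], str(value[0]))
        elif code == 54 and len(value) == 4:           # server identifier
            msg["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg


def classify(msg: dict, my_mac: str) -> str:
    """Say whether a captured message concerns this host or a neighbour."""
    if msg["op"] != "BOOTREPLY":
        return "client request"
    mine = msg["client_mac"].lower() == my_mac.lower()
    return "reply to this host" if mine else "reply to another client"


def sample_reply(client_mac: bytes) -> bytes:
    """Constructed DHCP ACK (not captured traffic) from server 10.66.0.1."""
    ip = socket.inet_aton
    fixed = BOOTP.pack(2, 1, 6, 0, 0x1234ABCD, 0, 0x8000, ip("0.0.0.0"),
                       ip("192.0.2.50"), ip("10.66.0.1"), ip("0.0.0.0"),
                       client_mac, b"", b"")
    return fixed + DHCP_COOKIE + bytes([53, 1, 5, 54, 4]) + ip("10.66.0.1") + b"\xff"
```

Under RFC 2131 a server sends its reply to the broadcast address when the client set the broadcast flag, so on a shared segment such replies are visible to every host; the `client_mac` field shows which client each one was meant for.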

Athlon_Jedi n00b
Joined: 25 Jun 2003 Posts: 45 Location: Tifton, GA
Posted: Wed Jun 25, 2003 7:41 pm Post subject: oh boy.......
what it sounds like to me is that some idiot is attempting to set up distributed computing ILLEGALLY and wants to steal bandwidth or the like. Or that the idiot in question wants to set up a cluster using everyone else's system, thus bootp is actively seeking clients that are connected to your node but idle.
I would DEFINITELY bring this to your ISP's attention, people like this guy are the reason bit caps exist in the first place.

MrMullen n00b
Joined: 24 Jan 2003 Posts: 27
Posted: Tue Jul 01, 2003 8:40 pm Post subject: You know
I did not follow all of the conversation too much, but I think one of your Windows machines has a Stealth P2P on it and you don't know it.
Over the last 3 years I have found 4 P2P's installed onto my computer without my permission or knowledge. Two, I think, came from pirated software, and two others I have no clue. I would get every computer on the internal network scanned with VPROT virus scanner (It handles stealth P2P clients) and see what comes up.