measuring netusage problem

theDT

Programmer
Aug 7, 2003
5
SE
Hello!

I have made an application that is going to measure the net usage on my network. I have used SOCK_PACKET and RAW_SOCK to get hold of all the IP-packets...

Now to the problem:
I run the app and the result in the logging shows that there is more traffic than the real traffic in the network.
I started to try to find out what the reason was for the extra usage (according to my app).
I examined the packets one by one and checked which packets were actually going and which port they were addressed to/from.

Then I saw that there were a lot of TCP packets that were 40 bytes and addressed to different IPs. The port was 0 for destination and source.

Can anyone figure out what these packets are?
I would be very grateful if anyone could help me out with this one.

You have to excuse me for my bad English. :)

/Daniel Tängmark
dete@spattstorm.com
 
I wasn't too sure, so I googled "tcp port 0" and came up with this:
The answer is that it could be a Unix trick.

 
Thanks for your answer!

But that can't be the reason why there are packets in the network with a source and destination port 0?

As I understand, when binding a socket to a port, you don't actually get port 0 even if you specify it. The kernel assigns a free port in the range 1024-65535.
The result of that must be that the sent packet doesn't have port 0, but one in the range 1024-65535.

I've read that some people think it is some attempt to get information about the network, but I don't believe that can be all true. Some of the packets actually come from my home network, but maybe they're some kind of reply to an incoming request.

I don't have any clue where those packets come from, or if it's some kind of error in my way of implementing.

More suggestions are most welcome.


/Daniel Tängmark
dete@spattstorm.com
 
My experience has been that it is a NIC driver issue. It confounds XP's own counters.

This thread is typical of the symptoms:

thread779-526667
 
The application runs under Linux Slackware 8.1, so it can't be that driver problem?
You mean that all computers in the network running XP can cause some of the strange small packages? (with uPnP service)
If I can add right, those small 40-byte packages must be empty of data (IP header 20 bytes + TCP header 20 bytes).


/Daniel Tängmark
dete@spattstorm.com
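
The 20 + 20 byte arithmetic in the post above holds only when both headers have no options, so a monitor has to read the header lengths from the packet itself before trusting the port fields. The following is an added example, not code from this thread or from the poster's application: the names `tcp_summary`, `summarize_tcp` and `SAMPLE_ACK` are hypothetical, the sample packet is constructed, checksums are not verified, and plain Ethernet framing (14-byte link header) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Summary of one decoded packet (hypothetical struct for this example). */
struct tcp_summary {
    uint16_t sport, dport;  /* TCP ports, host byte order */
    uint8_t  flags;         /* TCP flag byte: 0x02 SYN, 0x10 ACK, ... */
    int      payload_len;   /* TCP data bytes after both headers */
};

/* Constructed sample: 40-byte packet 192.168.0.2:1024 -> 192.168.0.1:80, bare ACK. */
const uint8_t SAMPLE_ACK[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x02, 0xc0,0xa8,0x00,0x01,            /* IPv4 header */
    0x04,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x50,0x10,0x20,0x00, 0x00,0x00,0x00,0x00 };          /* TCP header  */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt points at the IPv4 header (past the 14-byte Ethernet header of a captured
 * frame). Returns 0 on success, -1 malformed/truncated, -2 not TCP, -3 non-first
 * fragment: it has no TCP header, so "ports" read from it are payload bytes. */
int summarize_tcp(const uint8_t *pkt, size_t len, struct tcp_summary *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;     /* IP header length varies */
    size_t total = be16(pkt + 2);                   /* IP total length field   */
    if (ihl < 20 || total < ihl || total > len) return -1;
    if (pkt[9] != 6) return -2;                     /* protocol 6 = TCP        */
    if (be16(pkt + 6) & 0x1fff) return -3;          /* fragment offset != 0    */
    if (total < ihl + 20) return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;       /* TCP header length       */
    if (doff < 20 || ihl + doff > total) return -1;
    out->sport = be16(tcp);
    out->dport = be16(tcp + 2);
    out->flags = tcp[13];
    out->payload_len = (int)(total - ihl - doff);
    return 0;
}

int main(void)
{
    struct tcp_summary s;
    if (summarize_tcp(SAMPLE_ACK, sizeof SAMPLE_ACK, &s) == 0)
        printf("%u -> %u flags=0x%02x payload=%d\n",
               (unsigned)s.sport, (unsigned)s.dport, (unsigned)s.flags, s.payload_len);
    return 0;
}
```

Logging the return code and flag byte next to each byte count shows which entries are data-less TCP segments and which were never decodable as TCP in the first place.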
 
It is not necessarily uPnP traffic. My own guess is that the driver misinterprets how to handle a failed DNS query that ends up hitting the "Router of last resort" in the routing table.
 
The driver issue is on the client side, not your Linux monitor.
 
Ok!

That sounds like a reasonable cause.

Thanks again for your input!

These things are so hard to debug/find out what the packages actually are, I think.
This is the first app monitoring a network that I've made, so I'm not that good on the subject.

/Daniel Tängmark
dete@spattstorm.com
 
theDT,

Have you looked at Etherape? It sounds as if it is similar to what you are doing, although I would guess that its historisis is way too short for what you are trying to do.

However, it may be a decent model to start from.


pansophic
 
Thanks for letting me know about that!
I'll check it out!

/Daniel Tängmark
dete@spattstorm.com
 