iftop and traffic on blocked port

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm analyzing the network traffic with iftop an I'm puzzled by this output:



188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
<= 162KB 51KB 30KB


My ip is 188.25.15.139.



The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)



My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such a large traffic "from me" on port 11596.



Also I have no process listening on 11596 or 8880; I checked this with:



sudo ss -lptn 'sport = :11596' 
sudo ss -lptn 'sport = :8880'


Main question: how could one explain the traffic "from me"?



lsb_release -a


No LSB modules are available.

Distributor ID: Ubuntu

Description: Ubuntu 16.04.4 LTS

Release: 16.04

Codename: xenial



uname -a


Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



EDIT



iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

sudo ufw status numbered
Status: active

To Action From
-- ------ ----
[1] 22 LIMIT IN Anywhere
[2] 80 ALLOW IN Anywhere
[3] 443 ALLOW IN Anywhere






share|improve this question


























    up vote
    0
    down vote

    favorite












    I'm analyzing the network traffic with iftop an I'm puzzled by this output:



    188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
    <= 162KB 51KB 30KB


    My ip is 188.25.15.139.



    The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)



    My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such a large traffic "from me" on port 11596.



    Also I have no process listening on 11596 or 8880; I checked this with:



    sudo ss -lptn 'sport = :11596' 
    sudo ss -lptn 'sport = :8880'


    Main question: how could one explain the traffic "from me"?



    lsb_release -a


    No LSB modules are available.

    Distributor ID: Ubuntu

    Description: Ubuntu 16.04.4 LTS

    Release: 16.04

    Codename: xenial



    uname -a


    Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



    EDIT



    iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

    sudo ufw status numbered
    Status: active

    To Action From
    -- ------ ----
    [1] 22 LIMIT IN Anywhere
    [2] 80 ALLOW IN Anywhere
    [3] 443 ALLOW IN Anywhere






    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I'm analyzing the network traffic with iftop an I'm puzzled by this output:



      188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
      <= 162KB 51KB 30KB


      My ip is 188.25.15.139.



      The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)



      My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such a large traffic "from me" on port 11596.



      Also I have no process listening on 11596 or 8880; I checked this with:



      sudo ss -lptn 'sport = :11596' 
      sudo ss -lptn 'sport = :8880'


      Main question: how could one explain the traffic "from me"?



      lsb_release -a


      No LSB modules are available.

      Distributor ID: Ubuntu

      Description: Ubuntu 16.04.4 LTS

      Release: 16.04

      Codename: xenial



      uname -a


      Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



      EDIT



      iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

      sudo ufw status numbered
      Status: active

      To Action From
      -- ------ ----
      [1] 22 LIMIT IN Anywhere
      [2] 80 ALLOW IN Anywhere
      [3] 443 ALLOW IN Anywhere






      share|improve this question














      I'm analyzing the network traffic with iftop an I'm puzzled by this output:



      188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
      <= 162KB 51KB 30KB


      My ip is 188.25.15.139.



      The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)



      My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such a large traffic "from me" on port 11596.



      Also I have no process listening on 11596 or 8880; I checked this with:



      sudo ss -lptn 'sport = :11596' 
      sudo ss -lptn 'sport = :8880'


      Main question: how could one explain the traffic "from me"?



      lsb_release -a


      No LSB modules are available.

      Distributor ID: Ubuntu

      Description: Ubuntu 16.04.4 LTS

      Release: 16.04

      Codename: xenial



      uname -a


      Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



      EDIT



      iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

      sudo ufw status numbered
      Status: active

      To Action From
      -- ------ ----
      [1] 22 LIMIT IN Anywhere
      [2] 80 ALLOW IN Anywhere
      [3] 443 ALLOW IN Anywhere








      share|improve this question













      share|improve this question




      share|improve this question








      edited Apr 4 at 13:39

























      asked Apr 1 at 19:58









      adrhc

      497




      497




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          Shortly the answer is:



          a javascript application is sending and receiving data to/from 104.31.112.90:8880.



          In order to find out that I used with success:



          telnet 104.31.112.90 8880


          This means that most probable 8880 is not a random port like when 104.31.112.90 would be initially connected to me; this further means that somehow it was me the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a cloudflare server; most probable that is a server hosting a web service of some sort which I was consuming.



          Considering that I already had the browser opened with many tabs then most probably a javascript application was consuming some web services from 104.31.112.90:8880. Ignoring 53, 80, 123, 443 ports when using iftop ouldn't help with already running javascript in already opened browser tabs.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f434896%2fiftop-and-traffic-on-blocked-port%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote



            accepted










            Shortly the answer is:



            a javascript application is sending and receiving data to/from 104.31.112.90:8880.



            In order to find out that I used with success:



            telnet 104.31.112.90 8880


            This means that most probable 8880 is not a random port like when 104.31.112.90 would be initially connected to me; this further means that somehow it was me the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a cloudflare server; most probable that is a server hosting a web service of some sort which I was consuming.



            Considering that I already had the browser opened with many tabs then most probably a javascript application was consuming some web services from 104.31.112.90:8880. Ignoring 53, 80, 123, 443 ports when using iftop ouldn't help with already running javascript in already opened browser tabs.






            share|improve this answer
























              up vote
              0
              down vote



              accepted










              Shortly the answer is:



              a javascript application is sending and receiving data to/from 104.31.112.90:8880.



              In order to find out that I used with success:



              telnet 104.31.112.90 8880


              This means that most probable 8880 is not a random port like when 104.31.112.90 would be initially connected to me; this further means that somehow it was me the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a cloudflare server; most probable that is a server hosting a web service of some sort which I was consuming.



              Considering that I already had the browser opened with many tabs then most probably a javascript application was consuming some web services from 104.31.112.90:8880. Ignoring 53, 80, 123, 443 ports when using iftop ouldn't help with already running javascript in already opened browser tabs.






              share|improve this answer






















                up vote
                0
                down vote



                accepted







                up vote
                0
                down vote



                accepted






                Shortly the answer is:



                a javascript application is sending and receiving data to/from 104.31.112.90:8880.



                In order to find out that I used with success:



                telnet 104.31.112.90 8880


                This means that most probable 8880 is not a random port like when 104.31.112.90 would be initially connected to me; this further means that somehow it was me the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a cloudflare server; most probable that is a server hosting a web service of some sort which I was consuming.



                Considering that I already had the browser opened with many tabs then most probably a javascript application was consuming some web services from 104.31.112.90:8880. Ignoring 53, 80, 123, 443 ports when using iftop ouldn't help with already running javascript in already opened browser tabs.






                share|improve this answer












                Shortly the answer is:



                a javascript application is sending and receiving data to/from 104.31.112.90:8880.



                In order to find out that I used with success:



                telnet 104.31.112.90 8880


                This means that most probable 8880 is not a random port like when 104.31.112.90 would be initially connected to me; this further means that somehow it was me the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a cloudflare server; most probable that is a server hosting a web service of some sort which I was consuming.



                Considering that I already had the browser opened with many tabs then most probably a javascript application was consuming some web services from 104.31.112.90:8880. Ignoring 53, 80, 123, 443 ports when using iftop ouldn't help with already running javascript in already opened browser tabs.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Apr 4 at 13:38









                adrhc

                497




                497






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f434896%2fiftop-and-traffic-on-blocked-port%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?