iftop and traffic on blocked port













I'm analyzing the network traffic with iftop and I'm puzzled by this output:



188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
<= 162KB 51KB 30KB


My ip is 188.25.15.139.



The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)



My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such large traffic "from me" on port 11596.



Also I have no process listening on 11596 or 8880; I checked this with:



sudo ss -lptn 'sport = :11596' 
sudo ss -lptn 'sport = :8880'


Main question: how could one explain the traffic "from me"?



lsb_release -a


No LSB modules are available.

Distributor ID: Ubuntu

Description: Ubuntu 16.04.4 LTS

Release: 16.04

Codename: xenial



uname -a


Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



EDIT



iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

sudo ufw status numbered
Status: active

To Action From
-- ------ ----
[1] 22 LIMIT IN Anywhere
[2] 80 ALLOW IN Anywhere
[3] 443 ALLOW IN Anywhere






      edited Apr 4 at 13:39

























      asked Apr 1 at 19:58









      adrhc

          1 Answer
          accepted










          In short, the answer is:

          a JavaScript application is sending and receiving data to/from 104.31.112.90:8880.

          To find that out, I successfully used:



          telnet 104.31.112.90 8880


          This means that most probably 8880 is not a random port, as it would be if 104.31.112.90 had initially connected to me; this further means that somehow I was the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a Cloudflare server; most probably it is a server hosting a web service of some sort which I was consuming.

          Considering that I already had the browser open with many tabs, most probably a JavaScript application was consuming some web services from 104.31.112.90:8880. Ignoring ports 53, 80, 123 and 443 when using iftop wouldn't help with JavaScript already running in already opened browser tabs.






                answered Apr 4 at 13:38









                adrhc
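
An added example, not part of the original question or answer: `ss -l` lists only listening sockets, so a connection the host opened itself never appears there, and the `IN` rules in the `ufw status` output do not cover it. The function below finds the established socket for a local port, decides the direction by checking whether that port is also a listening port, and names the owning process. The sample `ss` output is constructed, and the process names, pids and the 203.0.113.7 peer are invented for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample of `ss -tnp` output (non-listening TCP sockets).
# Process names and pids are invented for illustration.
SAMPLE_ESTAB='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      188.25.15.139:11596  104.31.112.90:8880  users:(("firefox",pid=2143,fd=87))
ESTAB  0      0      188.25.15.139:22     203.0.113.7:51514   users:(("sshd",pid=911,fd=3))'

# Constructed sample of `ss -ltn` output (listening TCP sockets only).
SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*'

# classify_flow PORT ESTAB_TEXT LISTEN_TEXT
# Prints "direction peer process" for each established socket whose local
# port is PORT, or "none" if there is no such socket.
# direction is "inbound" when PORT is also a listening port (a local service
# accepted the connection), otherwise "outbound" (this host opened it).
# Live use: classify_flow 11596 "$(sudo ss -tnp)" "$(sudo ss -ltn)"
classify_flow() {
    local port="$1" estab="$2" listen="$3"
    local direction=outbound
    # The port is the last ':'-separated piece, which also handles IPv6.
    if printf '%s\n' "$listen" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'; then
        direction=inbound
    fi
    printf '%s\n' "$estab" | awk -v p="$port" -v d="$direction" '
        $1 == "ESTAB" {
            n = split($4, a, ":")
            if (a[n] != p) next
            proc = "unknown"   # ss prints no users:(...) without -p or root
            # Match on the whole line so names containing spaces survive.
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print d, $5, proc
            hit = 1
        }
        END { if (!hit) print "none" }'
}
```
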
