i have been noticing a short connection burst in system monitor every time i connect to internet.
i got curious and decided to run wireshark to see what was happening.
it seems that i am connecting to 96.195.141.178 with a destination of "PartedMagic".
this seemed strange because i do not have PartedMagic installed, so i ran a 'whois' check.
this is what it showed:
IP Location: United States, Pittsburgh, Comcast Cable Communications Llc
ASN: AS7922 COMCAST-7922 - Comcast Cable Communications, Inc.,US (registered Feb 14, 1997)
Resolve Host: m001dd684d074.pitt1.pa.comcast.net
Whois Server: whois.arin.net
IP Address: 96.195.141.178
NetRange: 96.192.0.0 - 96.223.255.255
CIDR: 96.192.0.0/11
NetName: COMCAST-VOIP-4
NetHandle: NET-96-192-0-0-1
Parent: NET96 (NET-96-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Comcast Cable Communications, LLC (CCCS)
is this something of concern?
if so, what is/are the best way/s to track this down?
any and all help / suggestions are much needed and appreciated.
thank you.
On Wed, Dec 3, 2014 at 5:49 AM, g geleem@bellsouth.net wrote:
> is this something of concern?
Maybe. A bit odd since that's assigned as Comcast VOIP and not a static customer block.
> if so, what is/are the best way/s to track this down?
I'd dump the traffic with tcpdump or wireshark and analyze it. What type of traffic is it? (transport layer protocol, as well as application protocol -- ex: HTTP is TCP port 80)
Are there any DNS queries that happen prior to the spike? Use wireshark to capture them and that might give a clue.
You could also use nethogs to diagnose and determine what program is causing the spike. http://nethogs.sourceforge.net/
On 12/03/2014 11:12 AM, SilverTip257 wrote:
> Maybe. A bit odd since that's assigned as Comcast VOIP and not a static customer block.
this is true.
> I'd dump the traffic with tcpdump or wireshark and analyze it.
i have a text file saved. see below.
which "save as" format should be used to reload it into wireshark without loss of information?
> What type of traffic is it? (transport layer protocol, as well as application protocol -- ex: HTTP is TCP port 80)
see below.
> Are there any DNS queries that happen prior to the spike? Use wireshark to capture them and that might give a clue.
see below.
> You could also use nethogs to diagnose and determine what program is causing the spike. http://nethogs.sourceforge.net/
will have to install.
*BELOW*
i should have done this before posting. :-( i loaded the wireshark text file to:
On 12/03/2014 04:49 AM, g wrote:
my bad. :-(
to SilverTip257 and Mark Mihollan,
thank you for responding. my "chemo brain" gets forgetful.
i am taking system offline after sending this and will run wireshark again to see if there is anything different.
thanks again.
new paste at:
hopefully this will give better info and answers.
thanks again to respondents.
On 12/3/2014 1:53 PM, g wrote:
> new paste at:
> hopefully this will give better info and answers.
> thanks again to respondents.
again, wireshark is, for some unknown reason, calling that 00:0f:fe:8f:8f:23 MAC address "PartedMagic"; this MAC is associated with the IP 192.168.1.144.
other than wireshark's odd name for this host, I see nothing wrong here. Does the system with that IP in fact have that MAC? If so, everything is normal: that system is apparently connecting to https://secure.informaction.com
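The checks suggested in this thread (SilverTip257's: what transport and application protocol the burst uses, and which DNS queries precede it; Mark's: whether the IP in question really belongs to that MAC) can be scripted once the capture is exported to text. The following is an added example and is not code from anyone in the thread. It assumes a tab-separated export with one packet per line (relative time, source MAC, source IP, destination IP, protocol, destination port, DNS query name); that column layout, the function names and the sample records are all constructed for illustration, using documentation address ranges rather than the addresses discussed above.

```python
"""Triage of a short connection burst from a packet-capture summary.

Added example, not code from this thread. It assumes the capture has been
exported to a tab-separated text form with one line per packet:

    rel_time  src_mac  src_ip  dst_ip  protocol  dst_port  dns_query

The column layout, the helper names and the sample records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    t: float          # seconds since start of capture
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "TCP", "UDP", "DNS", "TLS", ...
    dst_port: int
    dns_query: str    # empty unless the packet is a DNS query


# Constructed sample: host 192.168.1.144 resolves two names, then opens a
# burst of TLS connections to 203.0.113.10 (a documentation address).
SAMPLE = """\
0.000\t00:0f:fe:8f:8f:23\t192.168.1.144\t192.168.1.1\tDNS\t53\tsecure.example.net
0.031\t00:0f:fe:8f:8f:23\t192.168.1.144\t192.168.1.1\tDNS\t53\tupdates.example.org
0.210\t00:0f:fe:8f:8f:23\t192.168.1.144\t203.0.113.10\tTCP\t443\t
0.215\t00:0f:fe:8f:8f:23\t192.168.1.144\t203.0.113.10\tTLS\t443\t
0.240\t00:0f:fe:8f:8f:23\t192.168.1.144\t203.0.113.10\tTCP\t443\t
0.260\t00:0f:fe:8f:8f:23\t192.168.1.144\t203.0.113.10\tTCP\t443\t
5.500\t00:1a:2b:3c:4d:5e\t192.168.1.20\t192.168.1.1\tDNS\t53\tmail.example.com
9.000\t00:0f:fe:8f:8f:23\t192.168.1.144\t203.0.113.10\tTCP\t443\t
"""


def parse(text):
    """Turn the tab-separated export into Packet records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, sip, dip, proto, port, qry = line.split("\t")
        pkts.append(Packet(float(t), mac, sip, dip, proto, int(port), qry))
    return pkts


def find_burst(pkts, dst_ip, window=1.0, min_packets=3):
    """Return (start, end) of the first window with >= min_packets to dst_ip, else None."""
    times = sorted(p.t for p in pkts if p.dst_ip == dst_ip)
    for i, start in enumerate(times):
        in_window = [t for t in times[i:] if t - start <= window]
        if len(in_window) >= min_packets:
            return (start, in_window[-1])
    return None


def protocol_profile(pkts, dst_ip, start, end):
    """Count (protocol, dst_port) pairs sent to dst_ip during the burst."""
    return Counter(
        (p.proto, p.dst_port)
        for p in pkts
        if p.dst_ip == dst_ip and start <= p.t <= end
    )


def dns_before(pkts, start, lookback=2.0):
    """Names queried in the lookback seconds before the burst, in time order."""
    return [
        p.dns_query
        for p in sorted(pkts, key=lambda p: p.t)
        if p.dns_query and start - lookback <= p.t < start
    ]


def macs_for_ip(pkts):
    """Map each source IP to the set of MAC addresses it was seen with."""
    seen = defaultdict(set)
    for p in pkts:
        seen[p.src_ip].add(p.src_mac)
    return dict(seen)


def ip_mac_consistent(pkts, ip, mac):
    """True when ip appears in the capture with exactly the one expected MAC."""
    return macs_for_ip(pkts).get(ip) == {mac}


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    target = "203.0.113.10"
    burst = find_burst(pkts, target)
    print("burst window:", burst)
    if burst:
        print("protocols/ports:", dict(protocol_profile(pkts, target, *burst)))
        print("DNS queries just before:", dns_before(pkts, burst[0]))
    print("IP->MAC:", macs_for_ip(pkts))
```

Run against a real export in the same column layout, the protocol profile answers the "what type of traffic" question, the DNS list shows which name was resolved right before the burst, and the IP-to-MAC map makes the "does that IP have that MAC" check mechanical: an IP that shows up with more than one MAC, or a MAC that does not match the host you expect, is the thing to follow up on. The script works on addresses only, so whatever label the capture tool attaches to a MAC does not influence the result.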