Ricardo

UPDATE:

Since nethogs isn't helping you narrow down the cause, I suggest using netstat to view all TCP and UDP activity.

Try the following command:

    # netstat -atpn

a = display all
t = display TCP (you should also try with u to display UDP)
p = display the process name for established and listening connections
n = prevent name resolution, since that slows the output down



    # netstat -atpn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      20519/httpd
    tcp        0      0 0.0.0.0:19025               0.0.0.0:*                   LISTEN      15810/sendmail
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1668/sshd
    tcp        0      0 23.23.16.41:80              19.15.63.42:60172           TIME_WAIT   -
    tcp        0      0 23.23.16.41:22              172.218.220.79:58498        ESTABLISHED 30607/sshd

The output will tell you which services are listening for connections (you should disable the ones you do not want), the established sessions, the ones recently closed, etc. I suspect you will see many with port 80 or port 25, which means your PC has become a proxy server or spam relay. If you do, then disable the httpd and email daemons until you can lock them down.


I don't see any IPv6 addresses here. What you have in your question is:

210.77.27.236:473885-70.39.110.14:80

That clearly shows the IP address of the client is 210.77.27.236, and the source port is bizarre because it's invalid (it should only go up to 65K).

The server address is 70.39.110.14 and destination port is 80 (www).

It is not clear if your PC is the server or the client in this case, but if you feel this is the cause of your increased bandwidth usage, you could be hosting a proxy server or you have a rogue program connecting to a remote server for who knows what purpose.
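
The netstat triage suggested in the update above, as an added example that is not part of the original answer: it lists each listening TCP service once and counts connections and distinct remote addresses per local port, so a busy port 80 or 25 stands out. The function names and the sample output are constructed for illustration, and only TCP lines (`-t`) are handled.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -atpn` output.
# Addresses come from the documentation ranges; PIDs are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address       State       PID/Program name
tcp        0      0 0.0.0.0:80        0.0.0.0:*             LISTEN      20519/httpd
tcp        0      0 0.0.0.0:25        0.0.0.0:*             LISTEN      15810/sendmail
tcp        0      0 0.0.0.0:22        0.0.0.0:*             LISTEN      1668/sshd
tcp        0      0 192.0.2.10:80     198.51.100.7:60172    ESTABLISHED 20519/httpd
tcp        0      0 192.0.2.10:80     198.51.100.7:60173    ESTABLISHED 20519/httpd
tcp        0      0 192.0.2.10:80     203.0.113.5:41000     TIME_WAIT   -
tcp        0      0 192.0.2.10:22     203.0.113.9:58498     ESTABLISHED 30607/sshd
EOF
}

# Print "port program" once per listening TCP socket, lowest port first.
listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         n = split($4, a, ":")     # last piece is the port (also for tcp6)
         split($7, p, "/")         # "PID/name", or "-" without root
         print a[n], (p[2] != "" ? p[2] : "-")
       }' | sort -u | sort -n
}

# Print "local_port connections distinct_remote_ips", busiest port first.
# Counts every non-LISTEN state (ESTABLISHED, TIME_WAIT, ...).
conn_summary() {
  awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
         n = split($4, l, ":"); port = l[n]
         peer = $5; sub(/:[^:]*$/, "", peer)   # strip the remote port
         total[port]++
         if (!((port, peer) in seen)) { seen[port, peer] = 1; peers[port]++ }
       }
       END { for (p in total) print p, total[p], peers[p] }' |
    sort -k2,2nr -k1,1n
}

# Run against the sample; on a live host use: netstat -atpn | conn_summary
echo "Listening services:";  sample_netstat | listeners
echo "Connections per port:"; sample_netstat | conn_summary
```

The per-port view is only meaningful for ports the host serves; when the host is the client, the local ports are ephemeral and each will show a single connection.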