Saturday, August 17, 2013

Finding The Culprit Of High Bandwidth Use

On Wednesday I was visiting my parents and Dad mentioned that over the last 2 months he'd been seeing some high bandwidth use on his home DSL. Typically in the past they'd never used more than 10-15 GB/month because they don't use streaming video and the biggest bandwidth hog is probably uploading photos to Facebook. Lately it has had occasional days where the use has gone up to 5-7 GB in a single day.

He had it narrowed down to one laptop because one of those days happened when they were not even home, but that laptop was still on.

Dad is a pretty techie guy, he worked for Honeywell computers out of college and then Bell Canada for a very long career specializing in large business PBX and 911 systems. He's never been afraid of computers. I think he'd rank highly on the MIT hacker test because he actually has programmed with punch cards.



Anyway, given that background this is what I've suggested to him:

Download and install Wireshark from http://www.wireshark.org/download.html
Once it is installed, open a Command Prompt (cmd.exe) and change directory to C:\Program Files\Wireshark

Run this command and leave it running all day. The "-z conv,ip,ip" part tells tshark to keep a table of every IP conversation it sees (which servers on the internet, by IP address, the laptop talked to, and how many bytes went each way) and to print that table when the capture stops. Everything after that is a capture filter: it keeps only packets where exactly one end is a 192.168.x.x address, so traffic between two local addresses (the laptop and the router, for example) is ignored and what is left is the traffic that actually crossed the DSL line. In normal mode the Wi-Fi adapter only sees traffic addressed to the laptop itself (plus broadcasts), so this measures this one laptop, which is the suspect anyway.

tshark.exe -i Wi-Fi -z conv,ip,ip dst net 192.168 and src net not 192.168 or ip dst net not 192.168 and src net 192.168 > C:\users\public\tshark.txt

Note: you may need to change the "-i Wi-Fi" part to "-i Local Area Connection*" or something else.
Use "tshark -D" to list the network interfaces on your computer; you can also give the interface's number from that list instead of its name (for example "-i 1").

It should print "Capturing on 'Wi-Fi'" and then a running packet counter. Meanwhile the file C:\users\public\tshark.txt records every packet as one line, so over a full day it can grow to hundreds of megabytes; if you only want the summary, add "-q" right after the interface name and tshark will write nothing but the final table. When you stop it with CTRL-C (or just close the CMD window), it ends the file with a table of the connections it saw and how many bytes were transferred in each direction.

example output:
  3.708876 192.168.2.206 -> 65.54.81.79  TCP 74 [TCP Dup ACK 2393#21] 16378 > http [ACK] Seq=1 Ack=2076733 Win=1327 Len=0 SLE=2095609 SRE=2111581 SLE=2078185 SRE=2094157
  3.709305 192.168.2.206 -> 65.54.81.79  TCP 74 [TCP Dup ACK 2393#22] 16378 > http [ACK] Seq=1 Ack=2076733 Win=1327 Len=0 SLE=2095609 SRE=2113033 SLE=2078185 SRE=2094157
  3.710766 192.168.2.206 -> 65.54.81.79  TCP 54 16312 > http [ACK] Seq=1 Ack=1854205 Win=969 Len=0
  3.712005 192.168.2.206 -> 65.54.81.79  TCP 54 16312 > http [ACK] Seq=1 Ack=1857109 Win=964 Len=0
  3.712776 192.168.2.206 -> 65.54.81.79  TCP 74 [TCP Dup ACK 2393#23] 16378 > http [ACK] Seq=1 Ack=2076733 Win=1327 Len=0 SLE=2095609 SRE=2114485 SLE=2078185 SRE=2094157
================================================================================
IPv4 Conversations
Filter:ip
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.2.206        <-> 65.54.81.79                0         0    2419    138406    2419    138406     0.000000000         3.7128
================================================================================
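After a full day the conversations table at the bottom of tshark.txt will have hundreds of rows, buried under the per-packet lines, and the one row you want is the one with the biggest byte counts. The script below is an added example, not something from the original post: it reads that file, skips ahead to the "IPv4 Conversations" table, works out which side of each row is the home address (using the same 192.168 range as the capture filter) and ranks the remote addresses by bytes transferred. The text embedded in it is constructed: the first table row is the one shown above, and the other two rows use documentation addresses (203.0.113.10, 198.51.100.7) invented to show a download-heavy and an upload-heavy conversation. The "kB"/"MB" unit handling is there because newer tshark releases print byte counts with a unit; the decimal multipliers are an assumption.

```python
import ipaddress
import re
import sys
from dataclasses import dataclass

# Constructed sample of what C:\users\public\tshark.txt looks like after CTRL-C:
# per-packet lines first, then the "IPv4 Conversations" table that -z conv,ip
# prints on exit. The first table row is the one from the post; the other two
# rows (203.0.113.10 and 198.51.100.7, documentation addresses) are made up.
SAMPLE = """\
  3.710766 192.168.2.206 -> 65.54.81.79  TCP 54 16312 > http [ACK] Seq=1 Ack=1854205 Win=969 Len=0
  3.712005 192.168.2.206 -> 65.54.81.79  TCP 54 16312 > http [ACK] Seq=1 Ack=1857109 Win=964 Len=0
================================================================================
IPv4 Conversations
Filter:ip
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.2.206        <-> 65.54.81.79                0         0    2419    138406    2419    138406     0.000000000         3.7128
192.168.2.206        <-> 203.0.113.10          1843201 2731000000  910000  48000000 2753201 2779000000     0.000000000     41234.5020
192.168.2.206        <-> 198.51.100.7             2200    1950000    1800    210000    4000   2160000    12.500000000       118.0010
================================================================================
"""

# Local ranges, matching the "net 192.168" capture filter in the tshark command.
# Add 10.0.0.0/8 or 172.16.0.0/12 here if the router hands out those addresses.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# One table row: "A <-> B  rxFrames rxBytes  txFrames txBytes  frames bytes  start duration".
# In tshark's header "<-" is traffic arriving at A from B and "->" is A to B.
# Newer tshark versions print byte counts with a unit ("5 kB"), so allow one.
_NUM = r"\d+(?:\s*(?:bytes|kB|MB|GB))?"
ROW = re.compile(
    r"^\s*(?P<a>\S+)\s+<->\s+(?P<b>\S+)\s+"
    r"(?P<rx_frames>\d+)\s+(?P<rx_bytes>" + _NUM + r")\s+"
    r"(?P<tx_frames>\d+)\s+(?P<tx_bytes>" + _NUM + r")\s+"
    r"(?P<frames>\d+)\s+(?P<bytes>" + _NUM + r")\s+"
    r"(?P<start>[\d.]+)\s+(?P<duration>[\d.]+)\s*$"
)
_UNITS = {"bytes": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}  # assumed decimal units


def to_bytes(field):
    """Turn '138406' or '5 kB' into an integer byte count."""
    m = re.fullmatch(r"(\d+)\s*(bytes|kB|MB|GB)?", field.strip())
    return int(m.group(1)) * _UNITS[m.group(2) or "bytes"]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_conversations(text):
    """Rows of every 'IPv4 Conversations' table in the output; per-packet lines are skipped."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("IPv4 Conversations"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


@dataclass
class Talker:
    remote: str
    local: str
    bytes_to_local: int = 0     # downloaded from the remote address
    bytes_from_local: int = 0   # uploaded to the remote address
    duration_s: float = 0.0

    @property
    def total_bytes(self):
        return self.bytes_to_local + self.bytes_from_local


def top_talkers(text, n=5):
    """Aggregate bytes per remote (non-local) address and rank by total, largest first."""
    talkers = {}
    for r in parse_conversations(text):
        a, b = r["a"], r["b"]
        rx, tx = to_bytes(r["rx_bytes"]), to_bytes(r["tx_bytes"])
        if is_local(a) and not is_local(b):
            local, remote, to_local, from_local = a, b, rx, tx
        elif is_local(b) and not is_local(a):
            local, remote, to_local, from_local = b, a, tx, rx   # columns are relative to A
        else:
            continue  # local<->local (or remote<->remote): not DSL traffic
        t = talkers.get(remote)
        if t is None:
            t = talkers[remote] = Talker(remote, local)
        t.bytes_to_local += to_local
        t.bytes_from_local += from_local
        t.duration_s = max(t.duration_s, float(r["duration"]))
    return sorted(talkers.values(), key=lambda t: t.total_bytes, reverse=True)[:n]


def fmt_bytes(n):
    """Human-readable size using the same decimal units as the table."""
    for unit in ("B", "kB", "MB", "GB"):
        if n < 1000 or unit == "GB":
            return "%.1f %s" % (n, unit)
        n /= 1000.0


if __name__ == "__main__":
    # Pass the path of tshark.txt as the first argument; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("%-16s %10s %10s %10s %10s" % ("remote", "down", "up", "total", "secs"))
    for t in top_talkers(text):
        print("%-16s %10s %10s %10s %10.0f" % (t.remote, fmt_bytes(t.bytes_to_local),
              fmt_bytes(t.bytes_from_local), fmt_bytes(t.total_bytes), t.duration_s))
```

The first line of the report is the address to chase: look it up with nslookup (or a whois query on the IP) to see which service the laptop was talking to, and compare the "down" and "up" columns against the 5-7 GB days on the DSL bill. A conversation that lasts most of the day with gigabytes in one direction is the shape of an unattended transfer, which matches the day the usage spiked with nobody home.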


Edit: Included a screen capture because Blogger doesn't seem to have any fixed-width fonts.