> the only application that was open on my laptop was wireshark

No Web browsers? Note that "open" means "running", not "displaying its window in the front on the screen" - if a window is in the background behind the Wireshark window, or has been minimized (this being Ubuntu, I'm not sure what GUI you're using, but, with GNOME, you minimize by clicking the "-" button in the upper-right corner, and it goes to the sidebar, with the icon for the app showing an orange dot to its left, by default), it is open, in that it's running, and possibly doing stuff on the network.

Note also that not everything that interacts with sites on the Internet is an application that shows up on your screen; it could also be a background process. Not even everything that "uses http or https to interact with sites on the Internet" is an application that shows up on your screen.

Statistics > Protocol Hierarchy shows that the majority of the packets are TCP packets, and about 3/4 of them are not using TLS.

Statistics > Conversations shows most of the TCP packets being port-443 (https) packets between Adrien-Aspire-A515-51G.local and objects.githubusercontent.com, with most of the data being from GitHub to your machine. Is there any GitHub project from which you might, for example, be doing a git clone, or other data fetch?

There are also some Boring Old HTTP Without TLS sessions going to connectivity-check.ubuntu.com; that's something Ubuntu does by default. A Web search for "connectivity-check.ubuntu.com" found, for example, Ubuntu's documentation on the connectivity check and an article on how to disable connectivity checking.

The same is true for traffic between your machine and "pki-goog.l.google.com", using the Online Certificate Status Protocol. A search for "pki-goog.l.google.com" found this discussion of traffic between Windows and that site, but it probably applies to other OSes as well - "You have something installed that has Google as their intermediary cert or is using a Google domain for their hosting. LSASS is likely checking the revocation list from Google to make sure the cert is still valid."

> I also receive many packets using the SSDP protocol. I'm not sure if this is linked and I'm genuinely surprised there's no trace of it in this capture.

I applied a display filter of "udp" and saw a lot of SSDP traffic. A display filter of "ssdp" shows IP multicast traffic from 192.168.1.* devices (although at least some of it appears to be directly sent, at the link layer, to your machine), and some devices with IPv6 addresses; those are probably devices on your network announcing their existence to everything else on your network (NOTIFY), or asking about devices on your network (M-SEARCH). There's also a bunch of other broadcast and multicast stuff, either at the IP or link layers (MDNS, IGMPv2, ARP, ICMPv6 Neighbor Discovery). All of this is network overhead for various sorts of automatic configuration and discovery (even ARP arguably falls into this category - having to explicitly tell the computer about the Ethernet/Wi-Fi/etc. addresses of all the machines on the network would just be too much).

So I don't see any clear sign of a DoS here.
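The answer above sorts the SSDP traffic into announcements (NOTIFY) and queries (M-SEARCH). The following is an added example, not part of the answer or of the asker's capture, that applies the same classification to SSDP datagrams: it parses the HTTP-over-UDP start line and headers, labels each datagram as an announcement, a search, or a search response, and records whether it was sent to the well-known SSDP multicast group (239.255.255.250 for IPv4, ff02::c / ff05::c for IPv6, port 1900) or directly to one host. The sample datagrams are constructed for the example; the `SsdpDatagram` container and the function names are this example's own, and the "multicast" flag is judged at the IP layer only (the answer notes that some frames were link-layer unicast even though the IP destination was multicast).

```python
"""Classify SSDP (HTTP-over-UDP) datagrams as announcements, searches or
search responses, and note whether each went to the SSDP multicast group."""

from dataclasses import dataclass
from ipaddress import ip_address

# Well-known SSDP rendezvous addresses: the IPv4 group and the link-local
# and site-local IPv6 groups. SSDP listens on UDP port 1900.
SSDP_MULTICAST = {"239.255.255.250", "ff02::c", "ff05::c"}
SSDP_PORT = 1900


@dataclass
class SsdpDatagram:
    """Example container (not a Wireshark type): addresses plus UDP payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_ssdp(payload: bytes) -> tuple[str, dict[str, str]]:
    """Return (start line, headers) for an HTTPU message; header names upper-cased."""
    text = payload.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    start = lines[0].strip()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return start, headers


def classify(d: SsdpDatagram) -> dict:
    """Label one datagram the way the answer describes NOTIFY vs M-SEARCH."""
    start, headers = parse_ssdp(d.payload)
    method = start.split(" ")[0]
    if method == "NOTIFY":
        kind = "announcement"      # device telling the network it exists
    elif method == "M-SEARCH":
        kind = "search"            # device asking who is out there
    elif start.startswith("HTTP/1.1 200"):
        kind = "search-response"   # unicast reply to an M-SEARCH
    else:
        kind = "other"
    multicast = d.dst in SSDP_MULTICAST or ip_address(d.dst).is_multicast
    return {
        "kind": kind,
        "multicast": multicast,
        "src": d.src,
        "nts": headers.get("NTS"),       # ssdp:alive / ssdp:byebye on NOTIFY
        "st": headers.get("ST"),         # search target
        "usn": headers.get("USN"),       # unique service name
        "location": headers.get("LOCATION"),
    }


def summarize(datagrams) -> dict[str, int]:
    """Count datagrams per kind and per multicast/unicast destination."""
    counts: dict[str, int] = {}
    for d in datagrams:
        c = classify(d)
        key = f"{c['kind']}/{'multicast' if c['multicast'] else 'unicast'}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample datagrams (not taken from the asker's capture).
SAMPLE = [
    SsdpDatagram("192.168.1.20", "239.255.255.250", 1900,
                 b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                 b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
                 b"USN: uuid:example-device::upnp:rootdevice\r\n"
                 b"LOCATION: http://192.168.1.20:8080/desc.xml\r\n\r\n"),
    SsdpDatagram("192.168.1.35", "239.255.255.250", 1900,
                 b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                 b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"),
    SsdpDatagram("192.168.1.20", "192.168.1.35", 50000,
                 b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                 b"USN: uuid:example-device::upnp:rootdevice\r\n"
                 b"LOCATION: http://192.168.1.20:8080/desc.xml\r\n\r\n"),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(classify(d))
    print(summarize(SAMPLE))
```

Fed the three constructed datagrams, `summarize` reports one multicast announcement, one multicast search and one unicast search response; on a real capture the same split shows whether the SSDP volume is ordinary discovery chatter from devices on the LAN or something unusual, such as a flood of searches from a single source.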