
Number of packets jumped rapidly, why?

asked 2022-02-19 17:48:41 +0000

laurentz1241

updated 2022-02-19 19:51:17 +0000

I was sitting in an internet cafe shop in Thailand (I'm not Thai). All I did on the computer was open Duckduckgo.com to search for Wireshark and OBS Studio and install them. After running Wireshark, I saw the number of packets increase very fast.

There was no program running, but the number of packets jumped rapidly (video https://www.youtube.com/watch?v=2xoBF...) and then Wireshark got malfunctioned. Could somebody explain what's going on?


Comments

In the video the Task Manager shows a lot of network activity in the "Ethernet" graph (several Mbps). So it makes sense that Wireshark will show "increasing very fast" packet rate as well.

You were also copying something to the F: drive. Is this a NAS or file share? Or was OBS writing to a network drive? According to IANA, port 3260 is used by the iSCSI protocol (disk IO over network).

So you had three programs running using a lot of resources: Explorer, Wireshark and OBS. When the packet rate is very high and with the "update list of packets in real-time" option enabled, the GUI part of Wireshark may temporarily become unresponsive. Is that what you mean by "got malfunctioned"?

André (2022-02-20 10:59:02 +0000)

@André The large number of packets per second isn't from copying a file to the F drive. The file is a pcap file saved from a previous section. It can be seen in my #1 video https://www.youtube.com/watch?v=a9hmz... in which no file was being copied, but the number of packets still jumped rapidly.

laurentz1241 (2022-02-20 12:47:46 +0000)

Maybe examining the traffic in the capture file would show what happened.

grahamb (2022-02-20 14:11:51 +0000)

@grahamb I already checked the captured files (links in the video), but they don't show much information because they only show that 95% of the captured packets happened between my client computer and the managing computer of the shop owner. But the shop owner was sleeping on his chair, he must not have done something causing this rapid increase in captured packets.

laurentz1241 (2022-02-20 17:04:40 +0000)

A video is pretty much useless for analysis, you'll need to provide the capture file. You can upload it to a public file share and post a link to it back here. You may want to anonymise the file first e.g. using TraceWrangler.

grahamb (2022-02-20 20:13:34 +0000)

1 Answer


answered 2022-02-21 11:41:33 +0000

SYN-bit

@laurentz1241 The 95% traffic between your computer and the managing computer of the shop owner is iSCSI traffic. Which means the increase in traffic that you see is somehow storage traffic between these two systems. You need to find out why you have iSCSI traffic between your system and the managing computer. Did you mount a drive? Was there software installed on your system by the shop owner? What is the purpose of this software?

During the high packet rate, you can look up the port in the output of netstat -anp tcp -o and then look up the corresponding process ID (pid) with Task Manager (use the 'Details' tab) to see which program is using the TCP connection.

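The lookup described in the answer above, as an added PowerShell example that is not part of the original thread: it lists established TCP connections on port 3260 (the iSCSI port named in the comments), resolves each owning PID to its process, and then lists any sessions of the built-in Microsoft iSCSI initiator. It assumes Windows 8 or later; the variable names are illustrative, and a third-party initiator would not appear in the second listing.

```powershell
# Added example, not from the original thread.
# 3260 is the iSCSI port mentioned in the comments; change it to inspect another port.
$Port = 3260

# Established TCP connections where either end uses the port.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $Port -or $_.LocalPort -eq $Port }

if ($conns) {
    # Resolve each owning PID to a process name, executable path and command line
    # (the same mapping as netstat -o followed by Task Manager's Details tab).
    $report = foreach ($c in $conns) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        [pscustomobject]@{
            Local       = "$($c.LocalAddress):$($c.LocalPort)"
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            OwningPid   = $c.OwningProcess
            Process     = $proc.Name
            Path        = $proc.ExecutablePath   # empty for kernel-owned connections
            CommandLine = $proc.CommandLine
        }
    }
    $report | Format-List
} else {
    Write-Output "No established TCP connection on port $Port."
}

# Sessions of the Microsoft iSCSI initiator, if that service is in use.
# This answers "did you mount a drive?" for disks attached through that initiator.
Get-IscsiSession -ErrorAction SilentlyContinue |
    Select-Object TargetNodeAddress, InitiatorPortalAddress, IsConnected, IsPersistent |
    Format-List
```

Run it from an elevated PowerShell prompt while the packet rate is high, so the connection is still in the Established state and the process details are readable.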

Comments

@SYN-bit thanks for your answer and suggestions. There's only a USB flash drive (F drive) plugged in to copy saved .pcap files from the computer to the USB, but prior to plugging in the USB, the number of capture packets already increased rapidly. Additionally, there wasn't any software being installed on my computer by the shop owner at all because prior to my arrival in the internet shop he was sleeping, and after turning my computer on, he continued to sleep. It's worth stressing that this internet shop is not the only place where I encounter this issue. In other internet shops that I've never been to, I also encounter this issue, such as this https://www.youtube.com/watch?v=-clAs... and this https://www.youtube.com/watch?v=LKtxN... . These videos are long, so to save time for watching, you can click on timepoints ...(more)

laurentz1241 (2022-02-21 16:50:04 +0000)
