View Full Version : Constant incoming traffic chewing up newly capped bandwidth



m00kie
October 10th, 2008, 01:19 PM
With the newly implemented bandwidth cap policy at Comcast I, like many others, am starting to pay closer attention to my bandwidth usage. During a period of relative inactivity I noticed my monthly usage increasing at a rate that seemed inconsistent with my actual usage. I discovered that there is a constant stream of incoming data 24/7, at a fairly consistent rate of approximately 512 kbit/s (64 KB/s). This stream will chew up 5.5 GB per day, or 165 GB per month!

I have a WRT54GS running Tomato 1.21, and I am using the router's bandwidth monitor. My first attempt was to determine which device in my network was responsible for this traffic, but I found that with hard wired devices disconnected and wireless networking disabled, the incoming traffic continues.

I am a BitTorrent user, and started to think that what I was seeing might be a stream of incoming connection requests. To test this theory I changed my IP address. Before and after tests with whatsmyip.org confirmed that my IP address was successfully changed, but the traffic persisted.

Finally, I connected one of my machines directly to the cable modem, bypassing the router, and monitored bandwidth using DU Meter. To my surprise, DU Meter showed negligible incoming traffic, which stayed around 5 kbit/s. Now I'm totally confounded.

I am desperate to identify what the source of this traffic is and assess what I can do to eliminate or at least limit it. Any suggestions would be greatly appreciated!

kippies
October 10th, 2008, 02:29 PM
Have a look at this:

http://greyhat-security.com/index.php?option=com_content&view=article&id=60:very-basic-ip-tracing-by-abishek-datta&catid=40:networking&Itemid=60

Reconnect your network and run the netstat command.

In my case I found a lot of the traffic the router logged was LAN to LAN.

Your cap will apply to LAN to WAN and WAN to LAN.

Basically, if netstat is showing a lot of connections to local IPs 198.x.x.x, it's services on the internal network chewing the LAN bandwidth (in my case Media Player streaming to Xbox).

If it shows a lot of external IPs you could be the victim of a flood attack or a trojan calling home (less likely). The article above gives you the ports common trojans use.

drtoker
October 10th, 2008, 03:09 PM
I was about to say the same thing, then I got busy and minimized this post...
When connected to a network via a router you will have a lot of internal traffic, from broadcasts to who knows what (depends on what else is hooked up to your network).

I wouldn't worry about it; if things look OK when connected directly to the modem, everything should be fine.

Comcast said they were trying to program (LOL @ Trying) to monitor bandwidth for their cap. Who the heck knows why they haven't already made one, like it's that hard. They should have a website to show your traffic, would be easier for them, but what do I know, I'm just a computer tech...

slavik19
October 11th, 2008, 07:44 AM
I heard they're going to cap all the internet providers like Road Runner, Time Warner, Windstream... Is it true?

m00kie
October 11th, 2008, 08:38 AM
Thanks very much for your suggestions, but it really doesn't look like this traffic can be attributed to LAN chatter since the traffic persists even when all devices are disconnected (wireless disabled, no network cables connected except for the WAN uplink). Also, the bandwidth monitor shows which ports the traffic is flowing across, which is vlan1 (WAN) and eth0 (internal interface between router's CPU and the 6-port switch). I haven't yet mentioned that this traffic is only incoming. Download is 64 kbps, upload is 0 kbps. I did run netstat on the two PCs in the house, and at idle neither showed any external connections.
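
An added example, not part of the original thread: one way to cross-check a router's bandwidth graph is to take two snapshots of the Linux `/proc/net/dev` counters a known interval apart and compute per-interface receive and transmit rates, allowing for a 32-bit counter wrap between samples. It assumes the router exposes `/proc/net/dev` over a shell; the snapshots below are constructed, and `br0` is a hypothetical LAN bridge name added for contrast with the `vlan1` and `eth0` interfaces named in the post.

```python
# Added example: per-interface rates from two /proc/net/dev snapshots.
COUNTER_WRAP = 2 ** 32  # assumption: 32-bit byte counters (32-bit router kernel)

# Constructed sample snapshots taken 10 s apart (not data from the thread).
# vlan1 and eth0 are named in the post; br0 is a hypothetical LAN bridge.
HEADER = (
    "Inter-|   Receive                     |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast"
    "|bytes packets errs drop fifo colls carrier compressed\n"
)
SNAP_T0 = HEADER + (
    " vlan1:4294900000 9000 0 0 0 0 0 0 120000 800 0 0 0 0 0 0\n"
    "  eth0: 5000000 9100 0 0 0 0 0 0 130000 900 0 0 0 0 0 0\n"
    "   br0: 20000 100 0 0 0 0 0 0 30000 150 0 0 0 0 0 0\n"
)
SNAP_T1 = HEADER + (
    " vlan1:  572704 9500 0 0 0 0 0 0 120000 800 0 0 0 0 0 0\n"
    "  eth0: 5640000 9600 0 0 0 0 0 0 130000 900 0 0 0 0 0 0\n"
    "   br0: 20500 104 0 0 0 0 0 0 30000 150 0 0 0 0 0 0\n"
)

def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines have no "name:" prefix
        name, data = line.split(":", 1)  # also handles "vlan1:123" with no space
        fields = data.split()
        if len(fields) >= 9 and fields[0].isdigit():
            counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def rates(before, after, seconds):
    """Return {interface: (rx_B_per_s, tx_B_per_s)}, tolerating one counter wrap."""
    out = {}
    for name in before.keys() & after.keys():
        (rx0, tx0), (rx1, tx1) = before[name], after[name]
        out[name] = (((rx1 - rx0) % COUNTER_WRAP) / seconds,
                     ((tx1 - tx0) % COUNTER_WRAP) / seconds)
    return out

def gb_per_day(bytes_per_second):
    """Project a sustained rate to decimal gigabytes per day."""
    return bytes_per_second * 86400 / 1e9

if __name__ == "__main__":
    result = rates(parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1), 10)
    for name, (rx, tx) in sorted(result.items()):
        print(f"{name:6} rx {rx:8.0f} B/s  tx {tx:8.0f} B/s  ~{gb_per_day(rx):.2f} GB/day in")
```

In the constructed data the WAN-side counters rise at 64,000 B/s inbound with no outbound traffic while the LAN bridge stays near idle, which is the pattern the post describes.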

drtoker
October 13th, 2008, 07:25 AM
I would still say that if directly connected to the modem you are showing negligible traffic, then the traffic you're seeing when behind the router must be LAN.

Only way to verify that would probably be to call Comcast and have them monitor your bandwidth through your modem when you're connected behind the router, see if they see the same traffic.

Not sure if they can do this, but if they are capping as they said they would, they have to be able to monitor somehow.

carpefile
October 13th, 2008, 07:49 AM
Or even unplug from your WAN and see if it persists. The router itself is gonna be pinging just to keep tabs on what's where in your LAN.