I noticed that according to /proc/net/dev I am constantly receiving around 6Kb/s on my wireless usb interface. But I can't account for anything even close to that with the individual connections that I get with iptraf, iftop, and nethogs. Investigations with netstat, lsof, and tcpdump didn't help either.
So, what else could contribute to /proc/net/dev values? I can speculate that, while only IP based traffic is reported by the applications I mentioned, /proc/net/dev probably accounts for other link-layer/internet-layer stuff too (arp? icmp? wireless management stuff?). Or maybe other transport/application protocols. Can anyone confirm this?
How else would you proceed to find out: through what sockets are the 6Kb/s coming through? What processes are receiving the traffic?
[EDIT]
The 2 consistent results across all the tools:
- the totals of Rx are around a few Kb/s
- confirmed with /proc/net/dev, dstat, bmw-ng, cbm, iptraf, ifstat, gnome-system-monitor
- no connection/packet stream justifies that
- confirmed with netstat, tcpdump, iftop, nethogs, iptraf
All of this with a Netgear WDNA 4100 wireless usb adapter using a custom driver from some git (the only way I got it to work). I asked the devs about it here.
This might be malware, but I suspect the driver is simply reporting wrong totals. Nevertheless, I cannot explain what's going on for sure.
Best Answer
When dealing with applications that are using up network bandwidth the best tool I've come across for tying back utilization to specific apps has got to be
nethogs
.You can use
ip link show
ornetstat -i
to find out your network interface names.My wireless on my Fedora 19 laptop is
wlp3s0
, so we tellnethogs
to watch that:As you let
nethogs
run it will start to show you the applications that are consuming your network bandwidth.