Discussion:
Download Speed Miserable, then A-OK following PC reboot?
(PeteCresswell)
2018-06-01 20:47:01 UTC
This has been going on for several weeks: download speed on my mail client
and everything else I try is terrible - as in glacially slow.

Then I reboot the PC - just the PC, nothing else - and speeds return to
normal.

The weird part is that SpeedTest.net's numbers are about the same both before
and after.

So it's got to be something going South in my OS, right?

But what?
--
Pete Cresswell
VanguardLH
2018-06-02 01:16:11 UTC
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail
client and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return
to normal. The weird part is that SpeedTest.net's numbers are about
the same both before and after. So it's got to be something going
South in my OS, right? But what?
Disable your anti-virus and retest.

Many AVs include e-mail interrogation which generates delays to inspect
the e-mail traffic. In fact, if their transparent proxy becomes
unresponsive, e-mail traffic goes dead. E-mail interrogation is
superfluous. The added delay for interrogation can cause timeouts by
the client (waiting for traffic from the server since it is first told
of the new message, asks to retrieve it, but then has to wait longer) or
by the server (client tells server about a new message, the server
readies, but has to wait longer). It affords no more protection or
malware detection coverage than does the on-access (real-time) scanner.
In fact, the same scanner is used for on-access protection and to
interrogate e-mail traffic.

Attachments are not floating separate of an e-mail. They are long
encoded *text* strings in MIME sections within the body of the e-mail.
As text strings, they pose no threat to your computer. Only when they
are extracted from the e-mail to put into a file, and if a correct
filetype (e.g., .exe), may the malware then be in an executable form to
cause harm. On extraction, a new file gets created which triggers the
AV's on-access scanner to check the newly created file.

E-mail scanning is superfluous. It is used to bloat the feature set.
Marketing loves this kind of bloat. Disable e-mail scanning in the AV
program or uninstall that module in the AV product.

Since the AV's e-mail scan module is not interrogating the Speedtest
traffic (it isn't e-mail traffic), there is no impact by the AV on
Speedtest's transfer to measure network speed.

You never mentioned WHAT e-mail client you use. Could be a setting has
changed which affects transfer speed of messages. For example, an AV
might install an add-on or the e-mail can be configured to pass newly
retrieved messages to an AV program that then has to interrogate that
e-mail traffic and inspect its content for suspicious content - something
the AV's on-access scanner already does *if* and when the user decides
to extract an attachment from an e-mail.

If disabling e-mail scanning in the AV program doesn't help, see if
[temporarily] disabling the entire AV program helps. If that doesn't
work then use msconfig.exe or SysInternals' AutoRuns to disable all
startup programs, reboot Windows, and test again to see if a startup
program is interfering with e-mail traffic.
J. P. Gilliver (John)
2018-06-02 06:38:32 UTC
Post by VanguardLH
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail
client and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return
to normal. The weird part is that SpeedTest.net's numbers are about
the same both before and after. So it's got to be something going
South in my OS, right? But what?
Disable your anti-virus and retest.
Many AVs include e-mail interrogation which generates delays to inspect
[long rant about email AV scanning deleted]
Post by VanguardLH
startup programs, reboot Windows, and test again to see if a startup
program is interfering with e-mail traffic.
I think you saw Pete's mention of email, and this triggered your red
mist ...

Though I tend to agree with you that AV scanning of emails is largely
unnecessary, you missed his words "and everything else" - and, you
haven't explained how, if that _were_ the cause, a reboot would make it
return to normal for a while.

Not, I'm afraid, that I have a solution to the problem - I just don't
think that AV scanning of emails is the cause.

I have BitMeter2 (http://codebox.org.uk/pages/bitmeter2), with the audio
turned on, and set to 100 kB (which IIRR is the default). I find this a
useful way of monitoring what's going on - it won't solve any problems,
of course, but I find it useful as a monitor (that I don't have to
watch). [I'm sure other similar utilities are available.]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

If you want to make people angry, lie to them. If you want to make them
absolutely livid, then tell 'em the truth.
VanguardLH
2018-06-02 07:32:02 UTC
Post by J. P. Gilliver (John)
Post by VanguardLH
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail
client and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return
to normal. The weird part is that SpeedTest.net's numbers are about
the same both before and after. So it's got to be something going
South in my OS, right? But what?
Disable your anti-virus and retest.
I think you saw Pete's mention of email, and this triggered your red
mist ...
Yep, it was the ONLY network traffic that Pete reported as being
glacially slow. "Everything else" gives almost nothing to work on.
Post by J. P. Gilliver (John)
Though I tend to agree with you that AV scanning of emails is largely
unnecessary, you missed his words "and everything else" - and, you
haven't explained how, if that _were_ the cause, a reboot would make it
return to normal for a while.
Disable the anti-virus and retest.

E-mail interrogation is just one function in many AVs. "Everything
else" isn't specific. AVs also interrogate HTTP traffic. Some can even
interrogate HTTPS traffic if you let them install their root cert in
your local cert store or in the web browser's cert store (in the case of
Firefox which uses its own private cert store instead of the global one
handled by the OS). If the other protocols use standard port numbers
then many AVs can also interrogate traffic using other protocols on
those common ports.

The AV may not affect all sites, so Speedtest might slip past; however,
since Pete said e-mail was glacially slow and so was "everything else"
which often points to web traffic and yet web traffic was not slow for
the Speedtest site. All we have is e-mail (but not client nor protocol)
and "something" else which is unidentified for network traffic.

"e-mail and everything else" is like when someone says, "it's <this> or
something". Well, the "or something" covers everything else, the
statement becomes global to everything and anything (if not feasible),
so all they've said is "it's something". Well, duh. Hardly narrows
down what you actually observed or experienced. Does "everything else"
include FTP[S], telnet, XMPP chat, VOIP, HTTP only or HTTPS only or
both, NNTP, SCP, NTP, DNS, BitTorrent, Finger, SSH, or ... what
specifically? Does "e-mail" mean POP, IMAP, SMTP, Exchange, WebDAV
(some e-mail sites still support it), or some other e-mail protocol that
I'm not including right now? Impossible for others to know just what
"everything else" is without knowing in which apps the OP is
experiencing glacial network response.

I picked e-mail (which could be POP, IMAP, SMTP, WebDAV, Exchange).
Neither the e-mail client nor the account access protocol were
mentioned. "E-mail" (and only that protocol group) seemed as good a
choice as any other on which to focus, especially since that was the
only one mentioned. I don't know how to troubleshoot "everything else"
other than to give generic help as in "Disable anti-virus and retest"
and "Disable all startup programs and retest" (although "reboot Windows
into its safe mode w/networking and retest" might be a bit easier).
(PeteCresswell)
2018-06-05 14:39:15 UTC
Post by VanguardLH
"e-mail and everything else" is like when someone says, "it's <this> or
something". Well, the "or something" covers everything else, the
statement becomes global to everything and anything (if not feasible),
so all they've said is "it's something".
My Bad.... and it drives *me* nuts when people come to me with vague
generalities....

In my little world, "Everything Else" is the load time for web pages.

Going to install BitMeter II, wait for a recurrence of the problem; and then,
instead of re-booting, try disabling Avast's mail scanner (although that
would seem tb moot in light of the web page load time thing... but I might be
wrong about the web pages and some coincident situation may have been
present)
--
Pete Cresswell
Wolf K
2018-06-05 14:52:10 UTC
Post by (PeteCresswell)
Post by VanguardLH
"e-mail and everything else" is like when someone says, "it's <this> or
something". Well, the "or something" covers everything else, the
statement becomes global to everything and anything (if not feasible),
so all they've said is "it's something".
My Bad.... and it drives *me* nuts when people come to me with vague
generalities....
In my little world, "Everything Else" is the load time for web pages. [...]
Sounds like a load of background stuff being loaded, eg page components
and 3rd-party snoop-links. You won't see those links, but they will be
there doing their stuff.

FWIW, I use Extended Status Bar 2.0,.5, it shows what's being loaded,
net speed, percentage of page completed, etc. Even with AdBlock, a hell
of a lot of stuff is downloaded, even with "simple" pages.
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
Char Jackson
2018-06-05 15:17:13 UTC
Post by (PeteCresswell)
Post by VanguardLH
"e-mail and everything else" is like when someone says, "it's <this> or
something". Well, the "or something" covers everything else, the
statement becomes global to everything and anything (if not feasible),
so all they've said is "it's something".
My Bad.... and it drives *me* nuts when people come to me with vague
generalities....
In my little world, "Everything Else" is the load time for web pages.
Going to install BitMeter II, wait for a recurrence of the problem; and then,
instead of re-booting, try disabling Avast's mail scanner (although that
would seem tb moot in light of the web page load time thing... but I might be
wrong about the web pages and some coincident situation may have been
present)
You might also take a look at a program called LAN Speed Test, available
here: https://totusoft.com/lanspeed

They have a free and a paid version, but it seems to be all in a single
download. It's been a while since I installed it and I don't remember
clearly, but the website says this:

"After installing LAN Speed Test v4, it begins in (Lite) mode. LAN Speed
Test (Lite) is fully functional with no time limits, etc. - only some of
the more advanced features are disabled."

You don't need the advanced features for a simple test. Anyway, the idea
is to test the speed of your LAN (you'll need a second PC) so that you
can rule out your local PC. When email and web get slow, test your speed
to another PC on your LAN. If it's as fast as it normally is, the
problem isn't your PC. If it's slower than normal, it could be your PC.
Test the Internet stuff from your second PC.
--
Char Jackson
VanguardLH
2018-06-06 03:09:53 UTC
Post by (PeteCresswell)
Post by VanguardLH
"e-mail and everything else" is like when someone says, "it's <this> or
something". Well, the "or something" covers everything else, the
statement becomes global to everything and anything (if not feasible),
so all they've said is "it's something".
My Bad.... and it drives *me* nuts when people come to me with vague
generalities....
In my little world, "Everything Else" is the load time for web pages.
Going to install BitMeter II, wait for a recurrence of the problem; and then,
instead of re-booting, try disabling Avast's mail scanner (although that
would seem tb moot in light of the web page load time thing... but I might be
wrong about the web pages and some coincident situation may have been
present)
Disabling/removing/uninstalling the e-mail scanner in Avast was a
suggestion to get rid of superfluous bloat in the program.

Disabling ALL of Avast (you can disable permanently, for 10 minutes, or
until the next Windows reboot) is what I suggested to look at your
sluggish network speed.

If that didn't help, running the web browser in its safe mode would be my
next suggestion. That would eliminate interference by any add-ons you
installed into the web browser. Those could affect bandwidth but not
e-mail unless "e-mail" to you is using the e-mail provider's webmail
client via web browser. You said "mail client" so it appears you are
using a local e-mail client, not a web browser, which means e-mail
traffic (POP, IMAP, SMTP, Exchange) was slow and so was HTTP/S traffic.
The AV could be common to both e-mail and web traffic: if you installed
Avast's Mail Shield then it interrogates your e-mail traffic, and Avast
will monitor your web traffic (but HTTPS can only be monitored if that
option is enabled in Avast).

Do you run any other anti-malware other than Avast? While you can have
multiple AVs installed, only one should be active at a time. You
install one to be the on-access (real-time) scanner and use the others
ONLY for manually-instigated scans.
(PeteCresswell)
2018-06-14 23:45:49 UTC
Post by J. P. Gilliver (John)
I have BitMeter2 (http://codebox.org.uk/pages/bitmeter2), with the audio
turned on, and set to 100 kB (which IIRR is the default). I find this a
useful way of monitoring what's going on
Have been watching the BitMeter numbers for a few days now and am puzzled by
the Upload numbers.

Seems tb a constant stream (about 4 gigs/hour) of upload activity.

Or am I not reading it right:
--------------------------------------------
Time Date Downloaded Uploaded Both Directions
17:00-18:00 6/13/2018 4,869,820,558 9,740,277,884 14,610,098,442
16:00-17:00 6/13/2018 26,795,785,316 5,811,039,039 32,606,824,355
15:00-16:00 6/13/2018 27,773,465,836 5,889,576,609 33,663,042,445
14:00-15:00 6/13/2018 51,289,619,672 5,720,544,725 57,010,164,397
13:00-14:00 6/13/2018 29,723,882,897 4,743,159,808 34,467,042,705
12:00-13:00 6/13/2018 46,173,670,023 5,079,576,195 51,253,246,218
11:00-12:00 6/13/2018 27,101,647,399 4,503,602,022 31,605,249,421
10:00-11:00 6/13/2018 27,068,597,293 4,575,853,604 31,644,450,897
09:00-10:00 6/13/2018 26,060,657,588 4,572,366,433 30,633,024,021
08:00-09:00 6/13/2018 34,545,416,596 4,624,677,899 39,170,094,495
07:00-08:00 6/13/2018 35,277,437,209 4,482,902,340 39,760,339,549
06:00-07:00 6/13/2018 26,661,293,052 4,500,661,541 31,161,954,593
05:00-06:00 6/13/2018 29,110,852,533 4,443,190,213 33,554,042,746
04:00-05:00 6/13/2018 30,605,391,246 4,592,592,632 35,197,983,878
03:00-04:00 6/13/2018 32,557,987,426 4,812,075,729 37,370,063,155
02:00-03:00 6/13/2018 31,169,526,473 5,186,570,054 36,356,096,527
01:00-02:00 6/13/2018 30,688,020,806 7,872,368,493 38,560,389,299
00:00-01:00 6/13/2018 32,869,953,380 4,539,795,659 37,409,749,039
23:00-00:00 6/12/2018 34,852,944,906 4,642,765,341 39,495,710,247
22:00-23:00 6/12/2018 30,563,017,612 4,709,557,928 35,272,575,540
21:00-22:00 6/12/2018 30,519,792,213 4,262,828,380 34,782,620,593
20:00-21:00 6/12/2018 26,610,853,481 3,114,759,125 29,725,612,606
19:00-20:00 6/12/2018 30,337,013,503 8,903,623,768 39,240,637,271
18:00-19:00 6/12/2018 53,871,720,485 5,862,303,423 59,734,023,908
17:00-18:00 6/12/2018 41,313,271,665 18,608,665,875 59,921,937,540
16:00-17:00 6/12/2018 53,083,789,280 27,288,721,549 80,372,510,829
15:00-16:00 6/12/2018 28,392,219,850 5,842,216,328 34,234,436,178
14:00-15:00 6/12/2018 31,920,737,876 5,876,768,345 37,797,506,221
13:00-14:00 6/12/2018 28,076,997,805 7,118,159,898 35,195,157,703
12:00-13:00 6/12/2018 28,419,391,797 6,558,277,139 34,977,668,936
11:00-12:00 6/12/2018 28,154,730,241 5,953,469,092 34,108,199,333
10:00-11:00 6/12/2018 27,331,219,052 5,718,509,807 33,049,728,859
09:00-10:00 6/12/2018 26,240,868,675 5,248,320,374 31,489,189,049
08:00-09:00 6/12/2018 34,304,311,024 5,747,460,612 40,051,771,636
07:00-08:00 6/12/2018 35,537,705,478 5,812,964,467 41,350,669,945
06:00-07:00 6/12/2018 26,522,162,836 5,824,744,258 32,346,907,094
05:00-06:00 6/12/2018 27,685,552,396 5,983,519,423 33,669,071,819
04:00-05:00 6/12/2018 30,532,265,779 5,919,154,282 36,451,420,061
03:00-04:00 6/12/2018 31,764,717,931 6,203,738,118 37,968,456,049
02:00-03:00 6/12/2018 31,049,954,889 6,404,692,250 37,454,647,139
01:00-02:00 6/12/2018 30,928,931,100 6,049,601,510 36,978,532,610
00:00-01:00 6/12/2018 32,940,561,309 8,505,139,068 41,445,700,377
23:00-00:00 6/11/2018 35,154,954,480 5,962,429,799 41,117,384,279
22:00-23:00 6/11/2018 31,106,465,232 5,968,135,513 37,074,600,745
21:00-22:00 6/11/2018 30,747,703,943 4,892,555,420 35,640,259,363
20:00-21:00 6/11/2018 31,621,706,489 5,328,784,552 36,950,491,041
19:00-20:00 6/11/2018 30,985,422,620 5,967,181,512 36,952,604,132
18:00-19:00 6/11/2018 35,159,672,573 5,715,406,034 40,875,078,607
17:00-18:00 6/11/2018 26,666,398,462 6,008,878,016 32,675,276,478
16:00-17:00 6/11/2018 26,873,172,902 5,768,784,729 32,641,957,631
15:00-16:00 6/11/2018 27,110,029,199 6,004,525,050 33,114,554,249
14:00-15:00 6/11/2018 34,461,200,183 5,685,351,163 40,146,551,346
13:00-14:00 6/11/2018 26,105,596,331 3,432,786,581 29,538,382,912
12:00-13:00 6/11/2018 26,041,233,509 5,324,126,178 31,365,359,687
11:00-12:00 6/11/2018 27,563,621,653 6,072,760,950 33,636,382,603
10:00-11:00 6/11/2018 26,244,854,398 6,120,726,626 32,365,581,024
09:00-10:00 6/11/2018 26,212,526,229 5,080,872,973 31,293,399,202
08:00-09:00 6/11/2018 33,135,380,769 2,068,330,693 35,203,711,462
07:00-08:00 6/11/2018 35,627,061,352 5,486,461,436 41,113,522,788
06:00-07:00 6/11/2018 27,086,380,545 5,688,869,233 32,775,249,778
05:00-06:00 6/11/2018 28,836,736,809 5,433,465,168 34,270,201,977
04:00-05:00 6/11/2018 31,540,566,024 5,090,993,283 36,631,559,307
03:00-04:00 6/11/2018 32,927,634,816 5,441,779,437 38,369,414,253
02:00-03:00 6/11/2018 33,167,318,217 5,669,602,480 38,836,920,697
01:00-02:00 6/11/2018 30,707,474,985 5,296,709,958 36,004,184,943
00:00-01:00 6/11/2018 32,737,460,329 9,266,888,106 42,004,348,435
23:00-00:00 6/10/2018 31,919,574,642 5,355,309,469 37,274,884,111
22:00-23:00 6/10/2018 31,680,510,208 5,091,875,621 36,772,385,829
21:00-22:00 6/10/2018 31,687,536,318 5,149,156,999 36,836,693,317
20:00-21:00 6/10/2018 29,392,504,291 2,732,379,286 32,124,883,577
19:00-20:00 6/10/2018 38,215,414,181 2,629,098,536 40,844,512,717
18:00-19:00 6/10/2018 33,492,707,602 5,489,755,315 38,982,462,917
17:00-18:00 6/10/2018 31,890,576,103 5,052,860,634 36,943,436,737
16:00-17:00 6/10/2018 29,867,617,774 4,624,070,580 34,491,688,354
15:00-16:00 6/10/2018 29,947,060,185 4,866,484,407 34,813,544,592
14:00-15:00 6/10/2018 30,241,687,961 8,277,745,623 38,519,433,584
13:00-14:00 6/10/2018 30,655,426,686 10,467,270,256 41,122,696,942
12:00-13:00 6/10/2018 30,069,417,522 3,959,409,210 34,028,826,732
11:00-12:00 6/10/2018 35,731,968,195 4,955,768,944 40,687,737,139
10:00-11:00 6/10/2018 36,721,423,025 6,921,979,664 43,643,402,689
09:00-10:00 6/10/2018 40,068,047,790 4,671,569,021 44,739,616,811
08:00-09:00 6/10/2018 26,859,762,774 5,208,989,254 32,068,752,028
07:00-08:00 6/10/2018 26,652,489,103 5,809,073,748 32,461,562,851
06:00-07:00 6/10/2018 29,441,228,939 5,597,752,429 35,038,981,368
05:00-06:00 6/10/2018 29,227,262,029 5,736,512,618 34,963,774,647
04:00-05:00 6/10/2018 31,217,952,001 5,782,814,793 37,000,766,794
03:00-04:00 6/10/2018 32,125,400,330 6,195,225,624 38,320,625,954
02:00-03:00 6/10/2018 31,219,082,381 6,309,864,626 37,528,947,007
01:00-02:00 6/10/2018 30,791,398,838 5,862,182,114 36,653,580,952
00:00-01:00 6/10/2018 30,759,124,698 6,375,503,464 37,134,628,162
23:00-00:00 6/9/2018 31,169,496,212 5,875,544,667 37,045,040,879
22:00-23:00 6/9/2018 35,143,597,910 5,816,278,248 40,959,876,158
21:00-22:00 6/9/2018 35,417,360,264 6,216,591,366 41,633,951,630
20:00-21:00 6/9/2018 27,967,682,776 5,704,476,451 33,672,159,227
19:00-20:00 6/9/2018 26,991,508,403 4,922,038,491 31,913,546,894
18:00-19:00 6/9/2018 28,564,288,507 5,218,466,555 33,782,755,062
17:00-18:00 6/9/2018 28,849,394,243 5,739,819,164 34,589,213,407

--------------------------------------------
--
Pete Cresswell
Wolf K
2018-06-15 00:56:15 UTC
Post by (PeteCresswell)
Post by J. P. Gilliver (John)
I have BitMeter2 (http://codebox.org.uk/pages/bitmeter2), with the audio
turned on, and set to 100 kB (which IIRR is the default). I find this a
useful way of monitoring what's going on
Have been watching the BitMeter numbers for a few days now and am puzzled by
the Upload numbers.
Seems tb a constant stream (about 4 gigs/hour) of upload activity.
--------------------------------------------
Time Date Downloaded Uploaded Both Directions
17:00-18:00 6/13/2018 4,869,820,558 9,740,277,884 14,610,098,442
[...]

Have you used one of the torrent download clients? If so, your machine
is probably now a torrent server.

Or else it's infected with a bot.

Good luck.
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
VanguardLH
2018-06-15 01:55:42 UTC
Post by Wolf K
Post by (PeteCresswell)
Have been watching the BitMeter numbers for a few days now and am
puzzled by the Upload numbers. Seems tb a constant stream (about 4
gigs/hour) of upload activity.
Have you used one of the torrent download clients? If so, your machine
is probably now a torrent server.
Or else it's infected with a bot.
Not just torrent. Some of the "free" VPN clients will steal bandwidth
to sell elsewhere. If you don't subscribe to the sharing service, they
throttle your downstream bandwidth. Hola was one that sold your
bandwidth for their "free" service. You became a Tor-like exit node for
Hola's paid service customers.

https://www.pcworld.com/article/2928340/ultra-popular-hola-vpn-extension-sold-your-bandwidth-for-use-in-a-botnet-attack.html
https://en.wikipedia.org/wiki/Hola_(VPN)#Criticism

Articles mention that Betternet VPN uses 14 tracking libraries in their
client. Other free VPNs were found to be malicious: VPN Free,
Tigervpns, Rocket VPN, Cyberghost, and EasyOVPN.

https://fossbytes.com/is-free-vpn-safe/

From reading about VPNs, the only secure ones are those you pay for (and
only some of those, not all of them) or the one with a known and single
endpoint, like the one your employer grants a loaner laptop they give
you to work from home (which usually means you connect to a "safe"
subnet in their corporate network which might restrict access to some
hosts - as it did when trying to get through the corporate network to
our alpha lab hosts on a different subnet until they changed host
permissions for that work-at-home laptop). Of the paid VPN services, I
remember reading several security and vulnerability white papers about
them and only a couple were secure. Many articles just list their
favorites for VPNs without actually ever probing or testing them.

Android VPN apps generally suck. 84% of them were found to leak the
user's true IP address, especially when it came to using IPv6. Many
were okay (not all) in secreting the user's IPv4 address but couldn't
handle IPv6 so they just passed it onto the target host thus exposing
the user's true IP address. DNS leaks are another test of VPN security:
connect to a VPN server outside your country and use DNS tools (e.g.,
dnsleaktest.com) to see if IP address, location, and other details
matching your ISP get leaked. A secure VPN service must provide their
own encrypted DNS system.

WebRTC (used within web browsers) can leak your intranet IP address
(what you get from your router's DHCP server or the static IP address
you assigned to your host). Many sites and users don't like outsiders
from mapping their internal network. WebRTC gets used in voice and
video chat clients along with P2P filesharing without the need to
install plug-ins into the web browser. The VPN cannot stop that leak
since it is the web browser as client issuing WebRTC API calls to the
server. Disabling WebRTC in the web browser, if an option, plugs that
leak. In Firefox in about:config, "media.peerconnection.enabled" is set
to False (disabled). In Google Chrome, you used to be able to go to
chrome://flags/#disable-webrtc to enable the disable. As typical of
experimental code with Chrome, this one went away. Now you have to
install an extension to disable WebRTC (e.g.,
https://chrome.google.com/webstore/detail/webrtc-control/fjkmabmdepjfammlpliljpnbhleegehm).

Go to ipleak.net. See if its WebRTC reveals your intranet IP address.
With Firefox and media.peerconnection.enabled = False, ipleak.net cannot
discover my intranet IP address. In Google Chrome where there is no
longer a disable WebRTC option (and no add-on installed to disable
WebRTC), yep, ipleak.net uses RTC to get my intranet IP address. With
the WebRTC Control add-on installed in Google Chrome, ipleak.net cannot
use RTC to get my intranet IP address. Lots of features have been added
to web browsers that are anti-security to the user just because, gee, sites
like to use the features and the web browser authors are catering to the
sites' desires, not yours.

WebRTC relies on Javascript -- but who wants to disable Javascript in
their web browser which squashes the content at most sites? Besides
using Javascript to make web pages interactive, many sites have gone to
dynamic content which uses Javascript to decide what content you get.
WebRTC is not a VPN security issue. It is a web browser issue that can
remain exposed over a VPN.

Tor might be one reason for the constant upstream traffic. Anything
like Tor, like a VPN usurping a portion of your idle bandwidth, is
another cause. Time the OP kills all startup programs to enable them
one at a time to narrow into which one generates all the traffic ...
assuming SysInternals' TCPview, Wireshark, or another network monitor
doesn't expose the process generating all the upstream traffic. Yep,
malware can steal bandwidth, too, either to steal your files or employ
you as one of their zombies.
Wolf K
2018-06-15 12:55:15 UTC
Post by VanguardLH
Post by Wolf K
Post by (PeteCresswell)
Have been watching the BitMeter numbers for a few days now and am
puzzled by the Upload numbers. Seems tb a constant stream (about 4
gigs/hour) of upload activity.
Have you used one of the torrent download clients? If so, your machine
is probably now a torrent server.
Or else it's infected with a bot.
Not just torrent. Some of the "free" VPN clients will steal bandwidth
to sell elsewhere. I
[snip useful info, FFR]

Thanks, didn't know that.
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
(PeteCresswell)
2018-06-15 14:04:57 UTC
Post by VanguardLH
Go to ipleak.net. See if its WebRTC reveals your intranet IP address.
With Firefox and media.peerconnection.enabled = False, ipleak.net cannot
discover my intranet IP address.
I am using "Private Internet Access" (a paid service) and it *seems* like
ipleak is happy with it.... at least it shows an IP different from my "Real"
IP address.
--
Pete Cresswell
VanguardLH
2018-06-15 22:01:04 UTC
Post by (PeteCresswell)
Post by VanguardLH
Go to ipleak.net. See if its WebRTC reveals your intranet IP
address. With Firefox and media.peerconnection.enabled = False,
ipleak.net cannot discover my intranet IP address.
I am using "Private Internet Access" (a paid service) and it *seems*
like ipleak is happy with it.... at least it shows an IP different
from my "Real" IP address.
How about the IP address shown by ipleak.net when they use WebRTC?
That will, if allowed, show the IP address of your host, not the
WAN-side IP address of your router.
(PeteCresswell)
2018-06-17 14:06:37 UTC
Post by VanguardLH
How about the IP address shown by ipleak.net when they use WebRTC?
It shows "10.34.106", which is nothing familiar to me.

OTOH, the "Block:" property is 10.0.0/8 and 10.0.0 is my LAN's base address
template. OTOOH, "8" is not the addr of my PC (although it does happen to
be the addr of one of my NAS boxes).

This is all way above my pay grade... Does it still sound like I'm good
privacy-wise?

I can post screen shots of ipleak's output if anybody wants.
--
Pete Cresswell
Char Jackson
2018-06-17 15:18:41 UTC
Post by (PeteCresswell)
Post by VanguardLH
How about the IP address shown by ipleak.net when they use WebRTC?
It shows "10.34.106", which is nothing familiar to me.
IPv4 addresses have *4* octets, not just 3, so the address above is
incomplete.
Post by (PeteCresswell)
OTOH, the "Block:" property is 10.0.0/8
That's almost certainly 10.0.0.0/8 <-- note the addition of the 4th
octet.
Post by (PeteCresswell)
and 10.0.0 is my LAN's base address template.
That should be 10.0.0.0.
Post by (PeteCresswell)
OTOOH, "8" is not the addr of my PC (although it does happen to
be the addr of one of my NAS boxes).
The "8" in the example above is your network mask. Note that it's
delimited by the "/" rather than a ".". It tells you that almost
anything with a 10.x.x.x is valid for your LAN, with the obvious
exceptions of 10.0.0.0 (refers to 'this network') and 10.0.0.255
(broadcast address for your subnet), which are reserved in your case.
One additional IP address in that huge range will be used by your
gateway, so everything else is available for you to use.

That address range isn't Internet-routable (RFC1918). Therefore, it's
being NAT'd somewhere, either by you or by your ISP.
Post by (PeteCresswell)
This is all way above my pay grade... Does it still sound like I'm good
privacy-wise?
We see that you're using RFC1918 addresses, so IMHO you're not a good
target for further investigation. You'd be a more exciting target if
your LAN hosts used routable IPs. Bottom line, IMHO, I don't think you
have anything to worry about via WebRTC.
--
Char Jackson
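
Added example (not part of any post in this thread): the address checks discussed above, applied to the kind of ICE candidate lines a WebRTC leak test reads from the browser. The candidate lines, the 10.0.0.5 host and the function names are constructed for illustration; 203.0.113.7 is a documentation address standing in for a WAN-side address.

```python
import ipaddress

# RFC 1918 ranges: not Internet-routable, so they identify a host behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ICE candidate lines. Field order: foundation, component,
# transport, priority, address, port, "typ", candidate type, then optional
# key/value pairs such as raddr/rport.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 10.0.0.5 54321 typ host",
    "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 10.0.0.5 rport 54321",
    "candidate:3 1 udp 2122260223 10.34.106 54321 typ host",  # three octets, as quoted in the thread
]


def parse_block(text):
    """Return the network for a CIDR string, or None if it is incomplete or invalid."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def is_rfc1918(addr_text):
    """True only for a complete, valid address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify_candidate(line):
    """Return (verdict, candidate_type, address_text) for one candidate line."""
    fields = line.split()
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        return ("malformed", None, None)
    addr_text, cand_type = fields[4], fields[7]
    try:
        ipaddress.ip_address(addr_text)
    except ValueError:
        return ("invalid-address", cand_type, addr_text)
    verdict = "rfc1918" if is_rfc1918(addr_text) else "not-rfc1918"
    return (verdict, cand_type, addr_text)


def exposed_private_addresses(lines):
    """Collect every RFC 1918 address visible to the page, including raddr values."""
    seen = set()
    for line in lines:
        fields = line.split()
        if len(fields) >= 8 and is_rfc1918(fields[4]):
            seen.add(fields[4])
        # A server-reflexive candidate can also carry the local address in raddr.
        for i, token in enumerate(fields[:-1]):
            if token == "raddr" and is_rfc1918(fields[i + 1]):
                seen.add(fields[i + 1])
    return sorted(seen)


if __name__ == "__main__":
    for candidate in SAMPLE_CANDIDATES:
        print(classify_candidate(candidate))
    print("LAN addresses visible to the page:", exposed_private_addresses(SAMPLE_CANDIDATES))
    print("10.0.0/8 parses as:", parse_block("10.0.0/8"))
    print("10.0.0.0/8 parses as:", parse_block("10.0.0.0/8"))
```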
VanguardLH
2018-06-17 18:55:27 UTC
Post by (PeteCresswell)
Post by VanguardLH
How about the IP address shown by ipleak.net when they use WebRTC?
It shows "10.34.106", which is nothing familiar to me.
I'll assume you accidentally omitted a period character (".") in that IP
address, probably in the last 3 digits; else, it is not valid.

That is the intranet IP address of your computer assigned by your
router's or cable modem's DHCP server or a static IP address assigned to
the host (in which case, someone had to go into the DNS config to change
to static since dynamic is the default).

That they reported an IP address discovered using WebRTC means there is
a WebRTC leak exposing the IP addresses inside your intranetwork (i.e.,
past any router's firewall or any software firewall you use on your
intranet hosts).

Whatever web browser you used to visit ipleak.net supports WebRTC and,
as a client, is divulging your host's intranet IP address. Whether you
care or not depends on whether or not you want any site you visit from
mapping out your intranet.

3rd party firewalls and some VPNs can block WebRTC traffic. I think
they block traffic on the RDP (5004) and STUN/TURN (3478) ports but that
would seem to affect intranet and Internet traffic. In a firewall in
the router or a gateway, they could block only the traffic that crosses
the router or gateway and not for intranet traffic that should merely go
through the router's/gateway's switching function (to route traffic
between intranet hosts).

https://tools.ietf.org/id/draft-jennings-behave-rtcweb-firewall-01.html
"In general WebRTC media can be sent on a wide range of UDP ports but
the two ports that are commonly used are the RTP port (5004) and
TURN port (3478). Some firewalls MAY choose to only allow flows where
the destination port on the outside of the firewall is one of these."

However, blocking the RTP port seems like it would have a wider-ranging effect
than just blocking WebRTC.

https://en.wikipedia.org/wiki/Real-time_Transport_Protocol

Any port could be used. WebSockets would use port 80 (which HTTP uses).
The IETF article mentions, "STUN messages all have a magic cookie value
of 0x2112A442 in the 4th to 8th byte." Since firewalls inspect the
packets, maybe that's how they snag the WebRTC traffic. The following
article mentions the protocols involved with WebRTC:

https://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

The firewall in my router is basic: it's just a consumer-grade router
with a stateful firewall to block unsolicited inbound connection
requests (with a few options for user configuration). I don't bother
operating a gateway host or a firewall appliance before the router or
between the router and cable modem to run an enterprise-grade firewall.
I don't bother with 3rd party firewalls on my home PCs. I just disable
WebRTC in my web browsers since that's the only intrusion vector on my
computers that can use WebRTC.
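Added example (not part of the original thread): a sketch of the magic-cookie check quoted in the post above, classifying UDP payloads as STUN by header content rather than by port, and decoding the XOR-MAPPED-ADDRESS attribute that carries the address a STUN server reports back. The function names and all sample packets are constructed for illustration; field layouts follow RFC 5389.

```python
"""Classify UDP payloads as STUN by header checks instead of port numbers."""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442   # value quoted in the post; sits in header bytes 4..7
HEADER_LEN = 20             # type(2) + length(2) + cookie(4) + transaction id(12)
XOR_MAPPED_ADDRESS = 0x0020
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}


def _decode_xor_mapped(value, txid):
    """Undo the XOR masking and return (address, port), or None if malformed."""
    if len(value) < 8:
        return None
    family, xport = struct.unpack("!xBH", value[:4])
    key = struct.pack("!I", MAGIC_COOKIE) + txid
    raw = bytes(a ^ b for a, b in zip(value[4:], key))
    if family == 0x01 and len(raw) == 4:
        addr = ipaddress.IPv4Address(raw)
    elif family == 0x02 and len(raw) == 16:
        addr = ipaddress.IPv6Address(raw)
    else:
        return None
    return str(addr), xport ^ (MAGIC_COOKIE >> 16)


def parse_stun(payload):
    """Return a summary dict for a STUN message, or None for anything else."""
    if len(payload) < HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # The two top bits of a STUN message are zero; RTP sets them to binary 10.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        return None
    # The length field counts the bytes after the header, in multiples of 4.
    if length % 4 or HEADER_LEN + length != len(payload):
        return None
    txid = payload[8:20]
    cls = ((msg_type >> 7) & 0x2) | ((msg_type >> 4) & 0x1)
    method = ((msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1)
              | ((msg_type & 0x3E00) >> 2))
    info = {"class": CLASSES[cls], "method": method,
            "txid": txid.hex(), "mapped": None}
    pos = HEADER_LEN
    while pos + 4 <= len(payload):
        attr_type, attr_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            return None          # attribute runs past the datagram
        if attr_type == XOR_MAPPED_ADDRESS:
            info["mapped"] = _decode_xor_mapped(value, txid)
        pos += 4 + attr_len + (-attr_len % 4)   # values are padded to 4 bytes
    return info


def classify(samples):
    """Label each named payload 'stun' or 'other'."""
    return {name: "stun" if parse_stun(p) else "other"
            for name, p in samples.items()}


def _build(msg_type, txid, attrs=b""):
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + txid + attrs


# --- constructed sample payloads (not captured traffic) ---
TXID = bytes(range(1, 13))
_XADDR = (struct.pack("!HHxBH", XOR_MAPPED_ADDRESS, 8, 0x01,
                      54321 ^ (MAGIC_COOKIE >> 16))
          + struct.pack("!I", int(ipaddress.IPv4Address("203.0.113.7"))
                        ^ MAGIC_COOKIE))
SAMPLES = {
    "binding request": _build(0x0001, TXID),
    "binding success": _build(0x0101, TXID, _XADDR),
    "rtp audio": bytes([0x80, 0x60]) + struct.pack("!HII", 1, 160, 0xDEADBEEF)
                 + b"\x00" * 20,
    "cookie, bad length": struct.pack("!HHI", 0x0001, 8, MAGIC_COOKIE) + TXID,
    "dns query": b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
                 + b"\x07example\x03com\x00\x00\x01\x00\x01",
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:20s} {verdict:6s} {parse_stun(SAMPLES[name])}")
```

Matching on the cookie alone would also accept the "cookie, bad length" sample; the extra header checks are what keep false positives down when the port tells you nothing.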
(PeteCresswell)
2018-06-15 13:58:47 UTC
Post by Wolf K
Have you used one of the torrent download clients? If so, your machine
is probably now a torrent server.
Yes - BitTorrent.

Do you mean even without anything explicitly running?

That would seem to expose people who turn their VPN services on and off.

Just uninstalled it on GPs....
--
Pete Cresswell
Wolf K
2018-06-15 14:14:08 UTC
Post by (PeteCresswell)
Post by Wolf K
Have you used one of the torrent download clients? If so, your machine
is probably now a torrent server.
Yes - BitTorrent.
Do you mean even without anything explicitly running?
AIUI, the torrent clients work by using their users' machines. Once
you've d/l a file, it's available to other users (some clients did ask
for permission, back when I tried them). The torrent works by scavenging
and combining pieces of the file from many different sources. From the
user's POV this has several advantages: it usually speeds up d/l compared
to a single source (server); it bypasses legitimate sources, which may
charge for the content; it tends to hide the user's identity.

The main disadvantage, apart from the background hogging of the 'net
connection, is that one of the sources may be infected. From my POV
that's a deal-breaker. I haven't used a torrent client in years.

AFAIK, the default for torrent clients is to run in the background.

[...]
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
The Real GLOBALIST
2018-06-15 15:50:59 UTC
Post by Wolf K
The main disadvantage, apart from the background hogging of the 'net
connection, is that one of the sources may be infected. From my POV
that's a deal-breaker. I haven't used a torrent client in years.
I've been using torrents for over a decade. Not one single malware. I
think the "you'll get infected" crap is from the good folks in the
entertainment industry. Also, if you use Bit Torrent or Deluge, you will
not automatically become a seeder except for what you're downloading.
Once done, you can remove the torrent and you are no longer seeding.
Char Jackson
2018-06-15 16:29:19 UTC
Post by Wolf K
AIUI, the torrent clients work by using their users' machines. Once
you've d/l a file, it's available to other users (some clients did ask
for permission, back when I tried them).
Not necessarily limited to after a file has been fully downloaded. In my
experience, any file *segment* that has been successfully downloaded can
be made available to others who are seeking that segment. Seeding starts
as soon as you've successfully downloaded the first segment. That's
probably configurable.
Post by Wolf K
The torrent works by scavenging
and combining pieces of the file from many different sources. From the
user's POV this has several advantages: it usually speeds up d/l compared
to a single source (server); it bypasses legitimate sources, which may
charge for the content; it tends to hide the user's identity.
Agreed, except for that last item. I would have said that BT tends to
*reveal* your identity rather than hide it, where identity refers to
your IP address, to multiple strangers, just as it reveals their
identity to you. Everyone who downloads segments of files can see the IP
address of everyone else who is also downloading segments of that file.
That's one of the reasons why people use a VPN when downloading via BT.
Post by Wolf K
The main disadvantage, apart from the background hogging of the 'net
connection, is that one of the sources may be infected. From my POV
that's a deal-breaker. I haven't used a torrent client in years.
The entire file could be infected with malware, although that is
extremely rare, but I don't think it's possible that someone is likely
to figure out a way to infect a single segment. Every segment has to
pass sanity checks after being downloaded and prior to being added to
what has already been downloaded and verified. If someone were to mess
with a segment, it would be discarded as a result of those sanity
checks.

Back in the day, I used to hear of instances where someone, possibly the
RIAA or a major record company, was seeding music files that were
actually just white noise, or sometimes repeated recordings of "don't
steal this music", but I haven't heard of examples of that in about
10-15 years.
Post by Wolf K
AFAIK, the default for torrent clients is to run in the background.
I've only tried a few over the years, and they all ran in the foreground
by default, although each could be minimized to the tray, if desired.
--
Char Jackson
VanguardLH
2018-06-15 22:10:38 UTC
Post by (PeteCresswell)
Post by Wolf K
Have you used one of the torrent download clients? If so, your
machine is probably now a torrent server.
Yes - BitTorrent.
Do you mean even without anything explicitly running? That would seem
to expose people who turn their VPN services on and off.
Bittorrent is a P2P (peer to peer) file sharing service to distribute
data and files across the Internet. When you participate, you become
part of their *shared* network. It also means a portion or all of
file(s) are stored on your host to deliver to other Bittorrent users.
Files are distributed across all the Tor clients. That way, retrieving
a file has it come from one, or more, other clients. That means there
could be illegal content on your host, like kiddie porn. You don't just
get to pull with Bittorrent. You've also agreed to push using
Bittorrent. It's not just what you want. It's what all those users
want. You don't get to be just a leech. You join the swarm.

https://en.wikipedia.org/wiki/BitTorrent
Post by (PeteCresswell)
Just uninstalled it on GPs....
GPs?

https://www.acronymfinder.com/Gp.html
J. P. Gilliver (John)
2018-06-16 01:42:58 UTC
In message <***@v.nguard.lh>, VanguardLH <***@nguard.LH>
writes:
[]
Post by VanguardLH
Bittorrent is a P2P (peer to peer) file sharing service to distribute
data and files across the Internet. When you participate, you become
part of their *shared* network. It also means a portion or all of
file(s) are stored on your host to deliver to other Bittorrent users.
Files are distributed across all the Tor clients. That way, retrieving
a file has it come from one, or more, other clients. That means there
could be illegal content on your host, like kiddie porn. You don't just
get to pull with Bittorrent. You've also agreed to push using
Bittorrent. It's not just what you want. It's what all those users
want. You don't get to be just a leech. You join the swarm.
https://en.wikipedia.org/wiki/BitTorrent
Is that _always_ the case, that you're hosting _unknown_ content, or do
some of the Torrent (networks? I don't know the correct term, never
having participated) only make you pass on the content you wanted - sort
of a "you can have it, as long as you in turn pass it on to others" idea
Post by VanguardLH
Post by (PeteCresswell)
Just uninstalled it on GPs....
GPs?
https://www.acronymfinder.com/Gp.html
General Practitioner, General Purpose, Global Positioning satellite, (-:
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Enjoy life now - it has an expiration date
VanguardLH
2018-06-16 03:53:20 UTC
Post by J. P. Gilliver (John)
Is that _always_ the case, that you're hosting _unknown_ content, or do
some of the Torrent (networks? I don't know the correct term, never
having participated) only make you pass on the content you wanted - sort
of a "you can have it, as long as you in turn pass it on to others" idea
Well, just how did YOU get it? From someone else. You're one of the
someone else's in the swarm.
J. P. Gilliver (John)
2018-06-16 11:13:53 UTC
Post by VanguardLH
Post by J. P. Gilliver (John)
Is that _always_ the case, that you're hosting _unknown_ content, or do
some of the Torrent (networks? I don't know the correct term, never
having participated) only make you pass on the content you wanted - sort
of a "you can have it, as long as you in turn pass it on to others" idea
Well, just how did YOU get it? From someone else. You're one of the
someone else's in the swarm.
I'm not saying you wouldn't be passing on to unknown persons; I was just
asking whether it is always the case (as was implied by the previous
posters) that you are also passing on (and thus storing) unknown
material, rather than just the material _you_ actively downloaded. I've
never used torrenting, but I always understood that it was a
collaborative arrangement - you can download from other torrenters, on
condition that you then let yet other torrenters download from you what
you have downloaded - not _extra_ material you don't know about.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

And if you kill Judi Dench, you can't go back home. - Bill Nighy (on learning
to ride a motorbike [on which she would be side-saddle] for "The Best Exotic
Marigold Hotel"), quoted in Radio Times 18-24 February 2012.
VanguardLH
2018-06-16 13:10:48 UTC
Post by J. P. Gilliver (John)
I'm not saying you wouldn't be passing on to unknown persons; I was just
asking whether it is always the case (as was implied by the previous
posters) that you are also passing on (and thus storing) unknown
material, rather than just the material _you_ actively downloaded. I've
never used torrenting, but I always understood that it was a
collaborative arrangement - you can download from other torrenters, on
condition that you then let yet other torrenters download from you what
you have downloaded - not _extra_ material you don't know about.
Torrents can work like you describe. As a leech, a file that you
retrieve from one, or more, seeders will also be available with you as a
seeder to other leechers. A central server would probably have a lot
higher upstream bandwidth for you to download the file from them. All
those torrent hosts are home PCs with dismal upstream bandwidth, so
slicing up a file across multiple seeder hosts parallels the file
transfer to effect a higher upstream bandwidth across all those seeder
hosts and you get a higher downstream bandwidth for the file transfer.

I thought there was an option to also employ other torrent hosts through
which the file transfer can happen. That is, instead of a direct
connection from your torrenting host to another torrenting host, a mesh
network of other torrent-capable hosts could be employed for redundancy
or failure recovery. Maybe not. If a seeder host goes down or becomes
unreachable to which you are connected as a leech host then maybe the
torrent client discards that portion of the torrent you captured already
and goes to find another seeder host to start all over on getting that
slice of the file. That is, maybe torrents have no resume function with
a prior seeder host from which you were retrieving a file piece.

Could be what I'm thinking about are the VPN providers that punish you
for not allowing traffic from others to use your host's idle bandwidth.
That is, you get slower effective bandwidth through the VPN network if
you don't share your bandwidth with others (which has them passing
anything they want through your host). Another possibility is I'm
mixing up Microsoft's scheme in Windows 10 for deploying updates by
distributing them on their customers' hosts (aka peer-to-peer updating),
so that might be another cause of Pete's mysterious upstream traffic (if
he left that option enabled).

https://www.pcworld.com/article/2955491/windows/how-to-stop-windows-10-from-using-your-pcs-bandwidth-to-update-strangers-systems.html

https://www.howtogeek.com/141257/htg-explains-how-does-bittorrent-work/
mentions using trackerless torrents. That means a node in the swarm has
to contact other nodes in the swarm instead of a central server
proffering the tracker data. That would not mean you get any files on
your host that you didn't ask for; however, it does mean your host is
involved in searches by other nodes in the swarm looking for a file.
That means your torrent client has to generate traffic to talk with all
the other "nearby" nodes in the swarm. The article didn't define what
"nearby" means.

You might be correct that you don't host any files that you never
requested, or it is something client-side configurable in the mesh
network that the swarm uses to decentralize the location of the file.
There is a lot of voodoo-speak about torrents, so it's tough to pin down
just how it works unless you get into the client code of which I have no
interest. Because of the similar naming, Tor can be confused with
torrenting (P2P file sharing protocol) over the Tor mesh network.
However, the more I read about torrenting the less it seems to be about
privacy since the seeder and leech clients have to communicate and dole
out their IP addresses to each other -- and anyone can operate a torrent
node, including the gov't (just like anyone, including the gov't can
operate entrance and exit TOR nodes). The seeder site has to know where
to deliver the file requested by the leech node. Tor means having to
trust whoever operates an entrance and exit node aren't the same
operator. Tor does get mapped; for example, see:

https://www.wired.com/2015/09/mapping-tors-anonymity-network-spread-around-world/

Knowing who runs a Tor node and where they are doesn't mean your traffic
is suborned. You are trusting an unknown (to you) Tor node operator
with your traffic. The bulk of funding for development of Tor comes
from the US gov't (https://pando.com/2014/07/16/tor-spooks/). I can see
how entrance and exit nodes get mapped, and anyone can operate one.

https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Weaknesses

Since traffic through the Tor network isn't secure unless encrypted,
then what's the difference from using HTTPS, FTPS, or other encrypted
protocol? Oh, that the endpoints are hidden (but only if you trust the
Tor nodes to not exploit weaknesses in Tor), like your ISP cannot see the
target site, which is what VPNs do, too.

Sometimes it's hard to keep separate Tor from the tor-named protocols
(e.g., torrent) that run on the Tor network. Tor this, tor that.
Char Jackson
2018-06-16 15:50:28 UTC
Post by VanguardLH
Sometimes it's hard to keep separate Tor from the tor-named protocols
(e.g., torrent) that run on the Tor network. Tor this, tor that.
There's no relationship between Tor (The Onion Router project) and
Bittorrent (decentralized distributed file transfer). Like java versus
javascript, they just share similar names.
--
Char Jackson
VanguardLH
2018-06-16 22:02:25 UTC
Post by Char Jackson
Post by VanguardLH
Sometimes it's hard to keep separate Tor from the tor-named protocols
(e.g., torrent) that run on the Tor network. Tor this, tor that.
There's no relationship between Tor (The Onion Router project) and
Bittorrent (decentralized distributed file transfer). Like java versus
javascript, they just share similar names.
You're probably right. Bad naming convention, similar to how Microsoft
confuses products with similar or reused names.
J. P. Gilliver (John)
2018-06-17 03:33:00 UTC
Post by Char Jackson
Post by VanguardLH
Sometimes it's hard to keep separate Tor from the tor-named protocols
(e.g., torrent) that run on the Tor network. Tor this, tor that.
There's no relationship between Tor (The Onion Router project) and
Bittorrent (decentralized distributed file transfer). Like java versus
javascript, they just share similar names.
So, does _either_ of them involve you passing on (and thus storing, at
least temporarily) material of which you know nothing?
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

And if you kill Judi Dench, you can't go back home. - Bill Nighy (on learning
to ride a motorbike [on which she would be side-saddle] for "The Best Exotic
Marigold Hotel"), quoted in Radio Times 18-24 February 2012.
Char Jackson
2018-06-17 05:08:49 UTC
On Sun, 17 Jun 2018 04:33:00 +0100, "J. P. Gilliver (John)"
Post by J. P. Gilliver (John)
Post by Char Jackson
Post by VanguardLH
Sometimes it's hard to keep separate Tor from the tor-named protocols
(e.g., torrent) that run on the Tor network. Tor this, tor that.
There's no relationship between Tor (The Onion Router project) and
Bittorrent (decentralized distributed file transfer). Like java versus
javascript, they just share similar names.
So, does _either_ of them involve you passing on (and thus storing, at
least temporarily) material of which you know nothing?
Not that I'm aware of, but I've never used Tor (only read about it) and
I rarely use BT, so I may have missed something regarding that aspect.
There used to be a concept of a BT Supernode, so in that case I assume
the answer could be yes, but I don't know if that's still a thing. I
don't believe it's a default, assuming it does still exist.
--
Char Jackson
(PeteCresswell)
2018-06-17 14:17:25 UTC
Post by VanguardLH
that might be another cause of Pete's mysterious upstream traffic
I found the cause of the mysterious upstream traffic: a Tivo-on-steroids app
called "SageTV". It runs on the affected PC and talks with little black
boxes (Unix PC's/"Media Extenders") under each television set.

Kill the SageTV service and the traffic stops. Restart said service and the
traffic resumes.

AFAIK, there is no traffic outside of my LAN - so I was just *assuming* that
BitMeter's numbers applied to only WAN traffic.
--
Pete Cresswell
J. P. Gilliver (John)
2018-06-17 17:35:09 UTC
Post by (PeteCresswell)
Post by VanguardLH
that might be another cause of Pete's mysterious upstream traffic
I found the cause of the mysterious upstream traffic: a Tivo-on-steroids app
called "SageTV". It runs on the affected PC and talks with little black
boxes (Unix PC's/"Media Extenders") under each television set.
Kill the SageTV service and the traffic stops. Restart said service and the
traffic resumes.
AFAIK, there is no traffic outside of my LAN - so I was just *assuming* that
BitMeter's numbers applied to only WAN traffic.
No, BitMeter2 is a fairly simple application - it just monitors the
total traffic leaving and entering the computer it is running on,
regardless of where it's going to/coming from. I find it (especially its
audio option) a useful indication of when something suddenly starts to
use the network unexpectedly (or when a download suddenly stops or slows
down) - but it would be less so if I had much "local" traffic. (_Maybe_
something in one of the NirSoft or SysInternals suites can select only
certain traffic?)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Never make the same mistake twice...there are so many new ones to make!
VanguardLH
2018-06-17 19:32:05 UTC
Post by (PeteCresswell)
Post by VanguardLH
that might be another cause of Pete's mysterious upstream traffic
I found the cause of the mysterious upstream traffic: a Tivo-on-steroids app
called "SageTV". It runs on the affected PC and talks with little black
boxes (Unix PC's/"Media Extenders") under each television set.
Kill the SageTV service and the traffic stops. Restart said service and the
traffic resumes.
AFAIK, there is no traffic outside of my LAN - so I was just *assuming* that
BitMeter's numbers applied to only WAN traffic.
Never much got into that stuff. My guess is the SageTV (e.g., HD
HomeRun) client is retrieving programming information or it's
communication between it and the server box (little box at the TV).
Long ago, it used to require the PC have a TV tuner card but that's
changed to having clients on the PCs communicate over the network to a
server host (little black box). For a while, I got interested in
SlingTV and using a wifi Roku HDMI dongle (so didn't need to run Cat5
cables) on all my TVs (all mine have 3 HDMI inputs) for streamed media
instead of paying Comcast for their TV programming. Since no one else
in the household wanted to abandon Comcast TV despite a big savings
going with Sling TV blue+orange channel lineups, and I wasn't going to
pay for just myself, that plan got scuttled. I also wanted to get rid
of Comcast Voice (drop their cable TV and voice services to just have
their Internet service, or Internet + basic TV since together the
discounted Internet might pay for basic TV) and go with Obitalk with
Google Voice for free VOIP (other than the initial $50 to get Obitalk).
Technology is not a forte in the rest of my family.

The server box might be a PVR. You sure you haven't programmed some
shows to watch at times other than when scheduled? If you're watching
that streamed media then there's network traffic to get that content.
Are you the only one in your household or are there others watching the
TV and getting the streamed media? I suspect that just because you and
no one else there has a TV turned on doesn't stop the little box from
continuing to retrieve streamed media for the last channel to which it
was tuned. Whatever you use for the media source (OTA, cable,
streaming) remains active regardless of the state of your TVs.

I didn't want a solution that ran through my PCs, so no installing a
client program on PCs (that would have to remain powered) to communicate
with a server box (perhaps the network traffic you see) at the TV. I'd
use an HDMI port on the TV to use Roku's own controls to decide what to
watch. That is, I'd use a solution that was local to the TV. Of
course, if you want to watch the shows on your computers then you
probably need their client installed on those computers. I spend way
too much time at my computers, so having TV somewhere else gets me away
from my computers although obviously I'm still sitting on my butt
("sitting is the new cancer"), more of a problem during winter months.
Char Jackson
2018-06-16 15:54:18 UTC
On Sat, 16 Jun 2018 02:42:58 +0100, "J. P. Gilliver (John)"
Post by J. P. Gilliver (John)
[]
Post by VanguardLH
Bittorrent is a P2P (peer to peer) file sharing service to distribute
data and files across the Internet. When you participate, you become
part of their *shared* network. It also means a portion or all of
file(s) are stored on your host to deliver to other Bittorrent users.
Files are distributed across all the Tor clients. That way, retrieving
a file has it come from one, or more, other clients. That means there
could be illegal content on your host, like kiddie porn. You don't just
get to pull with Bittorrent. You've also agreed to push using
Bittorrent. It's not just what you want. It's what all those users
want. You don't get to be just a leech. You join the swarm.
https://en.wikipedia.org/wiki/BitTorrent
Is that _always_ the case, that you're hosting _unknown_ content, or do
some of the Torrent (networks? I don't know the correct term, never
having participated) only make you pass on the content you wanted - sort
of a "you can have it, as long as you in turn pass it on to others" idea
No, it is not always the case.
Post by J. P. Gilliver (John)
Post by VanguardLH
Post by (PeteCresswell)
Just uninstalled it on GPs....
GPs?
https://www.acronymfinder.com/Gp.html
General Principles. Very common phrase on this side of the pond.
https://idioms.thefreedictionary.com/on+general+principle
--
Char Jackson
VanguardLH
2018-06-16 22:08:10 UTC
Post by Char Jackson
On Sat, 16 Jun 2018 02:42:58 +0100, "J. P. Gilliver (John)"
Post by J. P. Gilliver (John)
[]
Post by VanguardLH
Bittorrent is a P2P (peer to peer) file sharing service to distribute
data and files across the Internet. When you participate, you become
part of their *shared* network. It also means a portion or all of
file(s) are stored on your host to deliver to other Bittorrent users.
Files are distributed across all the Tor clients. That way, retrieving
a file has it come from one, or more, other clients. That means there
could be illegal content on your host, like kiddie porn. You don't just
get to pull with Bittorrent. You've also agreed to push using
Bittorrent. It's not just what you want. It's what all those users
want. You don't get to be just a leech. You join the swarm.
https://en.wikipedia.org/wiki/BitTorrent
Is that _always_ the case, that you're hosting _unknown_ content, or do
some of the Torrent (networks? I don't know the correct term, never
having participated) only make you pass on the content you wanted - sort
of a "you can have it, as long as you in turn pass it on to others" idea
No, it is not always the case.
Post by J. P. Gilliver (John)
Post by VanguardLH
Post by (PeteCresswell)
Just uninstalled it on GPs....
GPs?
https://www.acronymfinder.com/Gp.html
General Principles. Very common phrase on this side of the pond.
https://idioms.thefreedictionary.com/on+general+principle
Easy to discuss once the acronym becomes known. That's why I asked.
Until now, I've never seen "GP" used as an acronym for "General
Principle". However, I don't read everything. There are tons of
acronyms used in texting of which I would be unaware because I only text
when forced, not because I have to spew a chunk every few minutes.
(PeteCresswell)
2018-06-17 14:10:33 UTC
GPs?
General Principles.

I don't know enough to understand all the posts here, but being able to
download torrented files is not exactly a religious issue with me - so "When
in doubt, pull it out.".
--
Pete Cresswell
VanguardLH
2018-06-15 01:56:00 UTC
Post by (PeteCresswell)
Have been watching the BitMeter numbers for a few days now and am puzzled by
the Upload numbers.
Seems tb a constant stream (about 4 gigs/hour) of upload activity.
Tried using a network monitor, like SysInternals' TCPview, to see what
process is generating all the upstream traffic?
(PeteCresswell)
2018-06-15 14:21:27 UTC
Per VanguardLH:
gigs/hour) of upload activity.
Post by VanguardLH
Tried using a network monitor, like SysInternals' TCPview, to see what
process is generating all the upstream traffic?
Thanks!...

Just installed TCPview and it is looking like my Tivo-On-Steroids DVR app and
a little black box underneath my TV are the source of the "Upload" traffic.

Quotes, because it is strictly over the LAN, not WAN (at least I *think* it
is....) and I had not thought of "Upload" as applying to local LAN traffic.

Also many of the UL speeds were far in excess of what my FIOS service allows.

But killed the SageTV service, watched BitMeter for five minutes and the UL
speed quiesced to a steady 1-1.1.... then I re-started the SageTV service,
bounced the little black box, and it was back to high UL speeds.... so I
guess that's the way it is.
--
Pete Cresswell
Wolf K
2018-06-15 15:37:17 UTC
Post by (PeteCresswell)
gigs/hour) of upload activity.
Post by VanguardLH
Tried using a network monitor, like SysInternals' TCPview, to see what
process is generating all the upstream traffic?
Thanks!...
Just installed TCPview and it is looking like my Tivo-On-Steroids DVR app and
a little black box underneath my TV are the source of the "Upload" traffic.
Quotes, because it is strictly over the LAN, not WAN (at least I *think* it
is....) and I had not thought of "Upload" as applying to local LAN traffic.
Also many of the UL speeds were far in excess of what my FIOS service allows.
But killed the SageTV service, watched BitMeter for five minutes and the UL
speed quiesced to a steady 1-1.1.... then I re-started the SageTV service,
bounced the little black box, and it was back to high UL speeds.... so I
guess that's the way it is.
Interesting. Looks like SageTV is streaming from your PC even when the
other end isn't displaying anything.

Anyhow, added "LAN media streaming" to my list of network hogs. :-)

So thanks for this.
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
Paul
2018-06-15 15:52:45 UTC
Post by (PeteCresswell)
gigs/hour) of upload activity.
Post by VanguardLH
Tried using a network monitor, like SysInternals' TCPview, to see what
process is generating all the upstream traffic?
Thanks!...
Just installed TCPview and it is looking like my Tivo-On-Steroids DVR app and
a little black box underneath my TV are the source of the "Upload" traffic.
Quotes, because it is strictly over the LAN, not WAN (at least I *think* it
is....) and I had not thought of "Upload" as applying to local LAN traffic.
Also many of the UL speeds were far in excess of what my FIOS service allows.
But killed the SageTV service, watched BitMeter for five minutes and the UL
speed quiesced to a steady 1-1.1.... then I re-started the SageTV service,
bounced the little black box, and it was back to high UL speeds.... so I
guess that's the way it is.
A digital TV tuner here, produces about 7GB per hour.
Which I guess would be 2MB/sec or so. (This could vary
with SD or HD or higher formats perhaps.)

Is the SageTV upload a lot more than that ?

To see whether the upload is reasonable, you'd have
to compare it to the proposed content.

Paul
Char Jackson
2018-06-15 16:31:55 UTC
Post by (PeteCresswell)
gigs/hour) of upload activity.
Post by VanguardLH
Tried using a network monitor, like SysInternals' TCPview, to see what
process is generating all the upstream traffic?
Thanks!...
Just installed TCPview and it is looking like my Tivo-On-Steroids DVR app and
a little black box underneath my TV are the source of the "Upload" traffic.
Quotes, because it is strictly over the LAN, not WAN (at least I *think* it
is....) and I had not thought of "Upload" as applying to local LAN traffic.
Also many of the UL speeds were far in excess of what my FIOS service allows.
But killed the SageTV service, watched BitMeter for five minutes and the UL
speed quiesced to a steady 1-1.1.... then I re-started the SageTV service,
bounced the little black box, and it was back to high UL speeds.... so I
guess that's the way it is.
If that amount of network traffic causes you any issues with the rest of
your LAN or your Internet access, consider isolating it to its own LAN.
--
Char Jackson
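
An added example, not part of any post in this thread: one way to check the "strictly over the LAN, not WAN" assumption above is to group established TCP connections by PID and classify each remote endpoint as local or external. It assumes Windows `netstat -ano` output; the sample lines, PIDs, ports and addresses below are constructed.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as local: RFC 1918, link-local, loopback, IPv6 ULA/link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample of `netstat -ano` output (all values are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.20:49712     192.168.1.45:50344     ESTABLISHED     2212
  TCP    192.168.1.20:49713     192.168.1.45:50345     ESTABLISHED     2212
  TCP    192.168.1.20:50101     203.0.113.17:443       ESTABLISHED     4312
  TCP    192.168.1.20:50102     198.51.100.9:993       ESTABLISHED     5120
  TCP    [fe80::1c2d%12]:50110  [fe80::9a1%12]:445     ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1608
"""

def is_local(addr: str) -> bool:
    """True if addr falls inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def host_of(endpoint: str) -> str:
    """Strip the port, IPv6 brackets and zone id from a netstat endpoint."""
    host = endpoint.rsplit(":", 1)[0]
    return host.strip("[]").split("%", 1)[0]

def classify(netstat_text: str) -> dict:
    """Map PID -> {"lan": set, "wan": set} of remote hosts (established TCP only)."""
    result = defaultdict(lambda: {"lan": set(), "wan": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listening sockets and UDP rows have no remote peer to classify.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        remote = host_of(fields[2])
        result[int(fields[4])]["lan" if is_local(remote) else "wan"].add(remote)
    return dict(result)

def pids_with_wan_traffic(netstat_text: str) -> list:
    """PIDs holding at least one connection to a non-local address."""
    return sorted(pid for pid, r in classify(netstat_text).items() if r["wan"])

if __name__ == "__main__":
    print("PIDs with WAN peers:", pids_with_wan_traffic(SAMPLE))
```

`netstat` shows which endpoints a process has open, not how many bytes it sent, so this confirms where the traffic can be going rather than how much there is.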
croy
2018-06-15 20:53:52 UTC
Post by (PeteCresswell)
But killed the SageTV service, watched BitMeter for five minutes and the UL
speed quiesced to a steady 1-1.1.... then I re-started the SageTV service,
bounced the little black box, and it was back to high UL speeds.... so I
guess that's the way it is.
Probably old news, but....

http://sagetv.com/:

"We’re thrilled to announce that SageTV has been acquired by Google."
--
croy
(PeteCresswell)
2018-06-17 14:22:46 UTC
Post by croy
Probably old news, but....
"We’re thrilled to announce that SageTV has been acquired by Google."
The Bad News: A lot of SageTV users were not quite as thrilled.

The Good News: Google relented and released SageTV into the public domain
where it is being maintained/improved by dedicated enthusiasts.

I ran the paid version until Google bought them out some years ago.

Am now running the latest-and-greatest public domain version and it's still
the greatest thing since cheesecake: twenty bucks a year a TV program
schedule service, and that's it...otherwise a total freebie that *works*.
--
Pete Cresswell
Char Jackson
2018-06-17 15:00:54 UTC
Post by (PeteCresswell)
Post by croy
Probably old news, but....
"We’re thrilled to announce that SageTV has been acquired by Google."
The Bad News: A lot of SageTV users were not quite as thrilled.
The Good News: Google relented and released SageTV into the public domain
where it is being maintained/improved by dedicated enthusiasts.
I ran the paid version until Google bought them out some years ago.
Am now running the latest-and-greatest public domain version and it's still
the greatest thing since cheesecake: twenty bucks a year a TV program
schedule service, and that's it...otherwise a total freebie that *works*.
Pete, what kind of tuners are you using, and what video format do they
record in?

I still have a pair of HDHomerun tuners around here, but I haven't used
them in a while. They record in MPEG2, so about 6GB/hr. That adds up
pretty quickly.
--
Char Jackson
(PeteCresswell)
2018-06-17 15:25:54 UTC
Post by Char Jackson
Pete, what kind of tuners are you using, and what video format do they
record in?
HD HomeRun: one old ("Dual ATSC Tuner"/Model HDHR-US) and one newer ("HD
HomeRun EXTEND.FREE broadcast HDTV (2-Tuner)").

They put out .MPG, which SageTV takes as-is and records.

The newer one allows direct connections to it from Android devices.

Sounded really cool on paper, but I almost never use it since the Sage public
domain developers came out with a version of SageTV that runs under Android -
which, come to think of it, I also almost never use.... -)
--
Pete Cresswell
Char Jackson
2018-06-17 16:53:09 UTC
Post by (PeteCresswell)
Post by Char Jackson
Pete, what kind of tuners are you using, and what video format do they
record in?
HD HomeRun: one old ("Dual ATSC Tuner"/Model HDHR-US) and one newer ("HD
HomeRun EXTEND.FREE broadcast HDTV (2-Tuner)").
They put out .MPG, which SageTV takes as-is and records.
The newer one allows direct connections to it from Android devices.
Sounded really cool on paper, but I almost never use it since the Sage public
domain developers came out with a version of SageTV that runs under Android -
which, come to think of it, I also almost never use.... -)
Very cool, thanks. I should probably set it all up again one of these
days, especially since SageTV is still being developed.
--
Char Jackson
(PeteCresswell)
2018-06-19 00:25:44 UTC
Post by Char Jackson
Very cool, thanks. I should probably set it all up again one of these
days, especially since SageTV is still being developed.
SageTV is, IMHO, the best thing since cheesecake.

Certainly TIVO is a lot slicker UI-wise - really an appliance - but they want
an arm and a leg for the TV Guide service and last time I tried one there was
no convenient way to get, say, 6TB of storage connected.

It's probably a matter of taste, but with just OTA TV and NetFlix, I've got
more interesting, entertaining, relevant program material on hand than I can
possibly watch.

Maybe if I became bedridden or something I'd want more - but as it is I'm
chronically 5-6 weeks behind on my news magazine reading and only watch 10%
max of the recorded TV.
--
Pete Cresswell
VanguardLH
2018-06-19 00:54:00 UTC
Post by (PeteCresswell)
It's probably a matter of taste, but with just OTA TV and NetFlix, I've got
more interesting, entertaining, relevant program material on hand than I can
possibly watch.
Maybe if I became bedridden or something I'd want more - but as it is I'm
chronically 5-6 weeks behind on my news magazine reading and only watch 10%
max of the recorded TV.
Reminded me of a guy at an old workplace that collected tons of
magazines, including those that we cleared out of several departments at
work. Some were very focused on a particular technology or science. I
asked why he had such a huge stockpile which was something like a dozen
stacks that each reached higher than the height of his cubicle. He said
he was going to read them. Geez, he couldn't get those read in 20 years
if retired at that time (he wasn't that far from retirement age).

One day I and some others heard a crash and started looking around.
Yep, we found a river of magazines flowing out his cubicle and found
this guy buried under all those magazines that had toppled over. Most
had shiny covers and putting them all in the same direction meant the
stapled side was thicker and tilted the piles. He was okay but we got a
good laugh as we pushed the magazines aside and pulled him up. Yep, all
those precious magazines had collapsed on him. Guess they demanded to
be read and took action to get attention. "We're right here!"

I get ticked when I spend more than a week after Scientific American
arrives to get through it cover to cover. Even if I don't understand
the technology or science being discussed in an article, I keep going
through it until I learn something. Sometimes I spend an entire flight
rereading just one article while frustrated that I don't have the
Internet to look up stuff to research the article.

Paul
2018-06-02 07:23:17 UTC
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail client
and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return to
normal.
The weird part is that SpeedTest.net's numbers are about the same both before
and after.
So it's got to be something going South in my OS, right?
But what?
Something to do with your router ?

*******

https://support.speedtest.net/hc/en-us/articles/203845400-How-does-the-test-itself-work-How-is-the-result-calculated-

"The client establishes multiple connections with
the server over port: 8080
"

So then, there are several things special about speedtest.net

1) Probably doesn't go looking for a web proxy ?
Is the usage of web proxy servers port number sensitive ?

2) Uses port 8080 on outgoing connection to Speedtest server.

3) Uses Adobe Flash for the interface.

4) Uses a web browser to conduct the test.

*******

You could also try some tests with:

1) A second computer.

2) Your current computer, only running a Linux LiveCD
(to see if a different network stack helps).

Paul
VanguardLH
2018-06-06 03:21:24 UTC
Post by Paul
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail client
and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return to
normal.
The weird part is that SpeedTest.net's numbers are about the same both before
and after.
So it's got to be something going South in my OS, right?
But what?
Something to do with your router ?
*******
https://support.speedtest.net/hc/en-us/articles/203845400-How-does-the-test-itself-work-How-is-the-result-calculated-
"The client establishes multiple connections with
the server over port: 8080
"
So then, there are several things special about speedtest.net
1) Probably doesn't go looking for a web proxy ?
Is the usage of web proxy servers port number sensitive ?
2) Uses port 8080 on outgoing connection to Speedtest server.
3) Uses Adobe Flash for the interface.
4) Uses a web browser to conduct the test.
*******
1) A second computer.
2) Your current computer, only running a Linux LiveCD
(to see if a different network stack helps).
Paul
Interesting idea. I've had routers start to go flaky, slow down, and
eventually die. Most consumer-grade routers rely solely on convection
for cooling, no fans.

However, I cannot get how the router could be the problem. The OP said
network bandwidth was okay when he rebooted his PC and gradually got
slower. How would a router even know a host got rebooted? Even if QoS
(Quality of Service) were configured in the router to give some host
higher priority for traffic rate, that would constantly throttle the
non-QoS hosts, not boost them (after a reboot of which the router would
be unaware) and then degrade their bandwidth (well, short of traffic
shaping which I sincerely doubt the OP has one of those switches).

Seems like the OP is doing something after the PC boots that continues
to increasingly suck up bandwidth, like maybe keep opening more and more
tabs in the web browser, especially to web pages with dynamic content
that keep updating themselves even when the tab is in the background in
the web browser. The CPU still gets involved with network traffic so a
weak or overly busy CPU will result in a slow network. The OP didn't
mention what is the CPU usage when he notices the slowdown that
eventually gets slow enough for when he notices it. However, the OP
says speed is glacial and then okay after a reboot. He never really
does say whether, during a Windows session, network speed gradually
gets slow, suddenly gets slow, or is slow for the entire Windows session
and he gets lucky with a reboot where the next entire Windows session is
okay for network speed.

Startup programs get loaded within about 5 minutes after the Windows
kernel loads, so those shouldn't be impacting a gradual increase in
network slowdown (just for loading them but don't know what they all do
after loaded).
Paul
2018-06-06 04:55:40 UTC
Post by VanguardLH
Post by Paul
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail client
and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return to
normal.
The weird part is that SpeedTest.net's numbers are about the same both before
and after.
So it's got to be something going South in my OS, right?
But what?
Something to do with your router ?
*******
https://support.speedtest.net/hc/en-us/articles/203845400-How-does-the-test-itself-work-How-is-the-result-calculated-
"The client establishes multiple connections with
the server over port: 8080
"
So then, there are several things special about speedtest.net
1) Probably doesn't go looking for a web proxy ?
Is the usage of web proxy servers port number sensitive ?
2) Uses port 8080 on outgoing connection to Speedtest server.
3) Uses Adobe Flash for the interface.
4) Uses a web browser to conduct the test.
*******
1) A second computer.
2) Your current computer, only running a Linux LiveCD
(to see if a different network stack helps).
Paul
Interesting idea. I've had routers start to go flaky, slow down, and
eventually die. Most consumer-grade routers rely solely on convection
for cooling, no fans.
However, I cannot get how the router could be the problem. The OP said
network bandwidth was okay when he rebooted his PC and gradually got
slower. How would a router even know a host got rebooted? Even if QoS
(Quality of Service) were configured in the router to give some host
higher priority for traffic rate, that would constantly throttle the
non-QoS hosts, not boost them (after a reboot of which the router would
be unaware) and then degrade their bandwidth (well, short of traffic
shaping which I sincerely doubt the OP has one of those switches).
Seems like the OP is doing something after the PC boots that continues
to increasingly suck up bandwidth, like maybe keep opening more and more
tabs in the web browser, especially to web pages with dynamic content
that keep updating themselves even when the tab is in the background in
the web browser. The CPU still gets involved with network traffic so a
weak or overly busy CPU will result in a slow network. The OP didn't
mention what is the CPU usage when he notices the slowdown that
eventually gets slow enough for when he notices it. However, the OP
says speed is glacial and then okay after a reboot. He never really
does say whether, during a Windows session, network speed gradually
gets slow, suddenly gets slow, or is slow for the entire Windows session
and he gets lucky with a reboot where the next entire Windows session is
okay for network speed.
Startup programs get loaded within about 5 minutes after the Windows
kernel loads, so those shouldn't be impacting a gradual increase in
network slowdown (just for loading them but don't know what they all do
after loaded).
An example of a router problem, is when a router has actually
been exploited by an external attack.

After that, who knows what symptoms it might display.

There was a recent warning from the FBI, that around 100,000
home routers needed to be rebooted (when one tech site claimed
the instruction probably should have read "press the reset button
and re-enter settings"). It's pretty hard for anyone at home,
to keep track of the status of their hardware with stuff like
that going on.

Paul
croy
2018-06-05 16:24:53 UTC
Post by (PeteCresswell)
This has been going on for several weeks: download speed on my mail client
and everything else I try is terrible - as in glacially slow.
Then I reboot the PC - just the PC, nothing else - and speeds return to
normal.
The weird part is that SpeedTest.net's numbers are about the same both before
and after.
So it's got to be something going South in my OS, right?
But what?
It might be useful to analyze with something like CCleaner, if only to see what it shows.

Of course, that comes after what all the smarter-than-I folks have posted here.
--
croy