Tags:

Was I a zombie?
February 16, 2006 6:11 AM   Subscribe

A rule of thumb for volume of sent / received data during internet surfing?

So, after my computer got back from repairs it was not fully set up for security and I started surfing... after an hour or so, I saw a really high ratio: sent about 16mb, received about 3mb, this with no uploading or anything on my part.

Turned on windows firewall, then saw it drop in next session to about a 1:1 sent / recieved ratio... but this still seems very high, doesn't it? All I should be sending are the requests for pages, some confirmation that it is coming in...

As a general rule, what sort of sent / received ratio would be "normal", if you are ONLY surfing the net? Was I zombified, and contributing to DOS attacks etc during that first session? How worried about this should I be?
posted by Meatbomb to computers & internet (10 answers total)
 
On a connection that has been up a couple of days, during which time it's been used for Web surfing about 5 or 6 hours, my ratio is currently Sent:1,433,054 Received: 11,605,023

Windows XP SP2, Firefox 1.0.7 (mostly)
posted by paulsc at 6:21 AM on February 16, 2006


Follow up question:

Is there some easy way (a log, or something?) to see exactly what traffic I am sending where?
posted by Meatbomb at 6:49 AM on February 16, 2006


Ethereal will capture and let you examine every packet that comes and leaves your PC (and lets you filter and color them to make that a reasonable thing to do).
posted by mendel at 7:21 AM on February 16, 2006


Yes, that seems very high. Have you scanned it for spyware?
posted by bshort at 8:07 AM on February 16, 2006


I agree with paulsc - experience tells me 1:10 is about right
posted by falconred at 8:32 AM on February 16, 2006


You can get a quick idea of what's going on by opening a Command Prompt and running the 'netstat' command. This'll show you your computer's active connections: what IP address you're connected to, and which port.

For instance, I just opened google.co.uk, and running netstat immediately afterwards showed something like: 
Proto Local Address Foreign Address     State
TCP   murray:1100   216.239.59.99:http  ESTABLISHED
This tells me that my computer (called 'murray') is connected to 216.239.59.99 (a Google server) on its http port (the port that's used for connecting to web servers).

netstat has a few other options; run 'netstat -h' to see more info.
posted by chrismear at 11:34 AM on February 16, 2006


An up-to-down ratio of 1:10 (or more) makes sense if you take a minute to think about what kind of data is going in each direction.

Suppose you want to view Metafilter. You tell your web browser to go to "www.metafilter.com." It does a DNS query to get the IP address (very little data, probably 1:1 up/down ratio), then your web browser sends the url "http://www.metafilter.com/" to port 80 at metafilter's IP address. When the web server receives this request, it replies with the entire metafilter front page. This is likely to be far more than 10 times longer than the url. Each time you click on a link, you go through this same process - tiny DNS query followed by sending a short text string to a remote server. The remote server responds with a much large string (the web page) and possibly some images.

The only way you are going to get close to 1:1 is if something is actively pushing data out your internet connection. Things like bittorrent will do this, but they will be limited by the upload speed of your connection. If you have some spyware or a trojan/rootkit/backdoor spewing data back to botnet central control then the sum of that data over the course of a day might be about the same as the few web pages you download each day, giving a ratio of close to 1:1.
posted by b1tr0t at 2:01 PM on February 16, 2006


b1tr0t, his ratio is the other way around: 16:3, not 3:16.
posted by mendel at 6:23 AM on February 17, 2006


b1tr0t, his ratio is the other way around: 16:3, not 3:16.

right - everyone else is saying it should be much less up and more down, unless there is a problem. I'm explaining why.
posted by b1tr0t at 11:42 AM on February 17, 2006


Have you tried Netlimiter Monitor? It'll tell you which application's doing what traffic-wise.
posted by d-no at 4:04 PM on February 17, 2006


« Older hiring a car/limo for my mothe...   |  Does anyone have any tried and... Newer »
This thread is closed to new comments.