What is chatting?
June 21, 2011 8:42 PM   Subscribe

How can I figure out what is chatting and/or stealing my home LAN bandwidth?

So sometimes my LAN lags . . I want to know if I have network bottlenecks, if my DSL sucks, if my neighbor is stealing bandwidth . . if something on net is killing the network, etc. . . if AT&T needs to go. .

Here is my home network. For the most part I try and hard wire everything.

Office computer (which I'm typically on a ton as I work from home)
Home computer (which typically the wife uses to surf)
HTPC computer (also serves as the NAS and Squeezecenter server)
Netbook for couch surfing - not typically on
Neighbor's laptop
2 iPhones
1 Android
3 Squeezeboxes and 1 controller
HP attached printer

The only wireless devices are the phones, netbook and 1 squeezebox. Everything else is wired via a gig DLINK switch and a D-link DIR-655.

When I have issues I typically shutdown anything I know may be killing it, Pandora, etc. . I limit backups to NAS and BT until the wee hours.

My suspicions are neighbor streaming netflix or AT&T DSL just plain sucking but I want to confirm.

I've played with Wireshark, and I'm sure it can tell me, but I can't get it to make much sense or give me reports.

I would like to see traffic by client . . internal and outbound. . anything simple out there I have not found?
posted by patrad to Technology (17 answers total) 4 users marked this as a favorite
What firmware are you running on the router?
posted by k8t at 8:47 PM on June 21, 2011

Look for a Linux live cd with iptraf.
posted by qxntpqbbbqxl at 8:51 PM on June 21, 2011

Wireshark won't work, because on modern network gear, each machine is on its own collision domain. Meaning that you will only be able to trace the network packets that go to and from the computer it is running on. Packets going elsewhere aren't on your wire.

The way to do it is to put a machine between the DSL modem and the router, and simply have it pass packets. With wireshark in the middle, listening.

Or use a router running Linux and watch netstat when you have issues.

(The way to do it on a commericial network is to set the switch into promiscuous mode and have it forward ALL packets to a particular port. But you can't do that with anything less that $1000 switches.)
posted by gjc at 8:52 PM on June 21, 2011

DSL is often set with a lot of error correction, which slows things down. This is great if you are doing simple browsing, but less good if you need every packet (streaming video, gaming, etc). I had similar problems with my DSL (not AT&T) until I called tech support and complained about line speed, and they basically just flipped the switch to make it work.
posted by tau_ceti at 8:53 PM on June 21, 2011 [1 favorite]

Perhaps you've already tried this, but on the off chance that you haven't, do you have this problem when you secure the network and require a password for access?
posted by MissySedai at 8:59 PM on June 21, 2011 [1 favorite]

Divide, conquer.

Is the wired desktop computer also slow when the wlan computers are being slow?

If you change the wlan password and only connect up the thing you're on is it still slow?

posted by Threeway Handshake at 9:08 PM on June 21, 2011 [1 favorite]

Response by poster: Yes I've played with the WLAN security to ensure no one is leeching. From what I understand, it would at least take a day for a determined neighbor to re-hack WiFi once I changed the credentials. . . I do watch the DHCP list and nothing there looks suspicious.

Yes, all nodes are slow at the same time, wired and wireless. I have systematically shut devices off one by one, then speedtest.com on one connected directly to the router. . . limited improvement but not enough for me to say AHA! You were being naughty!

Plus I want to be a little bit more scientific. . and be able to really streamline traffic, time of day management, etc.

Firmware: 1.21, 2008/10/09

Based on gjc's comments it would not seem like ANY tool just sitting on a client would work (like iptraf suggested by qxntpqbbbqxl). So who is right?

And gjc, how can Wireshark show me packets that have different source and destination IP's than the client it is sitting on (which it does). . it seems like it is collecting the data I need, am I not understanding something?
posted by patrad at 9:25 PM on June 21, 2011

When you say that your LAN lags, do you mean connections between local nodes lag or they just lag in their connection to the internet via DSL? It appears that you mean the internet connection, but I did want to make sure.

My guess, based on my own experience with AT&T, is that at least the primary offender lies with your DSL. I would follow gjc's path and put a box with two nics between my router and my modem, let wireshark do its thing for a decent period and do some analysis. It's been years since I've done anything like that, so I can't offer much by way of specifics, though.
posted by ndfine at 10:13 PM on June 21, 2011

I say that also assuming you're not running, like, WEP for your wireless security. If you're running more secure than that, I would't worry about the neighbors leeching your bandwidth unless they have entirely too much time on their hands or there's something incredibly valuable on your network.
posted by ndfine at 10:20 PM on June 21, 2011

Is this generally always happening at the same time of day?
posted by bluedaisy at 10:41 PM on June 21, 2011

I had an annoying situation where the wifi would be constantly busy, making all other devices time out and so on. Turns out it was the printer that had crashed pretty majorly (had to pull power cable) but then, the printer is wifi model. Probably not your issue, but it sure was the last thing I expected.
posted by lundman at 10:52 PM on June 21, 2011

Response by poster: If I put something between my router and modem I'm guessing I could not ID the traffic to a specific client as by that point, everything would be NAT'd?

@ndfine, they lag in the connection to DSL
posted by patrad at 5:00 AM on June 22, 2011

I had a wireless phone (landline thingy, not cellular) that uses the same frequency (5.8ghz I believe) and it interfered. Once I set it to use a different channel things cleared up. The interference was intermittent, so it took a while to identify this as the problem.
posted by dgran at 5:47 AM on June 22, 2011

Yes, all nodes are slow at the same time, wired and wireless.

Great! Next steps:

Determine exactly where the "slowness" is, and what it is. What you know at this point: it ain't a problem with your wireless.

Take your wired computer, because wired is better for these things. Open up three command prompts. (I'll assume that your wired work computer is windows.) We're going to see if you're losing packets, or not, and we will use ping to do so. Run the pings like this "ping -n 10000 x.x.x.x" where the x's are the ip address of the target. In the three command prompts, ping each of these:
* the internal IP address of your router
* an external IP, such as www.yahoo.com or your ISP's DNS server (better bet). Note: if you immediately have no responses back, then choose a different one as it is blocked.
* another internal host, such as that HTPC

This will make these get pinged 10,000 times each, which will take a really long time. Let it run for as long as you can stand, and hit control-c to stop. It will give you the results. Look for the # of lost packets. A few is to be expected, if there is a lot to one of those things, then there's where your packet loss lies.

Your slowness might not be because of packet loss, but you should do this first to elminiate this possibility.
posted by Threeway Handshake at 6:04 AM on June 22, 2011

Are you by any chance running a torrent client? I find that a torrent client can cause the internet connection to lag or even fail for any and all other devices on my LAN. The issue is not bandwidth being used, but simply the sheer number of connections is too much for my router.

Limiting the global connection count helps quite a bit, as does lowering the timeout times (if you can, I use a custom firmware so I have access to settings that most do not expose).
posted by utsutsu at 7:35 AM on June 22, 2011

If I put something between my router and modem I'm guessing I could not ID the traffic to a specific client as by that point, everything would be NAT'd?

That's true, I didn't think of that. You would see all the traffic, but not be able to classify it by source.

And gjc, how can Wireshark show me packets that have different source and destination IP's than the client it is sitting on (which it does). . it seems like it is collecting the data I need, am I not understanding something?

If the client is on wireless, you can hear all the traffic on the wireless side of the network. You should not be able to hear the traffic of a wired computer on the wireless or another wired computer. If you really can, then something is wrong.

(Simple background. Ethernet is a shared medium. Started out as a coaxial cable that everyone plugged into. When a computer wants to send a packet, it listens to the wire to see if it is quiet. If it is, it starts sending its packet. If it happens that another computer had decided to send at the same time, you get a collision. They both hear that collision, and they both back off a random amount of time and retry to send their packet. Every machine can hear every packet, and simply ignore the ones not addressed to themselves.

When Ethernet moved to cat5 cable, they made devices called hubs. Those are basically splitters that create a single wire of all the wires that are connected, and the same thing happens.

That causes trouble, because a lot of machines trying to send packets all the time will cause a lot of collisions, and you get really bad performance out of the network. So, they invented switches. These are "smart" devices that know which device is connected to which port, and only send packets down the correct wire for the intended client. This means that two computers can be babbling at each other to their hearts content, and two other computers can communicate freely without having to stay out of the way of the first two.)

So, if you can hear the traffic of two other computers talking, something in your network is acting like a hub and not a switch. Which will be a cause of (some) of your network performance degradation.

You can also hear broadcasts, but those should show up with sources and destinations of and You'll also see ARP requests, which are types of broadcasts that will look like " needs the name of" plus the response.
posted by gjc at 8:15 AM on June 22, 2011

Response by poster: @Threeway, I'll give that a shot

@gjc. I do have a hub for devices near my entertainement center. Slingbox, HTPC, Squeezebox. I also have the GIR-655 router (with switch ports) and the DGS-2208 switch. I would assume that the 2208 and the basic netgear hub are not advanced enough to be doing smart switching and act more as hubs in a SOHO environment. Maybe the 2208 and 655 are?

After checking out Wireshark traffic some more, I do see that it captures packets between other clients only if it's SMNP traffic (makes sense) or DB-LSP protocol traffic. The latter of which is interesting, it's Dropbox traffic local to my LAN to keep Dropbox from Sync'ing over the Internet for my 2 PCs with it installed (I assume).

Sounds like what I really want, is a router or switch that does the promiscuous bit. . Is there a NIC or small device that would act in this manner?
posted by patrad at 10:22 AM on June 22, 2011

« Older Living Trust vs Will   |   In...what...way...? Newer »
This thread is closed to new comments.