FAQ
i have been noticing a short connection burst in system monitor every
time i connect to internet.

i got curious and decided to run wireshark to see what was happening.

seems that i am connecting to 96.195.141.178 with destination of
"PartedMagic".

this seemed strange because i do not have PartedMagic installed, so
i ran a 'whois' check.

this is what it showed:

    IP Location    United States, Pittsburgh
                   Comcast Cable Communications Llc
    ASN            United States AS7922 COMCAST-7922
                   - Comcast Cable Communications, Inc.,US
                   (registered Feb 14, 1997)
    Resolve Host   m001dd684d074.pitt1.pa.comcast.net
    Whois Server   whois.arin.net
    IP Address     96.195.141.178
    NetRange:      96.192.0.0 - 96.223.255.255
    CIDR:          96.192.0.0/11
    NetName:       COMCAST-VOIP-4
    NetHandle:     NET-96-192-0-0-1
    Parent:        NET96 (NET-96-0-0-0-0)
    NetType:       Direct Allocation
    OriginAS:
    Organization:  Comcast Cable Communications, LLC (CCCS)

is this something for concern?

if so, what is/are best way/s to track this down?

any and all help / suggestions are much needed and appreciated.

thank you.

--

peace out.

in a world without fences, who needs gates.

tc,hago.

g
.

  • SilverTip257 at Dec 3, 2014 at 5:12 pm

    On Wed, Dec 3, 2014 at 5:49 AM, g wrote:


    i have been noticing a short connection burst in system monitor every
    time i connect to internet.

    i got curious and decided to run wireshark to see what was happening.

    seems that i am connecting to 96.195.141.178 with destination of
    "PartedMagic".

    this seemed strange because i do not have PartedMagic installed, so
    i ran a 'whois' check.


    this is what it showed:

    IP Location United States United States Pittsburgh
    Comcast Cable Communications Llc
    ASN United States AS7922 COMCAST-7922
    - Comcast Cable Communications, Inc.,US
    (registered Feb 14, 1997)
    Resolve Host m001dd684d074.pitt1.pa.comcast.net
    Whois Server whois.arin.net
    IP Address 96.195.141.178
    NetRange: 96.192.0.0 - 96.223.255.255
    CIDR: 96.192.0.0/11
    NetName: COMCAST-VOIP-4
    NetHandle: NET-96-192-0-0-1
    Parent: NET96 (NET-96-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: Comcast Cable Communications, LLC (CCCS)

    is this something for concern?

    Maybe.
    A bit odd since that's assigned as Comcast VOIP and not a static customer
    block.



    if so, what is/are best way/s to track this down?

    I'd dump the traffic with tcpdump or wireshark and analyze it.
    What type of traffic is it?
    (transport layer protocol, as well as application protocol -- ex: HTTP is
    TCP port 80)


    Are there any DNS queries that happen prior to the spike? Use wireshark to
    capture them and that might give a clue.


    You could also use nethogs to diagnose and determine what program is
    causing the spike.
    http://nethogs.sourceforge.net/




    --
    ---~~.~~---
    Mike
    // SilverTip257 //
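The advice above (dump the traffic, then look for the DNS query that precedes the burst) applied to a capture summary. This is an added example, not code from the list or from any poster: the summary lines are constructed in Wireshark's default column layout (No. Time Source Destination Protocol Length Info) using the LAN host and the hostname/address that turn up later in the thread, and the function names are this example's own. Given the remote address of the burst, it finds the first frame a LAN host sent there and the DNS response, delivered to that host, whose answer section contained the address.

```python
import re
from dataclasses import dataclass

# Constructed capture summary (Wireshark default columns). The addresses are
# the thread's; the frames and their timing are made up for this example.
SAMPLE_CAPTURE = """\
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.144 192.168.1.254 DNS 78 Standard query 0x1a2b A secure.informaction.com
2 0.031245 192.168.1.254 192.168.1.144 DNS 142 Standard query response 0x1a2b A secure.informaction.com A 82.103.140.42 A 69.195.141.178
3 1.137831 192.168.1.144 Broadcast ARP 42 Who has 192.168.1.254? Tell 192.168.1.144
4 1.140002 192.168.1.144 69.195.141.178 TCP 74 52334 > 443 [SYN] Seq=0 Win=29200 Len=0
5 1.172110 69.195.141.178 192.168.1.144 TCP 74 443 > 52334 [SYN, ACK] Seq=0 Ack=1
6 1.172300 192.168.1.144 69.195.141.178 TLSv1.2 571 Client Hello
"""

@dataclass
class Frame:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str

# One summary line: frame number, relative time, two addresses, protocol, length, free-text info.
_LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_summary(text):
    """Parse summary lines; the column header and anything unparseable is skipped."""
    frames = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            frames.append(Frame(int(m[1]), float(m[2]), m[3], m[4], m[5], int(m[6]), m[7]))
    return frames

def first_contact(frames, remote_ip):
    """The first frame addressed to remote_ip, i.e. the start of the 'burst'."""
    for f in frames:
        if f.dst == remote_ip:
            return f
    return None

def dns_answer_for(frames, remote_ip, before_time):
    """Latest DNS response before before_time whose answers include remote_ip.
    Returns (queried name, host the answer was delivered to) or None."""
    best = None
    for f in frames:
        if f.proto != "DNS" or f.time >= before_time:
            continue
        if "response" not in f.info or remote_ip not in f.info.split():
            continue
        m = re.search(r"\bA\s+(\S+)", f.info)   # the first "A <name>" is the queried name
        if m:
            best = (m[1], f.dst)                # the response goes back to the host that asked
    return best

def explain_burst(text, remote_ip):
    """Tie the burst to a LAN host and, where a preceding DNS answer exists, to a hostname."""
    frames = parse_summary(text)
    contact = first_contact(frames, remote_ip)
    if contact is None:
        return {"found": False}
    dns = dns_answer_for(frames, remote_ip, contact.time)
    return {
        "found": True,
        "local_host": contact.src,
        "protocol": contact.proto,
        "info": contact.info,
        "dns_name": dns[0] if dns else None,
    }

if __name__ == "__main__":
    print(explain_burst(SAMPLE_CAPTURE, "69.195.141.178"))
```

A capture that shows no DNS answer before the first packet to the remote address is itself informative: the program either had the address cached or was configured with it directly, which narrows what to look for with nethogs.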
  • G at Dec 3, 2014 at 8:45 pm
    On 12/03/2014 11:12 AM, SilverTip257 wrote:

    > Maybe.
    > A bit odd since that's assigned as Comcast VOIP and not a
    > static customer block.

    this is true.

    > I'd dump the traffic with tcpdump or wireshark and analyze it.

    i have a text file saved. see below

    which "save as" form should be used to reload into wireshark without
    loss of information?

    > What type of traffic is it?
    > (transport layer protocol, as well as application protocol
    > -- ex: HTTP is TCP port 80)

    see below.

    > Are there any DNS queries that happen prior to the spike?
    > Use wireshark to capture them and that might give a clue.

    see below.

    > You could also use nethogs to diagnose and determine what program is
    > causing the spike.
    > http://nethogs.sourceforge.net/

    will have to install.

    *BELOW*

    i should have done this before posting. :-(
    i loaded wireshark text file to:

        http://pastebin.com/rCU0CC10

  • G at Dec 3, 2014 at 8:47 pm
    On 12/03/2014 11:13 AM, Mark Milhollan wrote:

    > Do you mean PartedMagic as the destination port? If so that's just a
    > translation from the port number to a name found in your /etc/services
    > file. It is often wrong or misleading, and in most cases can be
    > ignored.

    i have no PartedMagic in /etc/services

    > > NetName: COMCAST-VOIP-4
    > Given this it seems like you have Comcast phone service and what
    > you are seeing is your phone checking-in with their switch.

    my isp service is DSL with bellsouth.net over copper.

    my neighbors to north and south of my home use comcast and they have
    wifi between them. wireless on my router is not enabled.

    wireshark text file loaded at;

        http://pastebin.com/rCU0CC10

  • John R Pierce at Dec 3, 2014 at 9:21 pm

    On 12/3/2014 12:47 PM, g wrote:
    > wireshark text file loaded at;
    >
    > http://pastebin.com/rCU0CC10

    some device on your network has the MAC address 00:0f:fe:8f:8f:23 which
    Wireshark is calling PartedMagic for unknown reasons. That MAC prefix
    apparently belongs to an obscure Chinese computer maker, G-Pro Computers.
    http://macaddress.webwat.ch/vendor/G-PRO_COMPUTER
    the weblink given for G-Pro is wrong.

    some random google searching suggests that they may be an OEM for
    Lite-On, do you have any network devices from Lite-On (I'm only familiar
    with Lite-On as a CD/DVD burner/reader brand).

    oh. the ARP packet suggests that MAC address is 192.168.1.144

        No.  Time         Source       Destination  Protocol  Length  Info
        3    1.137831000  PartedMagic  Broadcast    ARP       42      Who has 192.168.1.254? Tell 192.168.1.144

        Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
        Ethernet II, Src: PartedMagic (00:0f:fe:8f:8f:23), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
        Address Resolution Protocol (request)

    --
    john r pierce 37N 122W
    somewhere on the middle of the left coast
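The frame quoted above, rebuilt byte for byte and parsed back, to show where "Tell 192.168.1.144" comes from: the sender's IP address sits in the ARP payload, and the MAC that Wireshark labels "PartedMagic" appears twice, as the Ethernet source and as the ARP sender hardware address. This is an added example and not code from the thread; build_arp_request and parse_arp_frame are this example's own names, and the bytes are constructed from the fields Wireshark displayed for Frame 3. The parser also reports whether the two MAC fields agree, which is a useful sanity check when reading ARP traffic in a capture.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
# ARP header for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_HDR = "!HHBBH6s4s6s4s"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet II + ARP 'who-has' broadcast, laid out as the sending host would emit it."""
    eth = b"\xff" * 6 + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR,
                      1,                          # HTYPE: Ethernet
                      0x0800,                     # PTYPE: IPv4
                      6, 4,                       # HLEN, PLEN
                      1,                          # OPER: 1 = request
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      b"\x00" * 6,                # target MAC is what the request asks for
                      IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP into the fields Wireshark shows."""
    if len(frame) < 42:
        raise ValueError(f"frame too short for Ethernet+ARP: {len(frame)} bytes")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    opcode = {1: "request", 2: "reply"}.get(oper, f"opcode {oper}")
    sender_ip, target_ip = str(IPv4Address(spa)), str(IPv4Address(tpa))
    if opcode == "request":
        summary = f"Who has {target_ip}? Tell {sender_ip}"
    else:
        summary = f"{sender_ip} is at {mac_str(sha)}"
    return {
        "eth_src": mac_str(eth_src),
        "eth_dst": mac_str(eth_dst),
        "opcode": opcode,
        "sender_mac": mac_str(sha),
        "sender_ip": sender_ip,
        "target_mac": mac_str(tha),
        "target_ip": target_ip,
        # A sender MAC that differs from the Ethernet source is unusual and worth a look.
        "sender_mac_matches_eth_src": sha == eth_src,
        "summary": summary,
    }

# Constructed from the values in Frame 3: same fields, byte layout rebuilt here.
FRAME_3 = build_arp_request("00:0f:fe:8f:8f:23", "192.168.1.144", "192.168.1.254")

if __name__ == "__main__":
    print(len(FRAME_3), "bytes on wire")
    print(parse_arp_frame(FRAME_3)["summary"])
```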
  • G at Dec 3, 2014 at 10:05 pm
    John,
    thank you for replying.

    On 12/03/2014 03:21 PM, John R Pierce wrote:
    > On 12/3/2014 12:47 PM, g wrote:
    > > wireshark text file loaded at;
    > >
    > > http://pastebin.com/rCU0CC10
    > some device on your network has the MAC address 00:0f:fe:8f:8f:23
    > which Wireshark is calling PartedMagic for unknown reasons.

    see my new paste at;

       http://pastebin.com/8vBxnUSf

    > That MAC prefix apparently belongs to an obscure Chinese computer
    > maker, G-Pro Computers. http://macaddress.webwat.ch/vendor/G-PRO_COMPUTER
    > the weblink given for G-Pro is wrong.

    interesting. where does one look to find assignment for MAC addresses?

    > some random google searching suggests that they may be an OEM for
    > Lite-On, do you have any network devices from Lite-On

    no network devices from Lite-On.

      ~]$ lspci|grep net
      00:19.0 Ethernet controller: Intel Corporation 82566DM-2 Gigabit Network Connection (rev 02)
      ~]$

    > (I'm only familiar with Lite-On as a CD/DVD burner/reader brand).

    same here.

    > oh. the ARP packet suggests that MAC address is 192.168.1.144

    that is how i see it.

  • Zep at Dec 3, 2014 at 10:15 pm

    > > oh. the ARP packet suggests that MAC address is 192.168.1.144
    > that is how i see it.

    is that 1.144 IP address in use by the machine you ran the lspci from?
    I think his original intent was that perhaps it was a separate device
    are you running VMs on this host by chance?

    --
    public gpg key id: AE60F64C
  • G at Dec 3, 2014 at 11:09 pm

    On 12/03/2014 04:15 PM, zep wrote:
    > > oh. the ARP packet suggests that MAC address is 192.168.1.144
    > > that is how i see it.
    > is that 1.144 IP address in use by the machine you ran the lspci
    > from?

    somewhere. but i know not where.

    http://www.whoami.it/home/ shows me to be;
        adsl-184-41-28-86.mem.bellsouth.net
    for the hell of it, i pulled and reconnected DSL line, now, i am
        adsl-184-41-28-44.mem.bellsouth.net

    which is now confusing me more because the 1.144 address is in;

      ~]$ ifconfig
      eth0      Link encap:Ethernet  HWaddr 00:0F:FE:8F:8F:23
                inet addr:192.168.1.144  Bcast:192.168.1.255  Mask:255.255.255.0
                inet6 addr: fe80::20f:feff:fe8f:8f23/64 Scope:Link

      lo        Link encap:Local Loopback
                inet addr:127.0.0.1  Mask:255.0.0.0
                inet6 addr: ::1/128 Scope:Host

      virbr0    Link encap:Ethernet  HWaddr 52:54:00:B3:A7:95
                inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0

      [geo at boxen ~]$

    so a question, in checking with a 'whoami' i got;
        adsl-184-41-28-86.mem.bellsouth.net
    where is the 192.168.1.144 being produced when i am not in a VM.

    looking in man ifconfig, nothing is given as to just what is shown.

    > I think his original intent was that perhaps it was a separate
    > device. are you running VMs on this host by chance?

    no VM. this box connects straight to router, which connects straight
    to DSL/phone filter, which connects directly to drop line.

    something/somebody is 'hiding in the wood pile' and it has me
    scratching my balding head even more bald.

  • Les Mikesell at Dec 3, 2014 at 11:18 pm

    On Wed, Dec 3, 2014 at 5:09 PM, g wrote:
    > > is that 1.144 IP address in use by the machine you ran the lspci
    > > from?
    > somewhere. but i know not where.
    >
    > http://www.whoami.it/home/ shows me to be;
    > adsl-184-41-28-86.mem.bellsouth.net
    > for the hell of it, i pulled and reconnected DSL line, now, i am
    > adsl-184-41-28-44.mem.bellsouth.net
    >
    > which is now confusing me more because the 1.144 address is in;
    >
    > ~]$ ifconfig
    > eth0 Link encap:Ethernet HWaddr 00:0F:FE:8F:8F:23
    > inet addr:192.168.1.144 Bcast:192.168.1.255 Mask:255.255.255.0
    > inet6 addr: fe80::20f:feff:fe8f:8f23/64 Scope:Link
    >
    > lo Link encap:Local Loopback
    > inet addr:127.0.0.1 Mask:255.0.0.0
    > inet6 addr: ::1/128 Scope:Host
    >
    > virbr0 Link encap:Ethernet HWaddr 52:54:00:B3:A7:95
    > inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
    >
    > [geo at boxen ~]$
    >
    > so a question, in checking with a 'whoami' i got;
    > adsl-184-41-28-86.mem.bellsouth.net
    > where is the 192.168.1.144 being produced when i am not in a VM.
    >
    > looking in man ifconfig, nothing is given as to just what is shown.
    >
    > > I think his original intent was that perhaps it was a separate
    > > device. are you running VMs on this host by chance?
    >
    > no VM. this box connects straight to router, which connects straight
    > to DSL/phone filter, which connects directly to drop line.
    >
    > something/somebody is 'hiding in the wood pile' and it has me
    > scratching my balding head even more bald.

    Sounds like a typical NAT router setup to me. The router would have
    one public IP and uses a private subnet for your LAN side. The other
    end of an outbound connection sees the NATed public address.

    --
        Les Mikesell
          lesmikesell at gmail.com
  • John R Pierce at Dec 3, 2014 at 11:23 pm

    On 12/3/2014 3:09 PM, g wrote:
    > On 12/03/2014 04:15 PM, zep wrote:
    > > > oh. the ARP packet suggests that MAC address is 192.168.1.144
    > > > that is how i see it.
    > > is that 1.144 IP address in use by the machine you ran the lspci
    > > from?
    > somewhere. but i know not where.
    >
    > http://www.whoami.it/home/ shows me to be;
    > adsl-184-41-28-86.mem.bellsouth.net
    > for the hell of it, i pulled and reconnected DSL line, now, i am
    > adsl-184-41-28-44.mem.bellsouth.net
    >
    > which is now confusing me more because the 1.144 address is in;
    >
    > ~]$ ifconfig
    > eth0 Link encap:Ethernet HWaddr 00:0F:FE:8F:8F:23
    > inet addr:192.168.1.144 Bcast:192.168.1.255 Mask:255.255.255.0
    > inet6 addr: fe80::20f:feff:fe8f:8f23/64 Scope:Link

    your ROUTER gets the internet IP on its WAN side (184.41.28.86 or
    whatever), and your LAN uses 192.168.1.xxx, the system you ran ifconfig
    on there has 192.168.1.144. the router 'translates' your private LAN
    addresses to the public internet address, this process is often called
    NAT (Network Address Translation), or Masquerade.

    so. Wireshark, for unknown reasons, thinks your system is
    'PartedMagic'. I have no idea why.

    so... 'PartedMagic' is a red herring. what's the ACTUAL problem here
    we're trying to solve?

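The NAT setup that Les and John describe, reduced to the translation table a home router keeps, so that both views in the thread line up: the box sees itself as 192.168.1.144, while the far end of every outbound connection sees the router's WAN address. This is an added example, not code from the thread or from any router; the WAN address 184.41.28.86, the LAN 192.168.1.0/24 and the remote 69.195.141.178:443 are the thread's values, and NatRouter, Packet, the port pool and the table layout are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges are never routed on the public internet, which is why a
# whoami-style service can only ever report the router's WAN address.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_scope(ip):
    return "private (RFC 1918)" if any(ip_address(ip) in n for n in RFC1918) else "public"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Source NAT ('masquerade'): every LAN host shares one WAN address and is
    told apart on the way back by the port the router allocated for the flow."""

    def __init__(self, wan_ip, lan_net, first_port=1024):
        self.wan_ip = wan_ip
        self.lan_net = ip_network(lan_net)
        self.next_port = first_port
        self.outbound = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> wan_port
        self.inbound = {}    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def lan_to_wan(self, pkt):
        """Rewrite an outbound packet's source to the WAN address plus a pool port."""
        if ip_address(pkt.src_ip) not in self.lan_net:
            raise ValueError(f"{pkt.src_ip} is not on the LAN side of this router")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.outbound.get(key)
        if wan_port is None:                      # first packet of a flow: create state
            wan_port = self.next_port
            self.next_port += 1
            self.outbound[key] = wan_port
            self.inbound[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt):
        """Deliver a reply to the LAN host that started the flow; no state means it is dropped."""
        if pkt.dst_ip != self.wan_ip:
            raise ValueError("packet is not addressed to this router's WAN address")
        state = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if state is None:
            return None                           # unsolicited inbound: nothing to map it to
        lan_ip, lan_port = state
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

def demo():
    """One outbound HTTPS flow from 192.168.1.144, as seen on each side of the router."""
    nat = NatRouter("184.41.28.86", "192.168.1.0/24")
    outbound = nat.lan_to_wan(Packet("192.168.1.144", 52334, "69.195.141.178", 443))
    reply = Packet("69.195.141.178", 443, outbound.src_ip, outbound.src_port)
    delivered = nat.wan_to_lan(reply)
    unsolicited = nat.wan_to_lan(Packet("69.195.141.178", 443, "184.41.28.86", 40000))
    return outbound, delivered, unsolicited

if __name__ == "__main__":
    out, back, stray = demo()
    print("remote side sees:   ", out)
    print("LAN host receives:  ", back)
    print("unsolicited inbound:", stray)
    print("192.168.1.144 is", address_scope("192.168.1.144"))
```

The dropped unsolicited packet is the side effect that makes a NAT router behave like a basic inbound firewall: with no flow state, there is no LAN host to deliver to.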
  • Kahlil Hodgson at Dec 3, 2014 at 11:42 pm
    Possibly your system was installed or cloned using PartedMagic, and that
    left an entry in

       /etc/ethers

    mapping your default nic to the name 'PartedMagic'?

    K

    Kahlil (Kal) Hodgson GPG: C9A02289
    Head of Technology (m) +61 (0) 4 2573 0382
    DealMax Pty Ltd

    Suite 1416
    401 Docklands Drive
    Docklands VIC 3008 Australia

    "All parts should go together without forcing. You must remember that
    the parts you are reassembling were disassembled by you. Therefore,
    if you can't get them together again, there must be a reason. By all
    means, do not use a hammer." -- IBM maintenance manual, 1925

    On Thu, Dec 4, 2014 at 10:23 AM, John R Pierce wrote:
    > On 12/3/2014 3:09 PM, g wrote:
    > > On 12/03/2014 04:15 PM, zep wrote:
    > > > > oh. the ARP packet suggests that MAC address is 192.168.1.144
    > > > > that is how i see it.
    > > > is that 1.144 IP address in use by the machine you ran the lspci
    > > > from?
    > > somewhere. but i know not where.
    > >
    > > http://www.whoami.it/home/ shows me to be;
    > > adsl-184-41-28-86.mem.bellsouth.net
    > > for the hell of it, i pulled and reconnected DSL line, now, i am
    > > adsl-184-41-28-44.mem.bellsouth.net
    > >
    > > which is now confusing me more because the 1.144 address is in;
    > >
    > > ~]$ ifconfig
    > > eth0 Link encap:Ethernet HWaddr 00:0F:FE:8F:8F:23
    > > inet addr:192.168.1.144 Bcast:192.168.1.255 Mask:255.255.255.0
    > > inet6 addr: fe80::20f:feff:fe8f:8f23/64 Scope:Link
    >
    > your ROUTER gets the internet IP on its WAN side (184.41.28.86 or
    > whatever), and your LAN uses 192.168.1.xxx, the system you ran ifconfig on
    > there has 192.168.1.144. the router 'translates' your private LAN
    > addresses to the public internet address, this process is often called NAT
    > (Network Address Translation), or Masquerade.
    >
    > so. Wireshark, for unknown reasons, thinks your system is 'PartedMagic'.
    > I have no idea why.
    >
    > so... 'PartedMagic' is a red herring. what's the ACTUAL problem here
    > we're trying to solve?
    >
    > --
    > john r pierce 37N 122W
    > somewhere on the middle of the left coast
    >
    > _______________________________________________
    > CentOS mailing list
    > CentOS at centos.org
    > http://lists.centos.org/mailman/listinfo/centos
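The two explanations in the thread for the "PartedMagic" label, Kahlil's /etc/ethers entry and John's vendor prefix, are the two sources Wireshark actually consults for a MAC name, in that order: an exact match in an ethers file (the system /etc/ethers or the ethers file in the user's Wireshark profile directory) wins, otherwise the first three bytes are looked up in the manuf file, which is derived from the IEEE registry of vendor assignments and is also the answer to g's question of where MAC assignments are recorded. The lookup below is an added example, not Wireshark's own code: the two file contents are constructed in the formats those files use, the 'PartedMagic' ethers line stands for Kahlil's hypothesis rather than anything found on the poster's box, the manuf entries are limited to 24-bit prefixes, and the 52:54:00 entry is made up for this example. The function names are this example's own.

```python
import re

# Constructed inputs in the two file formats Wireshark consults for MAC names.
# The MACs and the 'PartedMagic' label come from the thread; the ethers entry
# models the hypothesis under discussion, it is not a finding.
ETHERS_FILE = """\
# ethers(5) format: <MAC address> <hostname>
00:0f:fe:8f:8f:23   PartedMagic
"""

MANUF_FILE = """\
# Wireshark manuf format (24-bit OUI entries only, for this example):
# <prefix><TAB><short name><TAB># <long name>
00:0F:FE\tG-ProCom\t# G-PRO COMPUTER
52:54:00\tExampleVM\t# constructed entry, not a real registry line
"""

def normalize_mac(mac):
    """Accept 00:0F:FE..., 00-0f-fe... or 000ffe... and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def _data_lines(text):
    """Yield non-empty lines with trailing '#' comments removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def load_ethers(text):
    """Exact MAC -> host name, as /etc/ethers or a profile's ethers file supplies."""
    table = {}
    for line in _data_lines(text):
        mac, name = line.split(None, 1)
        table[normalize_mac(mac)] = name.strip()
    return table

def load_manuf(text):
    """24-bit OUI prefix -> vendor short name (real manuf files also carry longer prefixes)."""
    table = {}
    for line in _data_lines(text):
        prefix, short_name = line.split(None, 2)[:2]
        table[normalize_mac(prefix + ":00:00:00")[:8]] = short_name
    return table

def resolve_mac(mac, ethers, manuf):
    """Mimic the display-name lookup order: an exact ethers entry beats the OUI vendor name."""
    mac = normalize_mac(mac)
    first_octet = int(mac[:2], 16)
    result = {
        "mac": mac,
        # Bit 1 of the first octet set: address was chosen locally (VMs, bridges,
        # randomized addresses), so no vendor registry can say who made the device.
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }
    if mac in ethers:
        result.update(display=ethers[mac], source="ethers (exact match)")
    elif mac[:8] in manuf:
        # Wireshark's style for an OUI hit: Vendor_xx:xx:xx with the device-specific half
        result.update(display=f"{manuf[mac[:8]]}_{mac[9:]}", source="manuf (OUI prefix)")
    else:
        result.update(display=mac, source="unresolved")
    return result

if __name__ == "__main__":
    ethers, manuf = load_ethers(ETHERS_FILE), load_manuf(MANUF_FILE)
    for mac in ("00:0F:FE:8F:8F:23", "00:0f:fe:11:22:33", "52:54:00:B3:A7:95", "aa-bb-cc-dd-ee-ff"):
        r = resolve_mac(mac, ethers, manuf)
        print(f"{mac:20} -> {r['display']:24} [{r['source']}]")
```

Run against the thread's addresses, the eth0 MAC resolves through the ethers entry and the virbr0 MAC 52:54:00:B3:A7:95 is flagged as locally administered, which is what one expects of a libvirt bridge; checking the profile's ethers file next to /etc/ethers is the quick way to confirm or rule out Kahlil's explanation.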
  • Kahlil Hodgson at Dec 3, 2014 at 11:49 pm
    Apologies for the previous top post :-( Forgot to trim the (...)
  • Zep at Dec 3, 2014 at 10:31 pm

    On 12/03/2014 05:05 PM, g wrote:
    > John,
    > thank you for replying.
    > On 12/03/2014 03:21 PM, John R Pierce wrote:
    > > On 12/3/2014 12:47 PM, g wrote:
    > > > wireshark text file loaded at;
    > > >
    > > > http://pastebin.com/rCU0CC10
    > > some device on your network has the MAC address 00:0f:fe:8f:8f:23
    > > which Wireshark is calling PartedMagic for unknown reasons.
    > see my new paste at;
    >
    > http://pastebin.com/8vBxnUSf

    since

      [zep at nemesis ~]$ nslookup secure.informaction.com
      Server:         192.168.10.22
      Address:        192.168.10.22#53

      Non-authoritative answer:
      Name:   secure.informaction.com
      Address: 82.103.140.42
      Name:   secure.informaction.com
      Address: 82.103.140.40
      Name:   secure.informaction.com
      Address: 69.195.141.178
      Name:   secure.informaction.com
      Address: 69.195.141.179

    and going to www.informaction.com lists off things like noscript and a
    few other browser add-on sorts of things, I'd tend to think that you
    [perhaps the plural 'you', meaning possibly some other individual]
    installed one of their extensions [or some other piece of FOSS] and it's
    doing a call home to check for updates or do some sort of comparison,
    like adblock's blacklist.

    no idea where the wonky name comes from.

  • G at Dec 3, 2014 at 8:53 pm
    On 12/03/2014 04:49 AM, g wrote:

    my bad. :-(

    to SilverTip257 and Mark Milhollan,

    thank you for responding. my "chemo brain" gets forgetful.

    i am taking system offline after sending this and will run wireshark
    again to see if there is anything different.

    thanks again.

  • G at Dec 3, 2014 at 9:53 pm
    new paste at;

       http://pastebin.com/rCU0CC10

    hopefully this will give better info and answers.

    thanks again to respondents.

  • John R Pierce at Dec 3, 2014 at 10:37 pm

    On 12/3/2014 1:53 PM, g wrote:
    > new paste at;
    >
    > http://pastebin.com/rCU0CC10
    >
    > hopefully this will give better info and answers.
    >
    > thanks again to respondents.

    again, wireshark is, for some unknown reason, calling that
    00:0f:fe:8f:8f:23 MAC address "PartedMagic", this MAC is associated with
    the IP 192.168.1.144

    other than wireshark's odd name for this host, I see nothing wrong
    here. Does in fact the system with that IP have that MAC? if so,
    everything is normal, that system is apparently connecting to
    https://secure.informaction.com


Discussion overview: group centos (centos.org, irc #centos); posted Dec 3, '14 at 10:49a, active Dec 3, '14 at 11:49p; 16 posts, 6 users.