Constant network usage by an unknown process



Gnome System Monitor on my Arch Linux system reports constant network usage of about 1~2 KiB/s received and a very small amount sent, even when I don't have any applications running. My iptables configuration does not allow any listening and allows only connections established by a local process. I didn't enable any daemon that uses the network. I tried to figure out which process uses the network using nethogs. It reports something like this.

? root   (my static ip address):41764-     0.000   0.023 KB/sec  
? root   (my static ip address):2323-   0.000   0.018 KB/sec
? root   unknown TCP                                         0.000   0.000 KB/sec

The remote addresses change from time to time. This kind of network usage also happens when I disable gdm, so no Xorg or GNOME session is running. I have no clue what causes the network usage. Any idea?


Posted 2017-06-20T12:45:05.927


Have you tried to go to

– xenoid – 2017-06-20T13:53:36.683



An nslookup on the first address shows it is a system in China:

$ nslookup

Non-authoritative answer:       name =

Authoritative answers can be found from:


The "cn" at the end of the fully qualified domain name (FQDN) is the country code for China. And the Asia-Pacific Network Information Centre (APNIC), the regional Internet Registry (RIR) for Asia, shows the IP address is in an address range assigned to "Tsqc internet club" in China.

An nslookup on the other address shows the FQDN associated with that address is a Shadowserver Foundation host. The Shadowserver Foundation is a "volunteer group of professional Internet security workers that gathers, tracks and reports on malware, botnet activity and computer fraud. It aims to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers and the spread of malware." The home page for the organization states:

Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. Our mission is to understand and help put a stop to high stakes cybercrime in the information age.

As to why you might have seen network transmissions between your system and the ShadowServer system, see the organization's Open Portmapper Scanning Project page.

The other IP address in China might have been an attempt by that system to connect to your system. The Internet Storm Center, which is a program of the SANS Technology Institute that monitors the level of malicious activity on the Internet, reports recent scanning activity from the address.

If you are connected to the Internet, you should expect frequent attempts by systems throughout the world to connect to your system as there are people throughout the world scanning the Internet for systems with vulnerabilities they can exploit; a connection attempt doesn't necessarily mean your system is vulnerable, only that someone is probing your IP address for vulnerabilities.

You could use tcpdump or Wireshark to capture and analyze the data flows to get a better idea of what is happening, i.e., is someone simply scanning your system looking for vulnerabilities or has someone compromised your system. Learning to use those tools effectively may take a fair amount of time, if you aren't familiar with Internet network protocols, but they are invaluable in troubleshooting network problems and analyzing network traffic.


The output you posted from NetHogs showed only the network ports for the other systems, i.e., 24630 for the system in China and 37393 for the Shadowserver system, but not the corresponding ports on your system. If you want to know what process is listening on a particular port on your system, you can use the lsof command. E.g., if you wanted to know which process was listening on the standard HTTP port, which is well-known port 80, you could issue the command lsof -i TCP:80 (TCP is the protocol for HTTP, while some other network protocols use UDP) or, alternatively, you could use the netstat command netstat -nlp | grep :80. Issue the commands from the root account, i.e., either log in as root and issue the command or put sudo in front of the command, depending on the distribution of Linux you are using. Refer to Finding the PID of the process using a specific port? on the Unix & Linux sister site to this site for other methods and example output.


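The lsof -i / netstat -nlp step above works because Linux exposes every TCP socket in /proc/net/tcp and every open file descriptor of every process under /proc/<pid>/fd; a socket's owner is whichever fd symlink points at socket:[<inode>]. The script below is an added example, not code from the original answer or from NetHogs/lsof, that performs that mapping itself so you can see why the answer insists on root: without it, other users' fd directories are unreadable and the owner column comes back as "-". The /proc/net/tcp snapshot and the fake /proc tree it builds (pid 123 named rpcbind, TEST-NET address 203.0.113.5, ports 111, 41764 and 2323) are constructed for the demo and are not data from the asker's machine; it assumes a little-endian host, which is what x86 and arm64 are.

```python
"""Added example (not from the original post): map TCP sockets to owning
processes the way `netstat -p` / `lsof -i` do on Linux.

Sockets come from /proc/net/tcp (addresses are hex in host byte order);
the owner is whichever /proc/<pid>/fd/<n> symlink points at socket:[<inode>].
"""
import os
import socket
import struct
import tempfile
from pathlib import Path

# Numeric socket states, from the kernel's include/net/tcp_states.h
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp snapshot (not captured from the asker's host):
# a portmapper listener on 0.0.0.0:111 (the port Shadowserver's scan probes)
# and one established connection from local port 41764 to 203.0.113.5:2323.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A324 057100CB:0913 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80).

    The kernel prints the IPv4 address in host byte order, so the "<I"
    unpack assumes a little-endian host (x86, arm64); the port is plain hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text (header line, then one socket per line)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_addr(f[1]), "remote": parse_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_owners(proc_root="/proc"):
    """Return {socket inode: (pid, comm)} for every fd we are allowed to read.

    Reading /proc/<pid>/fd of another user's process needs root (EACCES
    otherwise), which is why netstat/lsof print '-' unless run with sudo.
    """
    owners = {}
    for piddir in Path(proc_root).iterdir():
        if not piddir.name.isdigit():
            continue
        try:
            comm = (piddir / "comm").read_text().strip()
            fds = list((piddir / "fd").iterdir())
        except OSError:          # EACCES without root, ENOENT if it just exited
            continue
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = (int(piddir.name), comm)
    return owners


def describe(rows, owners):
    """One netstat-like line per socket; owner '-' when nobody visible holds it."""
    out = []
    for r in rows:
        pid, comm = owners.get(r["inode"], (None, "-"))
        who = f"{pid}/{comm}" if pid else "-"
        out.append(f"{r['state']:<11} {r['local'][0]}:{r['local'][1]} -> "
                   f"{r['remote'][0]}:{r['remote'][1]} uid={r['uid']} owner={who}")
    return out


def build_fake_proc(root):
    """Constructed fixture: a fake /proc with one process (pid 123, 'rpcbind')
    holding the listener's socket inode 12345. Nobody holds inode 67890."""
    fd_dir = Path(root) / "123" / "fd"
    fd_dir.mkdir(parents=True)
    (Path(root) / "123" / "comm").write_text("rpcbind\n")
    os.symlink("socket:[12345]", fd_dir / "4")


def demo():
    """Run the mapping against the constructed snapshot and fake /proc tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return describe(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), socket_owners(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
    # On a real Linux host (run as root to see other users' processes):
    if Path("/proc/net/tcp").exists():
        for line in describe(parse_proc_net_tcp(Path("/proc/net/tcp").read_text()),
                             socket_owners()):
            print(line)
```

The constructed snapshot prints the portmapper listener as owned by 123/rpcbind and the established connection with owner "-", which is exactly what an unprivileged netstat -p shows for a socket held by another user's process. For the asker's case that distinction matters: a remote host hammering port 111 will never appear as an owned socket (the firewall drops it before any process is involved), whereas a socket that is ESTABLISHED but shows no owner even as root is worth a closer look with tcpdump.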

Thank you for the detailed reply. Still, I have a question. What daemon in my system responds to the scan? I tried "rpcinfo -T udp -p [my ip]" from another machine as explained in the ShadowServer page. However, nethogs didn't show any network usage related to the machine when I tried it, and the command didn't get a response. Analyzing with tcpdump or Wireshark seems to need some study. Is there any quick method to check what daemon responds to the scan? – lilina – 2017-06-20T15:02:25.170

@lilina, I've updated my response with further information on how you can determine what program is listening on a particular port on a Linux system. – moonpoint – 2017-06-20T17:30:30.333