
I'm analyzing the network traffic with iftop and I'm puzzled by this output:

188.25.15.139:11596     => 104.31.112.90:8880       130KB     32KB     19KB
                        <=                          162KB     51KB     30KB

My ip is 188.25.15.139.

The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)

My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters), so I see no reason to have so much traffic "from me" on port 11596.

Also I have no process listening on 11596 or 8880; I checked this with:

sudo ss -lptn 'sport = :11596'  
sudo ss -lptn 'sport = :8880'

Main question: how could one explain the traffic "from me"?

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

uname -a

Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

EDIT

iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[1] 22                         LIMIT IN    Anywhere                  
[2] 80                         ALLOW IN    Anywhere                  
[3] 443                        ALLOW IN    Anywhere                  
Adrian

1 Answer


In short, the answer is:

A JavaScript application is sending data to and receiving data from 104.31.112.90:8880.

In order to find that out, I used, with success:

telnet 104.31.112.90 8880

This means that 8880 is most probably not a random port, as it would be if 104.31.112.90 had initially connected to me; this further means that somehow I was the one who initiated the connection to 104.31.112.90:8880. After further digging I found that 104.31.112.90 is a Cloudflare server; most probably that is a server hosting a web service of some sort which I was consuming.

Considering that I already had the browser open with many tabs, most probably a JavaScript application was consuming some web services from 104.31.112.90:8880. Ignoring ports 53, 80, 123 and 443 when using iftop wouldn't help with JavaScript already running in already-opened browser tabs.

Adrian
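The `ss -lptn` check in the question only lists listening sockets, so an outbound connection whose local ephemeral port happens to be 11596 never shows up there; the owning process is found by filtering established connections by peer instead. The helper below is an added example, not code from the question or answer: it assumes `ss -tnp` output on stdin (a constructed sample is embedded, with 198.51.100.7 as a made-up second peer) and prints the local port and owning process for a given peer.

```shell
#!/bin/sh
# peer_owner PEER_IP PEER_PORT  < output-of-`sudo ss -tnp`
# Prints "<local port> <process> pid=<pid>" for every ESTAB connection to the peer.
peer_owner() {
    awk -v peer="$1:$2" '
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        $1 == "ESTAB" && $5 == peer {
            n = split($4, local, ":")            # last field survives IPv6 colons
            proc = "unknown"
            # Process column looks like users:(("firefox",pid=1234,fd=77))
            if (match($6, /\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($6, RSTART + 3, RLENGTH - 3)   # firefox",pid=1234
                sub(/",pid=/, " pid=", s)                  # firefox pid=1234
                proc = s
            }
            print local[n], proc
        }'
}

# Constructed sample standing in for real `sudo ss -tnp` output (not a capture).
SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      188.25.15.139:11596  104.31.112.90:8880  users:(("firefox",pid=1234,fd=77))
ESTAB  0      0      188.25.15.139:44102  198.51.100.7:443    users:(("curl",pid=2222,fd=5))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=800,fd=3))'

printf '%s\n' "$SAMPLE" | peer_owner 104.31.112.90 8880
# On a live host:  sudo ss -tnp | peer_owner 104.31.112.90 8880
```

Because UFW's default INPUT policy is stateful, replies to a connection the browser opened are accepted even though nothing listens on 11596, which is why the inbound rules in the question do not block this traffic.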