can someone tell me what is happening! v.netstat stuff

[hookinitup]

recently i've started noticing that websites have been taking a while to load and youtube vids have been taking forever to buffer. i have all the neccessary security tools in place and a scan of my system by MS security essentials doesn't show any virii or anything of that sort.

I check my netstat and find a TON of open connections...most to [74.125.225.xxx] on port 80. when navigating to youtube with firefox the number of connections is insane. I then tried IE and it's less in number. going to google alone just shows one open connection plus 2 or 3 localhost connections. I even blocked the above IP range using my router firewall but i still see established connections from the range on port 80. What gives?

cliffs:
youtube vids and websites in general loading slower than cold molasses. netstat shows a ton of open connections to [74.125.225.xxx], mainly when browsing youtube with firefox. what are they for and what do i do?

the pic:
all the time_wait connections were established connections when i only had 1 youtube page open on firefox. i closed firefox and switched to IE causing them to go into time_wait status. the established connections at the bottom are when only 1 youtube page is open using IE.

 

[lxskllr]

the 74.125 ips belong to Google. I don't know why so many are open though. Maybe it's for contingency purposes to allow faster streaming.

 

[hookinitup]

the 74.125 ips belong to Google. I don't know why so many are open though. Maybe it's for contingency purposes to allow faster streaming.

weird isnt it.

i aslo get a bunch of connections regularly to [184.84.236.X] on port 80. the executable involved is:

a184-84-236-192.deploy.akamaitechnologies.com:http

and also a ton to the following two:

ord08s07-in-f9.1e100.net:http
amazonaws (?)


right now this is what i see while just on this page in IE

 

[Lifted]

You apparently now how to run -b which shows you the processes. Are all of those real media and akamai connections occurring via IE? In the latest screenshot, some of the connections may be from software on your PC checking for updates to Akamai and AWS. Have you checked your IE add-ons to make sure there is nothing installed and enabled which you aren't aware of?

You can also check with the www.arin.net whois (top right - paste the IP) to see who owns the netblock. That in conjuction with netstat -b should give you some idea of what's going on.

 

[Mongrelchops]

If you're worried about current connections - it will drive you insane. I say this because i spent a considerable amount of time doing the same.

As Lifted has said - you can run the -b switch (which is easier than running -ano switch and using ProcessID) to show you what is creating that connection.

I would never bother running this when you have a browser open though.

For websites like Youtube - it would be a nightmare, not only would you have at LEAST 1 ip for Youtube itself, you would be plagued with other IP's which support all the cr@ppy adverts they have, and an IP for the server which deals with the comments, and an IP for the DNS and an IP for Premium Banner Ads, -the list goes on.

Something which may be of help to you is the status

IIRC -
TIME_WAIT is generally expired connections (i.e - whatever started that session is now aiming to close)

ESTABLISHED - Connection Established - transfer request in process, or whatever else is being authenticated (concentrate on these)

CLOSE_WAIT - Server has received finish command from whatever process started the link - this will disappear next time you run a netstat

Do you run any firewall software or Hardware?

 

[hookinitup]

You apparently now how to run -b which shows you the processes. Are all of those real media and akamai connections occurring via IE? In the latest screenshot, some of the connections may be from software on your PC checking for updates to Akamai and AWS. Have you checked your IE add-ons to make sure there is nothing installed and enabled which you aren't aware of?

You can also check with the www.arin.net whois (top right - paste the IP) to see who owns the netblock. That in conjuction with netstat -b should give you some idea of what's going on.

i went through the arin.net website to try to get a grip on the IPs. basically I have short listed two companies' IPs that I dont know about that show up...Akamai technologies and Meebo. Also, amazonaws shows up quite a bit. From a few searches online i came across people saying amazonaws could be bots using the amazon hosting services.

If someone can tell me what the deal is with Akamai, Meebo and Amazonaws, and why they are establishing so many open connections it would help me tremendously. The open connections are being established when i use both firefox and IE, but more so when using firefox.

when i dont have a browser open I have two or three localhost connections, so it's clearly not a program on my comp setting up the connections. If i have FF or IE open on multiple pages and am not actively browsing for 10min or so all the open connections disappear as well.

If you're worried about current connections - it will drive you insane. I say this because i spent a considerable amount of time doing the same.

As Lifted has said - you can run the -b switch (which is easier than running -ano switch and using ProcessID) to show you what is creating that connection.

I would never bother running this when you have a browser open though.

For websites like Youtube - it would be a nightmare, not only would you have at LEAST 1 ip for Youtube itself, you would be plagued with other IP's which support all the cr@ppy adverts they have, and an IP for the server which deals with the comments, and an IP for the DNS and an IP for Premium Banner Ads, -the list goes on.

Something which may be of help to you is the status

IIRC -
TIME_WAIT is generally expired connections (i.e - whatever started that session is now aiming to close)

ESTABLISHED - Connection Established - transfer request in process, or whatever else is being authenticated (concentrate on these)

CLOSE_WAIT - Server has received finish command from whatever process started the link - this will disappear next time you run a netstat

Do you run any firewall software or Hardware?

I know what you are saying about going crazy over netstat data. I have never really been one to obsess over this kind of thing. THis is the first time i'm actually looking at it since initially messing with it many many years ago. LIke i said, browsing has been dog slow lately. My ISP shows good signal levels, my physical network is ok and my comp is running fine other than when i'm browsing, which is what led me to look at netstat...and looking at it definitely shows me stuff that doesnt look normal.


i have more screen shots of netstat results with the browser open to just AT and without the browser open...if anyone wants to see them i'll post them up.

does anyone know if netstat has a switch to show how much data has passed through each connection?

 

[Lifted]

does anyone know if netstat has a switch to show how much data has passed through each connection?

Resource Manager in Win 7 will do that. Go to the Network tab, click on the process you want to monitor, and it will show you the IP and current network activity.

Since you say this happens in firefox, maybe you could list your add-ons here. If you don't have any add-ons, or just very common ones, it could be sites you are visiting. Do you have adblock and no-script installed? If not try them out and see how it goes. Could be javascript or a flash object/ad on a site you frequent that is causing it.

Akamai a large content/file hosting company. Microsoft uses them.

Amazon AWS (amazon web services) is Amazons cloud service. A lot of companies host their sites and services there.

Meebo is used by websites as well for social network integration.

It's all pointing to some site(s) you are visiting.

 

[hookinitup]

Resource Manager in Win 7 will do that. Go to the Network tab, click on the process you want to monitor, and it will show you the IP and current network activity.

Since you say this happens in firefox, maybe you could list your add-ons here. If you don't have any add-ons, or just very common ones, it could be sites you are visiting. Do you have adblock and no-script installed? If not try them out and see how it goes. Could be javascript or a flash object/ad on a site you frequent that is causing it.

Akamai a large content/file hosting company. Microsoft uses them.

Amazon AWS (amazon web services) is Amazons cloud service. A lot of companies host their sites and services there.

Meebo is used by websites as well for social network integration.

It's all pointing to some site(s) you are visiting.

firefox add-ons:
exif viewer
java quick starter 1.0 (i disabled this)
Microsoft .NET Framework Assistant 1.1 (also disabled)

i have MSE and spybot installed for comp security and have a limited user account with which i use the comp. I used to use adblock but switched to spybot when adblock kinda became bloatware. what is no-script?

the websites i visit 99% of the time are email (gmail, hotmail, yahoo), deal sites (fatwallet, slickdeals), big etailers (amazon, newegg, etc), a couple of forums (OT, NN, AT), news (bbc, cnn, etc) and my banking sites. I have been visiting these same sites for atleast the past 5 years now and they are all sufficiently big enough that none of them would ad bomb their user base and all are pretty good about policing spam that may be posted on their sites.

I very rarely use facebook or any type of dedicated social media platforms.

Every now and again i visit sites where u can stream shows n movies...again i have been going to these same sites for years. The problems I have started just over a couple weeks ago.

 

[Lifted]

Every now and again i visit sites where u can stream shows n movies...again i have been going to these same sites for years. The problems I have started just over a couple weeks ago.

They started a couple weeks ago or you noticed this a couple weeks ago?

I am still not convinced this should be considered a problem (at least not a malware problem, unless you consider ads and tracking cookies malware).

Simple solution is to figure out which site is opening these unwated connections to the third party sites by opening 1 website at a time and monitoring the connections being made from firefox via netstat or resource manager, leave it open and browse for a bit, then close the browser when you have the info you need open another site. Make sure to have only 1 browser/tab/site open at time.

How is adblock bloatware? I've never noticed anything bloated about it.

Noscript does exactly what it sounds like. It blocks scripts (basically javascript) from running except for those sites you allow. You can permanently allow scripts for sites you trust and visit on a regular basis, and temporarily allow scripts to run on sites you are just passing through. It does create a bit more work as you often have to allow scripts from several sites through on a single page in order to get the page to display properly or get a video playing (i.e. allow break.com doesn't work alone, you also have to allow breakmedia.com).

If these connections bother you for whatever reason (the sites you mentioned are all legit in my book), then run no-script in firefox and the connections should stop as they are probably being initiated via javascript or flash. It will also show you how many other sites some of the sites/pages you are visiting are often pulling from. Some sites try to load crap (i.e. mostly ads) from up 10 or more 3rd party sites. Just for this reason the speed of loading sites often increases tremendously as the javascript from those sites isn't running and whatever was trying to be loaded into the page and run within the browser is not running.

 

[hookinitup]

They started a couple weeks ago or you noticed this a couple weeks ago?

I am still not convinced this should be considered a problem (at least not a malware problem, unless you consider ads and tracking cookies malware).

Simple solution is to figure out which site is opening these unwated connections to the third party sites by opening 1 website at a time and monitoring the connections being made from firefox via netstat or resource manager, leave it open and browse for a bit, then close the browser when you have the info you need open another site. Make sure to have only 1 browser/tab/site open at time.

How is adblock bloatware? I've never noticed anything bloated about it.

Noscript does exactly what it sounds like. It blocks scripts (basically javascript) from running except for those sites you allow. You can permanently allow scripts for sites you trust and visit on a regular basis, and temporarily allow scripts to run on sites you are just passing through. It does create a bit more work as you often have to allow scripts from several sites through on a single page in order to get the page to display properly or get a video playing (i.e. allow break.com doesn't work alone, you also have to allow breakmedia.com).

If these connections bother you for whatever reason (the sites you mentioned are all legit in my book), then run no-script in firefox and the connections should stop as they are probably being initiated via javascript or flash. It will also show you how many other sites some of the sites/pages you are visiting are often pulling from. Some sites try to load crap (i.e. mostly ads) from up 10 or more 3rd party sites. Just for this reason the speed of loading sites often increases tremendously as the javascript from those sites isn't running and whatever was trying to be loaded into the page and run within the browser is not running.

i noticed it two weeks before that last post...but the problem hadn't started more than 1 or 2 days prior at most.

I think the problem may have actually been with my ISP, despite me calling them a few times and them telling me that everything was fine. The signal levels may or may not have been ok and/or there have been something happening with their servers cuz right now i have double the amount of connections showing established in netstat yet everything is flying zip-de-do.

oh and about adblock...i meant adaware. i can't speak to the specifics of it but the word on the street a couple years ago was that adaware became bloatware.

but thanks for your ideas about this issue dude...i really appreciate it.