firefox grows, taking over all resources

Collier-Brown, David (LNG-CAN) David.Collier-Brown-ghy6y1RO5ssFyWsGDH9TEg at public.gmane.org
Fri Oct 1 15:22:46 UTC 2010


I use the "net" tab of Firebug to look at the over-the-wire behavior of
individual pages, and see amazing masses of dreck...

Things found by tcpdump and not shown by firebug for a given period
would definitely be suspicious.

--dave

-----Original Message-----
From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of D. Hugh Redelmeier
Sent: Friday, October 01, 2010 10:43 AM
To: tlug-lxSQFCZeNF4 at public.gmane.org
Subject: Re: [TLUG]: firefox grows, taking over all resources

| From: JOSE <jtc-vS8X3Ji+8Wg6e3DpGhMbh2oLBQzVVOGK at public.gmane.org>

| I have found that even without flash, FF would take resources, mainly
| to some page having a loop script trying to load its content on the
| page.

Interesting hint.

(I don't run flash.)

While the browser was running, but I was not browsing, I ran
	/usr/sbin/tcpdump -i eth0 port 
for a minute and got
	7454 packets captured
	7535 packets received by filter
	81 packets dropped by kernel
Yikes!  So fast that the kernel is dropping them!  More than 100 per
second!

30 "different" sites, not all discernable via their reverse lookup,
but many are related.

Have I got an infection?  If I do, it is running in FF since there is
no port 80 traffic when I shut it down.

The most packets to or from a single destination is 707 to and 643
back from mpr1.ngd.vip.ac4.yahoo.com.

Number two is 216.154.11.41 (659 to and 330 back).  It doesn't resolve
but is in a range assigned to look.ca.  Look.ca was my former ISP and
even though the ADSL business was sold to Telnet Communications, my
gateway's IP address is still assigned to Look Communications.  I
don't know if that is relevant.

Here are the different sites, in alphabetic order so that groups can
be inferred.  Each is prefixed by the count of packets transferred.
For each IP address that could not be reversed, I've added the name
whois says is assigned that address.

  Count Site [Organization Name]
     90 128.242.250.155 [NTT America Enterprise Hosting - San Jose]
    191 208.68.159.63 [Alurium Hosting]
    154 216.154.11.40 [Look Communications Inc.]
    989 216.154.11.41 [Look Communications Inc.]
    106 216.154.11.42 [Look Communications Inc.]
    596 66.151.61.142 [the Rubicon project]
    112 70.33.205.133 [Eye Return PEER1-EYERETURN-02]
     43 70.33.205.136 [Eye Return PEER1-EYERETURN-02]
     11 72.21.91.19 [EdgeCast Networks, Inc.]
     20 76.74.140.165 [Eye Return PEER1-EYERETURN-02]
     52 8.17.87.173 [Joyent, Inc.]
    103 a173-222-184-74.deploy.akamaitechnologies.com
    176 cookex1.cl1.ads.adx.vip.ac4.yahoo.com
    407 cookex1.cl2.ads.adx.vip.ac4.yahoo.com
    194 ec2-75-101-227-132.compute-1.amazonaws.com
      3 mojofarm.mediaplex.com
    319 mpr1.2ngd.vip.ac4.yahoo.com
   1350 mpr1.ngd.vip.ac4.yahoo.com
    791 mpr5.ngd.vip.ac4.yahoo.com
     32 mpr8.ngd.vip.ac4.yahoo.com
    661 pixel.quantserve.com
      3 pz-in-f139.1e100.net
     20 tlvmedia.com
     13 vip1.G-anycast1.cachefly.net
    179 www.globeandmail.com
     24 yyz06s05-in-f100.1e100.net
     28 yyz06s05-in-f104.1e100.net
    351 yyz06s05-in-f148.1e100.net
    397 yyz06s05-in-f154.1e100.net
     39 yyz06s05-in-f164.1e100.net

There are so many different sites that I suspect that the traffic is
due to several tabs that I have open.

I sure wish that I could easily ascribe traffic to a tab.  Is there
any tool to do that?

I guess I can capture the packets and see what they are actually
saying.

Think of the wasted bandwidth!  I say "wasted" because it isn't doing
anything I want done (I wasn't actually using the browser).  I guess,
in some sense, I've been infected: sites I visit are using my
resources without my intent or knowledge.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
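
The per-host tally described in the message above (packets to and back
from each site), as an added example that is not part of the original
post: it reads tcpdump -nn text output on stdin and counts packets sent
to and received from each remote address. The local address
192.168.1.10, the function names and the sample capture lines are
constructed for illustration.

```shell
# Tally packets per remote host from `tcpdump -nn` text output (IPv4 only).
# Usage: tcpdump -nn -i eth0 ... | tally_hosts LOCAL_IP
# Output: "total to from host", busiest host first.
tally_hosts() {
    local_ip="$1"    # assumption: the capturing machine's own address
    awk -v me="$local_ip" '
        # Expected line shape: TIME IP SRC.PORT > DST.PORT: ...
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)           # drop the colon after the destination
            sub(/\.[0-9]+$/, "", src)    # drop the port suffix
            sub(/\.[0-9]+$/, "", dst)
            if (src == me)      { to[dst]++;   seen[dst] = 1 }
            else if (dst == me) { from[src]++; seen[src] = 1 }
        }
        END {
            for (h in seen)
                printf "%d %d %d %s\n", to[h] + from[h], to[h], from[h], h
        }
    ' | sort -k1,1nr -k4,4
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
10:43:01.000001 IP 192.168.1.10.40000 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0
10:43:01.000002 IP 198.51.100.7.80 > 192.168.1.10.40000: Flags [S.], seq 9, ack 2, win 5792, length 0
10:43:01.000003 IP 192.168.1.10.40000 > 198.51.100.7.80: Flags [.], ack 10, win 5840, length 0
10:43:01.000004 IP 192.168.1.10.40001 > 203.0.113.9.80: Flags [S], seq 5, win 5840, length 0
10:43:01.000005 IP 203.0.113.9.80 > 192.168.1.10.40001: Flags [S.], seq 7, ack 6, win 5792, length 0
10:43:01.000006 IP 192.168.1.10.40000 > 198.51.100.7.80: Flags [P.], seq 2:102, ack 10, win 5840, length 100
10:43:01.000007 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
EOF
}

sample_capture | tally_hosts 192.168.1.10
```

Hosts that stay at the top of this list while no page is being
actively used are the ones worth checking against what the browser's
own network panel reports.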