For the last 2 months, Xfinity has claimed that we have exceeded our allotted amount of data, but I disagree with that.



On 21/11/2021 at 08:50, jnelsoninjax said:

2601:341:c200:c51:211:32ff:fe95:dd7e

You sure that is not yours.. IPv6 can change all the time, and you can have multiple ones.. I would look on your device(s) say with ipconfig /all

 

That is a comcast/xfinity address for sure..  Since they own

CIDR: 2601::/20

NetName: COMCAST6NET

OriginAS: AS7922

Organization: Comcast Cable Communications, LLC (CCCS)

 

And are you not in the FL area?

CIDR: 2601:340::/26

NetName: JACKSONVILLE-RPD-V6-2

 

Still a lot of data even if local, moved in what sure looks like a really short amount of time.. Couple of hours.. If I am reading that graph correctly.  More like 1 hour or so if reading the scale correctly from 3am to 7am..

 

Can you ping that IP.. And see what sort of response time..  If like 1ms or so it's local, if more than that it is maybe over wireless or it's remote..  Traceroute to it would also be a great check to see if local to your network or not.

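Added example, not part of the original posts: a Python check of the address from the thread against the two CIDR blocks quoted above, plus a decode of its interface identifier. The address carries the `ff:fe` marker of a SLAAC (modified EUI-64) address, so the MAC of the device that owns it can be recovered and compared with the Physical Address lines of `ipconfig /all` on each machine. The function names are this example's own.

```python
import ipaddress

# Prefixes quoted in the post above (from the whois output it cites).
ISP_PREFIXES = {
    "COMCAST6NET": ipaddress.ip_network("2601::/20"),
    "JACKSONVILLE-RPD-V6-2": ipaddress.ip_network("2601:340::/26"),
}


def matching_netnames(addr):
    """Return the NetNames whose CIDR contains addr, widest prefix first."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, name) for name, net in ISP_PREFIXES.items() if ip in net]
    return [name for _, name in sorted(hits)]


def eui64_to_mac(addr):
    """Recover the MAC embedded in a SLAAC (modified EUI-64) address.

    Returns None for temporary/privacy or manually assigned addresses,
    which carry no ff:fe marker in the interface identifier.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip, then drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def lan_prefix(addr, length=64):
    """The /64 the address sits in; hosts on one LAN segment share it."""
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def same_lan(addr_a, addr_b):
    """True when both addresses fall in the same /64."""
    return lan_prefix(addr_a) == lan_prefix(addr_b)


if __name__ == "__main__":
    suspect = "2601:341:c200:c51:211:32ff:fe95:dd7e"  # address from the thread
    print("ISP blocks :", matching_netnames(suspect))
    print("LAN /64    :", lan_prefix(suspect))
    print("Device MAC :", eui64_to_mac(suspect))
```

Comparing `lan_prefix()` of this address with the /64 of an address your own PC reports shows whether the peer is on your LAN or merely somewhere else in the ISP's block.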

On 21/11/2021 at 10:08, BudMan said:

You sure that is not yours.. IPv6 can change all the time, and you can have multiple ones.. I would look on your device(s) say with ipconfig /all

 

That is a comcast/xfinity address for sure..  Since they own

CIDR: 2601::/20

NetName: COMCAST6NET

OriginAS: AS7922

Organization: Comcast Cable Communications, LLC (CCCS)

 

And are you not in the FL area?

CIDR: 2601:340::/26

NetName: JACKSONVILLE-RPD-V6-2

 

Still a lot of data even if local, moved in what sure looks like a really short amount of time.. Couple of hours.. If I am reading that graph correctly.  More like 1 hour or so if reading the scale correctly from 3am to 7am..

 

Can you ping that IP.. And see what sort of response time..  If like 1ms or so it's local, if more than that it is maybe over wireless or it's remote..  Traceroute to it would also be a great check to see if local to your network or not.

<1 ms response via ping, so it must be ours, but when I checked before, it did not show as our IP address. No idea why there would be data moving between those specific times; BackBlaze starts at 0100 and only has ~1000 files or so to back up. The only other thing that it might be is my crypto mining software, but Glasswire shows it not using very much data (>500 MBS)


What are the exact details of that process - NT Kern something..

 

But yeah IPv6 can change all the time - especially the temp ones.. Clients with IPv6 almost always going to have multiple IPv6 addresses..

 

45GB sure seems like a lot in like 1 hour?  That seems like a lot, wonder if just local traffic your machine creating to itself?

 

You really need something to see what is going out your wan and from what IPs - this way you're sure to be able to track down what device(s) are generating the wan traffic.  While you could get lucky and it could be one of your machines that you're running glasswire on - it also could be something else on your network that is pushing you so high..

 

While it is a good idea to be able to validate your ISP numbers, it really should be rare that they would F it up really bad.. Not completely unheard of - have seen reports of users' ISP mixing up customers' account metering with other customers, etc..  But normally it is based on MAC address so doesn't really matter if you're using IPv4 or IPv6 and or if your IPv6 addresses are changing all the time, etc.

 

Do you have or could you get a smart switch where you could connect your modem to your router via the switch - so you could at least get interface counters for a day or two..   Does their panel for your usage allow you to break it down per day.. That way you could compare the numbers they are showing for days you have numbers for your switch..

 

If you could run 3rd party firmware on your router, you should be able to get numbers for wan traffic right off your router.

 

edit:  Even those numbers for months you only did 800GB sure seem high to me, especially for a house that isn't streaming services like netflix or hulu, youtube TV, etc.  I mean 800GB for some youtube videos seems insane to me..  So I can for sure understand your concern..


On 21/11/2021 at 18:39, DKAngel said:

sure its not windows update ?

Checked that already, it is set to local network only


On 21/11/2021 at 14:38, jnelsoninjax said:

broadcasting outside of the local network?

sniff would be how I would do it - again 3rd party firmware on your router..  But you need the equipment/software to be able to measure and see the traffic

 

What are the details of that nt kern - what is the exe that is running, what are the details it shows when you click into - so we can figure out what is causing 45GB of traffic in a day in 1 hour.  Did it happen on day 2, or is that today?  And tmrw we can see if generated again large amount of traffic.


On 21/11/2021 at 19:05, BudMan said:

sniff would be how I would do it - again 3rd party firmware on your router..  But you need the equipment/software to be able to measure and see the traffic

 

What are the details of that nt kern - what is the exe that is running, what are the details it shows when you click into - so we can figure out what is causing 45GB of traffic in a day in 1 hour.  Did it happen on day 2, or is that today?  And tmrw we can see if generated again large amount of traffic.

ntoskrnl.exe; all the host traffic shows local (192) addresses and the IPv6 address, which has the most data. Can you recommend a smart switch that I could use to monitor the traffic?

Edit: I just checked and NTKernl only shows up on the 20th and today, and today's usage is showing 206.3 GB


On 21/11/2021 at 18:11, jnelsoninjax said:

206.3 GB

So IPv5 talking to IPv6? That makes zero sense..

On 21/11/2021 at 18:22, DKAngel said:

family rocked up over 950Gig last month

Yeah and they actually streaming content?  Movies, TVshows, Music etc.. From what he is saying they do not do that - and only watch some you tube videos..  Which seems a bit insane for 800 some GB..


On 21/11/2021 at 21:00, BudMan said:

So IPv5 talking to IPv6? That makes zero sense..

Yeah and they actually streaming content?  Movies, TVshows, Music etc.. From what he is saying they do not do that - and only watch some you tube videos..  Which seems a bit insane for 800 some GB..

If you are interested, I can let you remote in and you can see it yourself, I can not screen shot it as it does not stay up when focus is lost. Here is a screenshot from Networx:
[image: Networx.PNG]


On 21/11/2021 at 19:33, jnelsoninjax said:

If you are interested, I can let you remote in and you can see it yourself, I can not screen shot it as it does not stay up when focus is lost. Here is a screenshot from Networx:
[image: Networx.PNG]

Try ctrl-shift-s or prt screen to screenshot those windows that like to disappear. 


Ok I installed glasswire to try and get some info about the nt kern you were seeing - how many hosts was it talking to exactly?  Now glasswire has only been running for a few minutes.  But I had no issues grabbing screenshots of it

 

[image: ntkern.jpg]

 

And it shows only talking to my nas IP currently; 192.168.9.10 is my nas. I will keep an eye on it and let it run for a day or so..

 

If you want suggestion for screen capture software - huge fan for years of this.  https://www.faststone.org/FSCaptureDetail.htm

 

I use it daily, and not sure what I would do without it - it's one of my most used apps that is for sure.. I post on quite a bit of forums and the ability to grab and work with screenshots easily is one of my must have abilities..

 

edit:  hmmm now it shows talking to 9.98 which is one of my switches.. But I don't have its gui open or anything - not sure why it would show such traffic

 

[image: 9_98.jpg]

 

Ah that is inbound from the switch - prob some sort of broadcast or discovery.. I do run LLDP I believe, I would have to sniff and see what traffic that is exactly..   But yeah the details of that process that is showing that 40 some GB of traffic in an hour - and from what or to where would be most informative..

 

edit2:

Ok figured out what that traffic was from my switch.. Just some multicast noise..

[image: ok.jpg]

 

 

 


So that is inbound traffic to the box from that 2601:341 address, 315GB - that is a LOT!!

 

I only see this for my nt kern.. Glasswire been running near 24 hours now..

 

[image: mine.jpg]

 

Is this box target for your local backups?  That is a lot of data to move - even locally. Is it video from your cameras?  I would think if your cameras it would be multiple IPs sending the data.  is that multiple days of transfer..

 

As to smart switch that would give you details of how much data has moved, or allow you to span a port and sniff.. This one is 30$

https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-05V2/dp/B08MV9315K

 

It gives info on port TX and RX, and also allows for port spanning - also comes with free license for their D-View software, which should be able to give you insight into what is going on in your network, and if your AP for your wifi is downstream of it details of your wifi traffic.. Up to 25 devices, etc.


On 23/11/2021 at 07:14, BudMan said:

So that is inbound traffic to the box from that 2601:341 address, 315GB - that is a LOT!!

 

I only see this for my nt kern.. Glasswire been running near 24 hours now..

 

[image: mine.jpg]

 

Is this box target for your local backups?  That is a lot of data to move - even locally. Is it video from your cameras?  I would think if your cameras it would be multiple IPs sending the data.  is that multiple days of transfer..

 

As to smart switch that would give you details of how much data has moved, or allow you to span a port and sniff.. This one is 30$

https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-05V2/dp/B08MV9315K

 

It gives info on port TX and RX, and also allows for port spanning - also comes with free license for their D-View software, which should be able to give you insight into what is going on in your network, and if your AP for your wifi is downstream of it details of your wifi traffic.. Up to 25 devices, etc.

Thanks @BudMan. I have been asking the same question on Glasswire's forums and, so far, all I have been told is to check if the data usage showing is all traffic or just external. It turns out that it defaults to all traffic, and once I change it to outgoing, the numbers are much lower, and all of the NT Kernel usage is outbound again with all the data going to the IPv6 address:

[image: 2021-11-23_094444.png]

[image: 2021-11-23_094821.png]


I think you need a router running OpenWRT and the free YAMon bandwidth monitor.. it will tell you which computer is eating all your bandwidth. In her case there is some stuff hiding behind an edge router, which you wouldn't have so in your case every device would be visible.

I recommend buying a cheap used Linksys AC1900 v1 on eBay. Then put the custom firmware on it. It's a great router. Got one for my gf's house and parents. ... I was using one too for the last 5 years up until last month when I put together a pfSense computer

Honestly YAMon is what I miss from my old router as nothing I can find on pfSense gives you that much detail .. ntopng comes close and does give a lot of info, but nothing as simple and as day by day as YAMon. bandwidthd is ok but doesn't let you rename the IPs.

 

[image]


On 23/11/2021 at 09:52, warwagon said:

I think you need a router running OpenWRT and the free YAMon bandwidth monitor.. it will tell you which computer is eating all your bandwidth. In her case there is some stuff hiding behind an edge router, which you wouldn't have so in your case every device would be visible.

 

[image]

What routers support OpenWRT?


ok some microsoft-ds is just port 445 file sharing traffic.  What is odd from my install of glasswire is not showing that traffic.. I have moved gigs and gigs of traffic from my pc to my nas in the last 24 hours.. I would guess maybe its not seeing traffic on my 192.168.10/24 network - this is 2nd nic only connected to my nas.. But glasswire is showing some traffic from this network..  I can not find any settings in the thing to determine which interfaces it listens on, maybe it doesn't listen on multiple interfaces.

 

But I see its own IP 192.168.10.9 as inbound traffic for that nt kern,  Strange..

 

Going to move some smb data to my nas via its 192.168.9 address..

 

Ok there you go - saw that

 

[image: smb.jpg]

 

So it seems this glasswire not all that good at tracking traffic if you might happen to have more than 1 interface on your machine..


On 23/11/2021 at 09:20, zim2323 said:

Why not disable IPv6 in your local settings and force whatever is doing that to try and talk via IPv4?

I would agree - use of IPv6 unless you have some specific need at this point in time is just complexity for no real reason.  And unless you're up to speed on its differences and its management - it really does nothing for you.

 

I only run it on my network in a very limited fashion.. I really have zero use for it.. But I run it on a couple of things because I can as the only reason..

 

Now at some point in the future, sure IPv6 will be the mainstream and IPv4 will go away - but that is years and years down the road..


On 23/11/2021 at 10:25, BudMan said:

I would agree - use of IPv6 unless you have some specific need at this point in time is just complexity for no real reason.  And unless you're up to speed on its differences and its management - it really does nothing for you.

 

I only run it on my network in a very limited fashion.. I really have zero use for it.. But I run it on a couple of things because I can as the only reason..

 

Now at some point in the future, sure IPv6 will be the mainstream and IPv4 will go away - but that is years and years down the road..

I've never found IPv6 to be very friendly with name resolution in general.  My other thought to this was that if that device stops working, may just need reboot to force IPv4, but should force it to IPv4 either way and hopefully get better name resolution and an idea of what is talking to that System Service.  I have some devices on my network, were it not for me setting ESET's firewall to full manual control, would never know that it was trying to communicate with my PC via discovery.  Some devices (pre IOT era) that I have just show up as a generic device name on my router.

 

Important thing, I think, for the purpose of this issue is to completely separate local traffic from Internet, and the suggestion to get a device to monitor bandwidth on the Internet facing device WAN port is key.  And, if memory serves me correctly, if he figures out what is eating up bandwidth from his kernel and he blocks/kills it on his PC it's possible that a network/IoT aware device will/may find another device to piggy back off of and continue to use that bandwidth.

 

Windows update ADVANCED SETTINGS...   check that Delivery Optimization isn't using your PC as a staging point for local/remote devices for Windows Updates.  I think this was mentioned earlier.  I can't remember if SCCM Branch Cache from the Enterprise world is being re-used in Windows 10/11 Windows Updates, and I can't remember whether it uses System/NT Kernel for that work or not.

 

Thoughts?

 

[image]


On 23/11/2021 at 10:55, zim2323 said:

I've never found IPv6 to be very friendly with name resolution in general.  My other thought to this was that if that device stops working, may just need reboot to force IPv4, but should force it to IPv4 either way and hopefully get better name resolution and an idea of what is talking to that System Service.  I have some devices on my network, were it not for me setting ESET's firewall to full manual control, would never know that it was trying to communicate with my PC via discovery.  Some devices (pre IOT era) that I have just show up as a generic device name on my router.

 

Important thing, I think, for the purpose of this issue is to completely separate local traffic from Internet, and the suggestion to get a device to monitor bandwidth on the Internet facing device WAN port is key.  And, if memory serves me correctly, if he figures out what is eating up bandwidth from his kernel and he blocks/kills it on his PC it's possible that a network/IoT aware device will/may find another device to piggy back off of and continue to use that bandwidth.

 

Windows update ADVANCED SETTINGS...   check that Delivery Optimization isn't using your PC as a staging point for local/remote devices for Windows Updates.  I think this was mentioned earlier.  I can't remember if SCCM Branch Cache from the Enterprise world is being re-used in Windows 10/11 Windows Updates, and I can't remember whether it uses System/NT Kernel for that work or not.

 

Thoughts?

 

[image]

I have previously stated that I checked that setting and it is set for local network only. As far as disabling IPv6, how do I go about doing that?


On 23/11/2021 at 09:55, zim2323 said:

I've never found IPv6 to be very friendly with name resolution in general

That is just tiny tip of the iceberg to be honest..  Unless you are into IT, lab setup, like to keep up with all things in IT, etc. At this point in time I see zero use for IPv6 in a home network.. Now if you're behind a CGNAT and only way to allow inbound traffic to something you want to serve to the public internet, etc. Ok sure - it can be very very useful that way.. And don't get me wrong it is for sure the future.. And it would be in everyone's best interest to speed that up, etc.

Problem is, there is a pretty drastic learning curve going to IPv6 from a management, security point of view.. Name resolution part of that, firewalls another part..  As example IPv6 clients love to use temp IPv6 so they can create outbound connections using all kinds of different addresses.  So at your edge firewall trying to limit say some IPv6 enabled iot device from phoning home can be challenging from multiple points of view.  Depending on your skill set and the hardware you're working with.  Not only can their tmp addresses change - their actual IPv6 prefix can change sometimes when the wind blows at your isp, etc.

A few users turning it off is in no way going to slow down the transition to it.   So if you're not up to speed in its use, and are wanting to actually manage your network, etc. Then yeah prob best to just turn it off completely.  Now then again typical home user that just plugs ###### in and wants to surf the web - they prob have no idea what an IPv4 is anyway - so if their stuff is working, no reason to turn it off, etc.  If they are just flat network discovery for their file sharing prob not going to have issues etc.   But in a scenario like this, without full understanding of what IPv6 address is what - and trying to track down bandwidth hog, etc.  Turning IPv6 just off would be good course of action.
