You are here

Residual network traffic after closing torrent client

Submitted by Druss on Thu, 2007-12-20 22:50

Recently, when I was just about to shut down my Windows box, I noticed that my ethernet system tray icon was all lit up even though I had closed all applications. These kinds of things usually point at some kind of trojan in your system. So, I took some time to investigate it.

First of all, I opened up the command prompt (Start -> run -> cmd) and typed in netstat -a which lists all connections (Type netstat /? for other switches). I found a few firefox connections which timed out quickly. But, more importantly, I found a few tell-tale connections being made to the port used by my torrent client. Aha! I thought. However, after a minute's wait, even these connections timed out and died. Now all the connections listed in the netstat table were benign LAN nonsense (NetBIOS etc.)

Meanwhile, the ethernet icon was still blinking away merrily and I was really becoming curious. I checked all running tasks etc. to see if it was some kind of trojan (which would have usually become apparent via the netstat) and found nada. Hmm ...

Next, I downloaded and installed Wireshark neƩ Ethereal, an excellent (and free) network analyser. I set it up to capture all packets on my Ethernet interface to see just what the fuck was going on. Once I hit the capture button, the screen was filled with a list of ping packets to my Bit torrent port. Essentially, they were all pinging my client to check if it was available and Windows was replying with a "port not accessible" message. The torrent I was downloading prior to closing was on a public tracker and I also had DHT enabled in uTorrent and I guess there was no real way for the client to tell the DHT swarm that it was closing down. I'm also assuming that given enough time, these pings would also have timed out.

Anyway, problem solved!