What is this network traffic after logon?


Post by dan_6576435436 »

Linux Mint 19 (cinnamon)

On boot up I see connections to the following:
  1. golem.canonical.com and pugot.canonical.com
  2. all-systems.mcast.net and igmp.mcast.net
  3. 224.0.0.251 (multicast, is this local?)
  4. 151.101.18.217 (resolves as fastly.com) - TCP and TLSv2, seems to start with Mint Update Manager
  5. 80.3.197.104.bc.googleusercontent.com - TCP and HTTP, occurring a few minutes after logon (probably not exclusively then)
  6. 171.143.198.104.bc.googleusercontent.com
I guess 1. 2. and 3. are to do with system updates, and should be of no concern to me, but what are 4. and particularly 5. and 6. doing?

I'm coming at this from a privacy angle, but also with a wish to minimise traffic as I will be on a low data allowance connection at times.

Some programs accessing the network interface, not sure which connections these correspond with at the moment:
  • flatpak
  • usr/bin/python3
  • usr/sbin/NetworkManager
Part 2.

Additionally with System Monitor, vnstat etc, I see a sort of pulse every second of 50 bits or so. I have since realised (via Wireshark) that this is Spanning Tree Protocol (and presumably just local traffic between my laptop and router) which will not presumably impact on my ISP allowance, but is there any way I can exclude this data from the vnstat feed I use in Conky on my desktop, so that I see the true data use which matches what my ISP will be charging me for?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
gm10

Re: What is this network traffic after logon?

Post by gm10 »

dan_6576435436 wrote: Tue Oct 30, 2018 10:25 am
  1. golem.canonical.com and pugot.canonical.com
  2. all-systems.mcast.net and igmp.mcast.net
  3. 224.0.0.251 (multicast, is this local?)
  4. 151.101.18.217 (resolves as fastly.com) - TCP and TLSv2, seems to start with Mint Update Manager
  5. 80.3.197.104.bc.googleusercontent.com - TCP and HTTP, occurring a few minutes after logon (probably not exclusively then)
  6. 171.143.198.104.bc.googleusercontent.com
I guess 1. 2. and 3. are to do with system updates, and should be of no concern to me, but what are 4. and particularly 5. and 6. doing?

I'm coming at this from a privacy angle, but also with a wish to minimise traffic as I will be on a low data allowance connection at times.
1. is ntp.ubuntu.com to update system time - this can be disabled or redirected to another address
2.+3. is avahi daemon trying to set up mDNS - this can be disabled on most systems, but more for system resources that daemon uses, it generates no relevant network traffic
4. I don't know this one, if it's related to Update Manager then maybe it's the mirror you selected, but you should see more connections than just this one when Update Manager refreshes
5. is connectivity-check.ubuntu.com which the system pings every 5 minutes to check if you've got an Internet connection - this can be disabled.
6. I don't recognize this one

edit: seems I had skipped #2, fixed
Last edited by gm10 on Tue Oct 30, 2018 11:07 am, edited 1 time in total.
DAMIEN1307

Re: What is this network traffic after logon?

Post by DAMIEN1307 »

#3- usually has to do with either avahi-daemon or cups
#5-just a guess, I know it's in Virginia, are you using 8.8.8.8 as a DNS? If so that is Google using its own googleusercontent.com
#6-is this,

Code:

171.143.198.104
IP Address Lookup
IP Address	171.143.198.104
Hostname	n/a
IP Address Location
Country	United States (US)
ISP	Bank of America
ASN	
Connection Type	Corporate
Latitude/Longitude	37.7510, -97.8220
gm10

Re: What is this network traffic after logon?

Post by gm10 »

DAMIEN1307 wrote: Tue Oct 30, 2018 10:54 am #6-is this,

Code:

171.143.198.104
Is it though?

Code:

$ host 171.143.198.104.bc.googleusercontent.com
171.143.198.104.bc.googleusercontent.com has address 104.198.143.171
hostname != IP address ;)
DAMIEN1307

Re: What is this network traffic after logon?

Post by DAMIEN1307 »

Code:

NetRange:       171.128.0.0 - 171.206.255.255
CIDR:           171.206.0.0/16, 171.192.0.0/13, 171.204.0.0/15, 171.128.0.0/10, 171.200.0.0/14
NetName:        BAC-171-128-0-0-1
NetHandle:      NET-171-128-0-0-1
Parent:         APNIC-ERX-171 (NET-171-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Bank of America (BANKOF-2-Z)
RegDate:        1995-02-01
Updated:        2012-04-02
Ref:            https://rdap.arin.net/registry/ip/171.128.0.0


OrgName:        Bank of America
OrgId:          BANKOF-2-Z
Address:        2000 Clayton Road
Address:        M/S CA4-704-04-21
City:           Concord
StateProv:      CA
PostalCode:     94520
Country:        US
RegDate:        2010-09-07
Updated:        2016-01-13
Comment:        For abuse issues contact abuse@bankofamerica.com
Ref:            https://rdap.arin.net/registry/entity/BANKOF-2-Z


OrgAbuseHandle: ABUSE608-ARIN
OrgAbuseName:   ABUSE
OrgAbusePhone:  +1-704-386-5000
OrgAbuseEmail:  ABUSE@bankofamerica.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE608-ARIN

OrgTechHandle: LAU-ARIN
OrgTechName:   Uribarri, Luis Alfonso
OrgTechPhone:  +1-646-593-2809
OrgTechEmail:  luis.a.uribarri@bankofamerica.com
OrgTechRef:    https://rdap.arin.net/registry/entity/LAU-ARIN

OrgTechHandle: SPD3-ARIN
OrgTechName:   Dornan, Sean Patrick
OrgTechPhone:  +1-586-273-1444
OrgTechEmail:  sean.dornan@bankofamerica.com
OrgTechRef:    https://rdap.arin.net/registry/entity/SPD3-ARIN

OrgTechHandle: ZB29-ARIN
OrgTechName:   HOSTMASTER
OrgTechPhone:  +1-800-207-2322
OrgTechEmail:  joseph.lias_jr@bankofamerica.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ZB29-ARIN
gm10

Re: What is this network traffic after logon?

Post by gm10 »

Yes, but he isn't connecting to those IPs. You are confusing the hostname with an IP.
DAMIEN1307

Re: What is this network traffic after logon?

Post by DAMIEN1307 »

Google is storing images in a domain called googleusercontent.com. This domain is used for a variety of purposes, including cached copies of websites visited by the Google search engine, but the general purpose of this domain appears to be to store static content: i.e. content that is not expected to change... This is what I was trying to get at here, so I was assuming that the OP had viewed or done business with BofA.
gm10

Re: What is this network traffic after logon?

Post by gm10 »

DAMIEN1307 wrote: Tue Oct 30, 2018 11:27 am Google is storing images in a domain called googleusercontent.com. This domain is used for a variety of purposes, including cached copies of websites visited by the Google search engine, but the general purpose of this domain appears to be to store static content: i.e. content that is not expected to change... This is what I was trying to get at here, so I was assuming that the OP had viewed or done business with BofA.
That's all good and well, but BofA and their IP are nevertheless entirely unrelated to that hostname OP talked about. Please really do look at what I posted:

Code:

171.143.198.104.bc.googleusercontent.com has address 104.198.143.171
Compare hostname and IP and hopefully you'll understand.
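
The hostname/IP mix-up discussed above, as an added example (not code from any poster in this thread): the leading labels of a bc.googleusercontent.com name are the address octets in reverse order, so they must not be pasted into an IP lookup as written. The sketch assumes the pattern the thread shows for one name also holds for the other; the function names are made up for illustration, and a real `host` lookup remains authoritative.

```python
import ipaddress
import re

# Pattern shown in the thread: d.c.b.a.bc.googleusercontent.com has address a.b.c.d
# (assumed here to hold for every name of this form; confirm with `host`).
BC_NAME = re.compile(r"^((?:\d{1,3}\.){4})bc\.googleusercontent\.com\.?$", re.I)
# 224.0.0.0/24 is the Local Network Control Block (RFC 5771); routers do not forward it.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")

def decode_bc_hostname(name):
    """Return the IPv4 address encoded in a *.bc.googleusercontent.com name, else None."""
    m = BC_NAME.match(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None

def triage(entry):
    """Classify one observed destination; returns (kind, address or None)."""
    ip = decode_bc_hostname(entry)
    if ip is not None:
        return ("reverse-octet hostname", ip)
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        return ("hostname, needs a DNS lookup", None)
    if ip in LOCAL_CONTROL:
        return ("link-local multicast, stays on the LAN", ip)
    return ("multicast" if ip.is_multicast else "unicast", ip)

# Destinations copied from the first post of the thread.
OBSERVED = [
    "golem.canonical.com",
    "224.0.0.251",
    "151.101.18.217",
    "80.3.197.104.bc.googleusercontent.com",
    "171.143.198.104.bc.googleusercontent.com",
]

if __name__ == "__main__":
    for entry in OBSERVED:
        kind, ip = triage(entry)
        print(f"{entry:45} {kind:40} {ip or '-'}")
```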