Here are some screen caps from Activity Monitor and Little Snitch while downloading songs that I purchased on iTunes from the cloud.
This one shows kernel task running at root priv that has sent more than twice the data that it received. (I blacked out the username.)
Here it is a little later.
And here is what I see after two albums are downloaded:
And the Little Snitch capture file just shows this:
Id = 26332 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6962959766388 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599210064, Win=65535)
Id = 26333 Source = 23.66.230.73 Destination = 0.0.15.153 Captured Length = 1502 Packet Length = 1502 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6977059841156 Information = HTTP -> 10066 ([ACK], Seq=599210064, Ack=1189641772, Win=65535)
Id = 26334 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6977059841156 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599211512, Win=65535)
Id = 26335 Source = 23.66.230.73 Destination = 0.0.15.153 Captured Length = 1502 Packet Length = 1502 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6989898681641 Information = HTTP -> 10066 ([ACK], Seq=599211512, Ack=1189641772, Win=65535)
Id = 26336 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6989898681641 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599212960, Win=65535)
This goes on forever. (Well, not forever: about 20 megabytes.)
Those are weird IP addresses. One is Akamai; OK, that's probably the CDN that Apple uses. But I don't understand the other one, 0.0.15.153.
Can anyone shed light on this behavior? Maybe Little Snitch is only showing the user packets and not what that kernel task is doing, because there should be a lot more outgoing packets to make up for the excessive bytes (more than double) compared to what I receive. And the Little Snitch graph is mostly green (outgoing) and not showing what's incoming like Activity Monitor does. Is there a way to capture packets from a kernel task running as root?
Thanks.
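One way to compare the capture file against the per-process counters is to total packets and bytes per direction from the records themselves. This is an added example, not part of the original post; it assumes every record follows the layout of the five lines quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field names as they appear in the quoted records (assumed to be the full set).
KEYS = ["Id", "Source", "Destination", "Captured Length", "Packet Length",
        "Protocol", "Date Received", "Time Delta", "Information"]
FIELD_RE = re.compile(r"(%s) = " % "|".join(KEYS))

# The five records quoted in the post, unchanged.
SAMPLE = """\
Id = 26332 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6962959766388 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599210064, Win=65535)
Id = 26333 Source = 23.66.230.73 Destination = 0.0.15.153 Captured Length = 1502 Packet Length = 1502 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6977059841156 Information = HTTP -> 10066 ([ACK], Seq=599210064, Ack=1189641772, Win=65535)
Id = 26334 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6977059841156 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599211512, Win=65535)
Id = 26335 Source = 23.66.230.73 Destination = 0.0.15.153 Captured Length = 1502 Packet Length = 1502 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6989898681641 Information = HTTP -> 10066 ([ACK], Seq=599211512, Ack=1189641772, Win=65535)
Id = 26336 Source = 0.0.15.153 Destination = 23.66.230.73 Captured Length = 54 Packet Length = 54 Protocol = TCP Date Received = 2015-03-18 15:07:40 +0000 Time Delta = 186.6989898681641 Information = 10066 -> HTTP ([ACK], Seq=1189641772, Ack=599212960, Win=65535)
"""

def parse_record(line):
    """Split one 'Key = value Key = value ...' record into a dict."""
    parts = FIELD_RE.split(line.strip())[1:]  # key, value, key, value, ...
    rec = {k: v.strip() for k, v in zip(parts[::2], parts[1::2])}
    m = re.search(r"Seq=(\d+), Ack=(\d+)", rec.get("Information", ""))
    rec["seq"], rec["ack"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return rec

def tally(text):
    """Packets and on-the-wire bytes for each (source, destination) pair."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        t = totals[(rec["Source"], rec["Destination"])]
        t["packets"] += 1
        t["bytes"] += int(rec["Packet Length"])
    return dict(totals)

def acked_bytes(text, src):
    """Payload bytes acknowledged by src over the capture (ignores 32-bit wraparound)."""
    acks = [r["ack"] for r in map(parse_record, filter(str.strip, text.splitlines()))
            if r["Source"] == src and r["ack"] is not None]
    return max(acks) - min(acks) if acks else 0

if __name__ == "__main__":
    for (src, dst), t in tally(SAMPLE).items():
        print(f"{src} -> {dst}: {t['packets']} packets, {t['bytes']} bytes")
    print("payload acknowledged by 0.0.15.153:", acked_bytes(SAMPLE, "0.0.15.153"))
```

In the five quoted records the Seq and Ack values advance by 1448 per 1502-byte packet, so each 54-byte packet in the other direction is a bare ACK with no payload.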