Tracking Down Bandwidth Hogs: Netflow Home Edition

Recently Comcast announced they were going to be doing some testing of data caps in certain markets, including mine.  I'm a cord-cutter and I've been very happy with Comcast's speed and reliability, but when you view a lot of streaming video (Netflix, Hulu, Amazon Prime, iTunes) and do a lot of cloud backups of your data, 300GB suddenly doesn't seem like so much.

Fortunately, Comcast has graciously decided to give its customers a grace period before they actually start charging for overages, so I’ve been trying to manage my data use a little more proactively.  Looking at previous months, I saw that I was typically using 500-600GB of data.  After cutting my streaming usage way back, it seemed that I was still using a tremendous amount of data and exceeding my cap well before the end of the month, and I couldn’t really figure out why.

It so happens that the company I work for makes a great enterprise product for finding just these sorts of things, using NetFlow.  Unfortunately, we don't (currently) produce a home edition, so I decided to try the next best thing.

The first step was to configure my router, which is running DD-WRT firmware, to export "RFlow".  As best I can tell, RFlow is an implementation of some version of NetFlow.  Presumably NetFlow is trademarked, so they have to call it something else.  Add to the mix nprobe and ntopng, and I was able to find that one host was using a very large percentage of the total bandwidth.



So the host, which is my MacBook Pro, had used over 1GB of bandwidth during the reporting period, but what really surprised me was that it wasn't predominantly downloading data, but sending data.  This set off all kinds of alarm bells and gave me a mild panic.  I'm thinking virus, botnet, who knows what evil malware I may have gotten, despite considering myself fairly savvy.
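The two findings above (one host dominating total bandwidth, and that host sending far more than it receives) are exactly what a flow collector such as ntopng surfaces. As an added illustration, not code from the post or from any of the tools it names, here is a small Python aggregator over constructed NetFlow-style records (source, destination, byte count); the LAN range, addresses and byte counts are all made up.

```python
"""Aggregate per-host WAN traffic from NetFlow-style flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: one record per flow (src address, dst address, bytes),
# the fields a NetFlow v5-style collector would hand you. Not data from the post.
SAMPLE_FLOWS = [
    ("192.168.1.20", "52.96.0.1", 420_000_000),   # assumed laptop -> cloud mail
    ("52.96.0.1", "192.168.1.20", 15_000_000),
    ("192.168.1.30", "23.246.0.1", 1_200_000),    # assumed streaming box -> CDN
    ("23.246.0.1", "192.168.1.30", 310_000_000),
    ("192.168.1.20", "192.168.1.30", 8_000_000),  # LAN-to-LAN, not WAN, ignored
]

def summarize(flows, lan="192.168.1.0/24"):
    """Return {host: {"sent": bytes, "received": bytes}} for LAN hosts only."""
    net = ip_network(lan)
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for src, dst, nbytes in flows:
        s_in, d_in = ip_address(src) in net, ip_address(dst) in net
        if s_in == d_in:          # both local or both remote: not WAN traffic
            continue
        if s_in:
            totals[src]["sent"] += nbytes
        else:
            totals[dst]["received"] += nbytes
    return dict(totals)

def top_talkers(flows, lan="192.168.1.0/24"):
    """LAN hosts ordered by total WAN bytes, highest first."""
    t = summarize(flows, lan)
    return sorted(t.items(), key=lambda kv: kv[1]["sent"] + kv[1]["received"], reverse=True)

def upload_heavy(flows, lan="192.168.1.0/24", ratio=2.0, min_bytes=100_000_000):
    """Hosts that send at least `ratio` times what they receive, above a byte floor.
    A streaming client looks download-heavy; a host that is mostly uploading is
    the one worth a closer look with a per-process tool."""
    flagged = []
    for host, t in summarize(flows, lan).items():
        if t["sent"] >= min_bytes and t["sent"] >= ratio * max(t["received"], 1):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    for host, t in top_talkers(SAMPLE_FLOWS):
        print(f"{host:15} sent={t['sent']:>12,} received={t['received']:>12,}")
    print("upload-heavy:", upload_heavy(SAMPLE_FLOWS))
```

The direction split is the important part: a plain byte total ranks the streaming box and the laptop close together, while the sent/received ratio singles out the laptop the way the post describes.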

Unfortunately, I couldn't tell much more about the traffic other than that it was SSL.  But now that I had it narrowed down to a host, I remembered a handy utility I'd discovered a while back called Little Snitch.  It's basically a firewall which allows you to selectively allow and deny connections from your Mac.  Being required to whitelist each application that requests access to the network gets pretty tiresome after a while, so I had stopped using it.  But it turns out the latest version has a "passive" mode, where it will monitor what's going on but won't actively block anything.  I let it run for a while and was able to collect some interesting data.


Outlook?  What the hell are you doing?  After about an hour it had sent nearly half a gigabyte of data.  I'll grant you that my emails may be overly wordy at times, but I hadn't actually sent any.

It turns out Outlook has a rather nasty little bug having to do with folder syncing that makes it use a metric crap-ton of bandwidth.  There doesn't seem to be a fix that I could find, so for now I'm just shutting down Outlook when I'm not actively using it.

And thus ends my bandwidth hog detective story.
