Spyware?

hyphenjones

I was round at a friend's today and she has been having major issues with the speed of her broadband; it's meant to be 8meg but Internet Frog assesses it as around about 1meg.

We contacted the provider who said that there was no problem with their end and that the only thing that would cause this is spyware.

I was told to run netstat (utilities>terminal then type netstat) to see how many tcp items there are, roughly seven came up and I was told that these represented spyware and that removing the spyware would free up the speed.

Here's where I'm befuddled: I ran the same test on my own Mac at home and a similar amount of tcp items came up, although not in the same status. I have had some slowing of my browsing but nothing major.

I didn't think there was any spyware that affected Macs so I'm a wee bit worried to find that there might be spyware on my system and would love to know if this is a pile of cack or a real concern.

If it helps my friend is on a 14" iBook G4, I'm a PowerBook G5.
 
Doubtful you have Spyware.

Post what Netstat gives you.

And, how is the machine connected to the modem? Directly, Router?
 
Netstat gives me

Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 23 10.0.1.2.52798 loginnet.passpor.https LAST_ACK
tcp4 0 0 localhost.netinfo-loca localhost.988 ESTABLISHED
tcp4 0 0 localhost.988 localhost.netinfo-loca ESTABLISHED
udp4 0 0 *.* *.*
udp4 0 0 *.svrloc *.*
udp4 0 0 *.mdns *.*
udp4 0 0 *.* *.*
udp4 0 0 localhost.49166 localhost.1023
udp4 0 0 *.* *.*
udp4 0 0 localhost.49155 localhost.1022
udp4 0 0 localhost.49154 localhost.1022
udp4 0 0 localhost.1022 *.*
udp4 0 0 localhost.1023 *.*
udp4 0 0 169.254.36.172.ntp *.*
udp4 0 0 localhost.ntp *.*
udp4 0 0 *.ntp *.*
udp4 0 0 *.ipp *.*
udp4 0 0 *.bootpc *.*
udp4 0 0 localhost.netinfo-loca *.*
udp4 0 0 *.syslog *.*
udp6 0 0 *.514 *.*
icm6 0 0 *.* *.*
icm6 0 0 *.* *.*
Active LOCAL (UNIX) domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
16e4620 stream 0 0 0 16e4968 0 0
16e4968 stream 0 0 0 16e4620 0 0
16e4818 stream 0 0 0 16e4460 0 0
16e4460 stream 0 0 0 16e4818 0 0
16e4540 stream 0 0 1ac8428 0 0 0 /var/run/slp_ipc
16e43f0 stream 0 0 1b18270 0 0 0 /tmp/icssuis501
16e47e0 stream 0 0 0 16e4888 0 0 /var/run/pppconfd
16e4888 stream 0 0 0 16e47e0 0 0
16e4850 stream 0 0 0 16e4b98 0 0 /var/run/pppconfd
16e4b98 stream 0 0 0 16e4850 0 0
16e48f8 stream 0 0 0 16e4a10 0 0
16e4a10 stream 0 0 0 16e48f8 0 0
16e4af0 stream 0 0 0 16e4a80 0 0
16e4a80 stream 0 0 0 16e4af0 0 0
16e4b28 stream 0 0 0 16e4b60 0 0
16e4b60 stream 0 0 0 16e4b28 0 0
16e49d8 stream 0 0 0 16e4930 0 0
16e4930 stream 0 0 0 16e49d8 0 0
16e4ce8 stream 0 0 196b7c8 0 0 0 /var/run/mDNSResponder
16e4dc8 stream 0 0 196dd30 0 0 0 /var/run/pppconfd
16e45e8 dgram 0 0 0 16e4fc0 0 16e47a8
16e47a8 dgram 0 0 0 16e4fc0 0 16e4ab8
16e4700 dgram 0 0 0 16e4738 16e4738 0
16e4738 dgram 0 0 0 16e4700 16e4700 0
16e4ab8 dgram 0 0 0 16e4fc0 0 16e4a48
16e4a48 dgram 0 0 0 16e4fc0 0 16e4ea8
16e4ea8 dgram 0 0 0 16e4fc0 0 16e49a0
16e49a0 dgram 0 0 0 16e4fc0 0 16e4bd0
16e4bd0 dgram 0 0 0 16e4fc0 0 16e4e00
16e4e00 dgram 0 0 0 16e4fc0 0 16e4d90
16e4d90 dgram 0 0 0 16e4fc0 0 16e4ee0
16e4ee0 dgram 0 0 0 16e4fc0 0 16e4d20
16e4c40 dgram 0 0 0 16e4d58 16e4d58 0
16e4d58 dgram 0 0 0 16e4c40 16e4c40 0
16e4d20 dgram 0 0 0 16e4fc0 0 16e4c08
16e4c08 dgram 0 0 0 16e4fc0 0 16e4f88
16e4c78 dgram 0 0 0 16e4cb0 16e4cb0 0
16e4cb0 dgram 0 0 0 16e4c78 16e4c78 0
16e4f88 dgram 0 0 0 16e4fc0 0 16e4e38
16e4e38 dgram 0 0 0 16e4fc0 0 16e4e70
16e4e70 dgram 0 0 0 16e4fc0 0 16e4f50
16e4f50 dgram 0 0 0 16e4fc0 0 0
16e4fc0 dgram 0 0 16fe268 0 16e45e8 0 /var/run/syslog


This has changed in the last half hour, there were 7/8 tcp items.

I'm connected using Airport Express, friend is on a different wifi system.
 
Nothing strange there.

Have your friend connect directly to the modem and see what happens.
 
Bob, can you explain what the 'STATE' info means? I have tcp addresses that say 'closing', 'fin_wait_1', 'last_ack', 'established'.
Is there anything to look for that would indicate problems?

I'm directly connected to a DSL modem.
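
An added example, not part of any post in this thread: a short Python parser for the BSD/macOS netstat format pasted above that counts TCP rows by state and lists only the connections that leave the machine, each with the standard meaning of its state. The SAMPLE text is constructed (three tcp4 rows copied from the post above, two invented rows on the documentation address 203.0.113.7), and the function names are this example's own.

```python
import collections

# Constructed sample: three tcp4 rows from the post above, two invented rows
# (203.0.113.7 is a documentation address) and one udp row to be ignored.
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 23 10.0.1.2.52798 loginnet.passpor.https LAST_ACK
tcp4 0 0 localhost.netinfo-loca localhost.988 ESTABLISHED
tcp4 0 0 localhost.988 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 10.0.1.2.52801 203.0.113.7.http FIN_WAIT_1
tcp4 0 0 10.0.1.2.52802 203.0.113.7.http CLOSING
udp4 0 0 *.mdns *.*
"""

STATE_MEANING = {
    "LISTEN": "waiting for incoming connections",
    "SYN_SENT": "connection request sent, no reply yet",
    "SYN_RCVD": "connection request received, handshake unfinished",
    "ESTABLISHED": "open, data can flow",
    "FIN_WAIT_1": "this side closed first, its FIN is not yet acknowledged",
    "FIN_WAIT_2": "our FIN was acknowledged, waiting for the peer's FIN",
    "CLOSE_WAIT": "peer closed, the local program has not closed yet",
    "CLOSING": "both sides closed at once, waiting for the final ACK",
    "LAST_ACK": "peer closed first, waiting for the ACK of our FIN",
    "TIME_WAIT": "closed, held briefly so late packets expire",
}

def parse_tcp(text):
    """Return (local, foreign, state) for each tcp row of netstat output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp"):
            rows.append((f[3], f[4], f[5]))
    return rows

def is_loopback(endpoint):
    host = endpoint.rsplit(".", 1)[0]  # BSD netstat writes host.port
    return host in ("localhost", "127.0.0.1", "::1")

def summarize(text):
    """Count rows per state and list the ones that leave this machine."""
    by_state, off_host = collections.Counter(), []
    for local, foreign, state in parse_tcp(text):
        by_state[state] += 1
        if not (is_loopback(local) and is_loopback(foreign)):
            off_host.append((foreign, state, STATE_MEANING.get(state, "unknown")))
    return by_state, off_host
```

The number of TCP rows only says how many sockets are open at that moment; on macOS, lsof -i tcp shows which program owns each one.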
 
I think the problem is with Internet Frog. Sites like that should come with a disclaimer: "Not representative of actual performance."

I just ran the test myself. It ranked my download speed as half what I typically get, and my upload speed at about a third of what I typically get (in real-world use).

It might be because it's based on Java. FWIW, I find http://www.bandwidthplace.com/speedtest/ to pretty accurately measure my average (not maximum) speed, which is around 250K/sec (1mbps). My max speed is over 500K/sec (4mbps), but there are only a few servers that can sustain that speed for me.

These tests are only as good as the servers they run on. Most servers can't send me data as fast as I can take it in. This depends a lot on geography, the server's load, and all sorts of things. The only place I consistently get >500K/sec (4mbps) from is Apple's site. You might want to try downloading a file from there (say, the 52MB 10.4.4 update) just as a test. But again, it probably depends on geography, so maybe that wouldn't be the best site for you.

In any case, I don't think you have anything to worry about as far as spyware goes.
 
Never hurts to have a 3rd opinion in the matter, give CNet's bandwidth test a run.

Also, if you have a cable modem, remember that you're sharing a bandwidth pipeline with your entire district. If there's a lot of other subscribers, your speeds will vary depending on the amount of people using the system.
 