Why does my pc make so many connections? (lemmy.ml)

submitted 4 days ago* (last edited 4 days ago) by Clark@lemmy.ml to c/privacy@lemmy.ml

29 comments fedilink hide all child comments

Hello all,

According to the Wireshark record my computer connects to various services often, including Amazon, Hetzner, 1337 Services GmbH, Evanzo GmbH and ThomasFamilyInvestments. The most often were the connections to mail.my-mail.rocks which is a part of Netcup GmbH. I have a somewhat minimal distro and the attached recordings were made when no app was open including no browser. I can send the other screenshots showing other connections too. I'm suspecting of malware since some time ago but can you help me clarify these connections please?

all 30 comments

sorted by: hot top controversial new old

[-] Zerush@lemmy.ml 15 points 3 days ago

Use Portmaster

[-] Harvey656@lemmy.world 2 points 2 days ago

This is the way

[-] Zerush@lemmy.ml 7 points 2 days ago* (last edited 2 days ago)

Portmaster is mandatory nowadays, like also InviZible Pro in Android

[-] Harvey656@lemmy.world 1 points 2 days ago

Oooooo I haven't seen that one before, thanks!

[-] MangoPenguin 32 points 4 days ago

Do you have any apps open in the foreground or background while doing the packet capture? Check with top or htop and make sure all your apps are truly closed.

Amazon, Hetzner, and the others are VPS providers among other services, so seeing connections to those by apps could be fairly normal as they often check for updates or download supporting items to make the app work.

[-] Clark@lemmy.ml 4 points 4 days ago

Thank you for the informations. There were nothing in the foreground but tor was apparently running in the background. But I'm still not sure if these services were all due to Tor. I need to run another record I guess

[-] rumba@lemmy.zip 3 points 2 days ago* (last edited 2 days ago)

Yeah, * Tor. Its primary job is to make and destroy tons of connections to keep you private.

Edit: Still getting used to FUTO keyboard. It doesn't need me to say comma

[-] MangoPenguin 14 points 3 days ago

Tor creates a ton of connections to all kinds of places, so that might have been the source.

[-] eldavi@lemmy.ml 8 points 4 days ago

it sounds like you'll need a better handle on what's running on your computer.

if this matters to you enough: you can start with pruning the systemd services that are running to remove the ones you don't want so that you can know for certain what is supposed to be running and then run another capture to see where it's calling out to.

[-] iglou@programming.dev 6 points 3 days ago

Per its nature, tor is definitely going to create a lot of noise in your capture. Shut it down and try again, see if you still have so many connections.

It is highly unlikely that you have malware that you can't see, so if you still see them after shutting down tor, use tools that tell you which app has established connections.

[-] infjarchninja@lemmy.ml 19 points 3 days ago

I find wireshark too confusing unless you have a lot of experience with it.

It looks like you are using linux because I see Wlan0 at the top of the image

I use ss

ss --help

to see what you are connecting to

ss -x -a

ss -o state established

ss -o state established '( dport = :http or sport = :http )'

what processes are using open sockets

ss -pl

TCP sockets

ss -t -a

UDP sockets

ss -t -a

a deeper guide here:

https://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html

[-] int32@lemmy.dbzer0.com 3 points 2 days ago

SS is a weird name but ok.

[-] Revan343@lemmy.ca 3 points 2 days ago* (last edited 2 days ago)

Socket shark, maybe? The repeating 2 digit namespace is valuable enough that there was no way ss was going unused, nazi-association be damned

[-] ki9@lemmy.gf4.pw 4 points 3 days ago

-u for udp in the last one.

[-] anon5621@lemmy.ml 17 points 4 days ago

Just open sudo ss -tulpn u will see all programs with opened port and u will killing disabling until u will find source of network noise

[-] nitrolife@rekabu.ru 8 points 4 days ago

But without "l". This connections created as client I think:

ss -tupn

[-] Clark@lemmy.ml 1 points 4 days ago* (last edited 4 days ago)

i only have these over long term but brave was closed when recording:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp ESTAB 0 0 192.168.1.100%wlan0:68 192.168.1.1:67 users:(("NetworkManager",pid=1065,fd=27))
tcp ESTAB 0 0 192.168.1.100:57728 185.246.86.175:9001 users:(("tor",pid=1143,fd=16))
tcp ESTAB 0 0 192.168.1.100:60406 54.36.178.108:443 users:(("brave",pid=5153,fd=27))
tcp ESTAB 0 0 192.168.1.100:40606 89.58.56.112:587 users:(("tor",pid=1143,fd=12))

[-] nitrolife@rekabu.ru 10 points 4 days ago* (last edited 4 days ago)

If you are receiving data from tor, then you are most likely seeing these connections. They also change over time, so tor relay nodes change and can be located anywhere.

In addition, in the example you have port 9001, which means that relaying is most likely enabled in your client and you are a relay for other participants. Check the settings of the tor (relay/bridge).

[-] Clark@lemmy.ml 2 points 4 days ago* (last edited 4 days ago)

Thanks for the informations. This clarifies a lot.

[-] melroy@kbin.melroy.org 1 points 3 days ago

Also it seems that your browser is still active on your computer called brave?

[-] Clark@lemmy.ml 1 points 3 days ago

No, it wasn't at the time of recording. It was a confirmation later on that tor and network manager were the only apps using the ports with brave opened.

[-] habitualTartare@lemmy.world 15 points 4 days ago* (last edited 4 days ago)

That mail/[.]my-mail/[.]rocks maps to the tor network.

https://metrics.torproject.org/rs.html#details/E3F16EEB32F9C0B28325891F7BAACA8EC212343D

[-] Clark@lemmy.ml 3 points 4 days ago

so am i running a relay in the background although tor browser is closed?

[-] habitualTartare@lemmy.world 7 points 4 days ago

If it's like a vpn interface, it's still running as a deamon in the background even if the browsers are closed.

Like others have said you can check what application is using each open port. You can also check running processes (ps | grep keywords) and interfaces (ip a).

[-] Fijxu@programming.dev 8 points 4 days ago

Use bandwhich to see which programs are using traffic ;)

[-] Clark@lemmy.ml 2 points 3 days ago

I will try it, thank you :)

[-] krolden@lemmy.ml 2 points 4 days ago

Because you're on the internet

[-] Clark@lemmy.ml 3 points 4 days ago* (last edited 4 days ago)

Does also your computer connect to Amazon, Hetzner, 1337 Services GmbH, Evanzo GmbH and ThomasFamilyInvestments without a reason?

[-] krolden@lemmy.ml 1 points 4 days ago

Everything has a reason

this post was submitted on 03 Sep 2025

70 points (100.0% liked)

Privacy

41525 readers

341 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS