Unknown traffic reported in Speed tab

[Sokak]

running uTorrent 1.8.3, found some strange network usage as reported in-program

there's an extra 5KB/s upload and download for 3 hours from noon to 3pm EDT on July 29th, approx 50MB transferred up and down

I don't have any data on it in a finer grain than 5 minute step so it may not have been a consistent transfer speed

throughout the time on the graph I was seeding 1 torrent; no downloads; the thin red line represents the set 20KB/s upload cap

the single seed is connected to about 50 peers at a time and is transferring to 3-4 of them

the internet connection is a 6m/512k dsl line, I get good speeds on it

Is this behavior related to protocol traffic or DHT? I've never seen regular overhead this high

[DreadWingKnight]

Do you have any RSS feeds?

[Sokak]

Nothing listed under RSS Downloader

[Switeck]

Very old clients (in particular Transmission v1.34 and earlier) requests ~100 16KB blocks of the torrent they're downloading at a time. These would create a lot more overhead than those that only request 1-4 at a time.

Older BitComet clients encrypted handshakes can be high bandwidth as well...but that wouldn't be continuous over a 3 hour period.

Logging uTorrent traffic in uTorrent's logger tab/window to a file might've offered more clues...but you'd probably need to log lots of activity types, making for a VERY huge log file.

[Sokak]

back with more info now

at 4am EDT the same pattern of traffic started again

the traffic is continuous all the way down to the 5 and 1 second resolutions of the Speed tab

I'm not sure of exactly what to look for in the logger, but there was 1 peer in particular that stood out

86.88.149.107 in the categories 'incoming connections', 'disconnects', and 'outgoing have messages', respectively

the above peer stands out for comprising a majority of all logged activity and also because of the rather unique client 'Enhanced CTorrent'

http://www.rahul.net/dholmes/ctorrent/

stopping all active torrents (in my case the single seed) stops the unknown traffic; the above peer will show up on the peer list for the active torrent for about 1 second every several seconds

however I don't really know what normal operation would look like in the logger so the above client is only an educated guess as to the culprit

[Switeck]

Was that 1 peer on MULTIPLE torrents at once?

You shouldn't get multiple handshakes without multiple disconnects otherwise!

My guess is 'Enhanced CTorrent' is a very "noisy" client. If you use ipfilter.dat to ban it temporarily, the extra speed used (as shown by the Speed tab) would probably decrease immensely. If that's not the case...that ip + client is probably not the cause of your problem.

[Sokak]

Was that 1 peer on MULTIPLE torrents at once?

You shouldn't get multiple handshakes without multiple disconnects otherwise!

There was only 1 torrent running and there was a 1:1 ratio of handshakes and disconnects as you would expect.

I'm now fairly confident that the suspicious peer was the culprit in this case

However, the behavior may have been at least partially caused by the fact that I was selectively downloading from the single active torrent; thus even though I was finished downloading from the torrent I was not a true seeder with a complete copy

If this same behavior occurs again I'll try filtering any suspicious IPs to confirm that they are the cause