![]() Registered Member ![]()
|
Hi there,
Yesterday I noticed that my computer had processes that were communicating with multiple servers in Taiwan, Russia and the Netherlands under the root user and with no PID when being examined with nethogs. Some of the nethogs output for the strange connections looked like this:

```
PID / USER / PROGRAM
? / root / 192.168.0.20:62406-31.135.240.103:17167
? / root / 192.168.0.20:62406-95.211.148.218:50064
? / root / 192.168.0.20:52313-140.123.91.103:47678
```

Not being able to find the cause of this with my limited knowledge, I decided I would do a wipe of absolutely everything and have a fresh install of Neon.

Today however, with my fresh KDE Neon installation with updates, I installed nethogs and didn't notice any activity, so I started browsing the web with Firefox and installed the add-ons uBlock Origin and VimFX, and after a short while I noticed the strange connection was happening again. So I looked up the IP and it is owned by Google using port 443 (HTTPS). Data was being sent with or without Firefox being opened. The output of nethogs looked like this:

```
PID / USER / PROGRAM
? / root / 192.168.0.20:57312-216.58.199.46:443
? / root / 192.168.0.20:47766-216.58.203.97:443
```

The main questions I have are:

1. Is this normal behavior for KDE Neon?
2. Why are these connections happening?
3. Why does nethogs show these connections running as root with no PID?

I would love an answer on the forum here, but I would also appreciate it if anyone could point me in the right direction to find answers myself if an answer can't be given here. |
![]() Registered Member ![]()
|
I'm curious as to how you found out that you were communicating with multiple servers, and how did you find out the IP address?
Second question: if you install the Gufw firewall, do you still notice the communication? |
![]() Registered Member ![]()
|
I chose to try out 216.58.199.46 (assuming HTTPS judging by the port number). Chromium says the cert is a thing claiming to be *.google.com.
Probably not KDE Neon, but have you considered your browser/its addons doing something Google related? |
![]() Registered Member ![]()
|
I really doubt that this is Neon - I have it on 4 PCs and never saw any suspicious traffic.
Regarding 216.58.199.46:

```
$ host 216.58.199.46
46.199.58.216.in-addr.arpa domain name pointer syd09s12-in-f14.1e100.net.
46.199.58.216.in-addr.arpa domain name pointer syd09s12-in-f46.1e100.net.
```

and see https://superuser.com/questions/75841/w ... open-to-it

Regarding root owner and no PID: usually this means kernel networking without any associated process. For example, if you mount NFS, your host communicates with the NFS server using subroutines without any PID. This is normal.

I am not sure about the Taiwan and Russia IPs though. I know that Chrome puts some threads into separate namespaces, so maybe nethogs cannot detect this and as a result reports root and no PID.

Regards, Alex |
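How a /proc-based monitor can end up with a connection it cannot pin to a PID, shown as an added example that is not part of any post in this thread. It assumes the tool matches socket inodes from /proc/net/tcp against /proc/<pid>/fd; the sample rows (states, uids, inodes and the firefox owner) are constructed around the addresses quoted in the first post.

```python
import os, socket, struct

STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; states, uids and inodes are invented.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1400A8C0:DFE0 2EC73AD8:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 20 4 30 10 -1
   1: 1400A8C0:BA96 61CB3AD8:01BB 06 00000000:00000000 03:00000A3C 00000000     0        0 0 3 0000000000000000
"""

def decode(hexaddr):
    """'1400A8C0:DFE0' -> '192.168.0.20:57312' (IPv4 as printed on a little-endian host)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) from /proc/<pid>/fd links; run as root to see every process."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited, or not permitted to read its fds
    return owners

def attribute(table_text, owners):
    """Return (local, remote, state, uid, owner); owner is None when no process can be named."""
    rows = []
    for line in table_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        inode = int(f[9])
        # inode 0: the kernel holds the socket itself (TIME_WAIT is listed with uid 0, inode 0).
        # A non-zero inode missing from owners could not be matched (e.g. fds unreadable without root).
        owner = owners.get(inode) if inode else None
        rows.append((decode(f[1]), decode(f[2]), STATES.get(f[3], f[3]), int(f[7]), owner))
    return rows

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE
    owners = socket_owners() if live else {48211: (2314, "firefox")}  # constructed owner
    for row in attribute(text, owners):
        print(row)
```

Rows whose owner comes back as `None` are the ones a monitor has to display without a PID; the state column shows whether that is a closed connection lingering in TIME_WAIT or a live socket that deserves a closer look.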
![]() Registered Member ![]()
|
Also, note that 1e100.net is Google.
|
![]() Registered Member ![]()
|
Thanks to everyone for their replies. I really appreciate it. I have come to the conclusion that the "mysterious" traffic going to Google after the KDE Neon reinstall was indeed being caused by Firefox. It turns out it is normal for Firefox to send quite a lot of information to Google services. I have since stopped using Firefox and use IceCat (the GNU version of Firefox) and there is no more of this traffic.
As to the communication with the servers in Russia, the Netherlands and Taiwan, I still don't know what the cause of that was, but it's not happening anymore. |
![]() Registered Member ![]()
|
How did you get IceCat? |
![]() Registered Member ![]()
|
Probably at the website? https://www.gnu.org/software/gnuzilla/ |
![]() Registered Member ![]()
|
Well, my question actually was: did you get a DEB package? If so, where did you get it? As far as I know Gnuzilla doesn't provide distro-specific packages. Or am I wrong? |
![]() Registered Member ![]()
|
Disable Safe Browsing in Firefox, remove Google search.
|
![]() Registered Member ![]()
|
As long as Neon doesn't communicate with the Borg or Cortana, everything is just fine.
Proud to be powered by Plasma
|
![]() Registered Member ![]()
|
What is the difference between Firefox and IceCat, in a setting just off the options that I mentioned? As I recall, Debian began to exceed the Firefox.
IceCat comes pre-loaded with blocker, https and has a smaller range of add-ons.
@Raddison what is the point of your writing? Neon is not Windows. |
![]() Registered Member ![]()
|
There's no point in it, just purpose: to make people smile. Humour is beneficial to one's health. There's no telling whether it was funny or not. Seemed funny to me though.
|