Hi Kim,
The topic where we left off can be found here:
https://community.myhughesnet.com/hughesnet/topics/i-have-a-few-requests-for-hughesnet
I'll repost my last reply for you:
Hi Kim,
I hope all is going well this morning ?
In your last post you posed several questions. Let me try to answer them:
" I already tried contacting HN the day it happened?"
You would have been asked to run a modem isolation test to determine if the Hughes modem was using data on its own.
That having been done along with Amanda's suggestion to post here in the Community suggests that Hughes has determined that the usage is by SOMETHING on your network and for a multitude of reasons can not dig deeper into your "network".
The "normal" process at this point would be to alert you to get "professional services"
Hughes has done referrals to HTS (Home Technical Services), a third party paid service that for a fee or an annual subscription will remote into your system. Personally, No Thanks
Second option ..... That place that shall remain unnamed but is known to employ Geeks. No No No Thanks.
Third option: Take everything in your network to a known well respected local computer shop. Always an option of course but those types of places also vary in their skill levels and have zero understanding of just how important every tiny setting is while running on a high latency data capped service.
That leaves a fourth option and that is working with those members of the Community.
"My immediate question is... When this huge data amount occurs again, what do I do?"
Hopefully when that occurs we will have things in place to answer: Who, What, When and Where .. and then take steps to control or eliminate the culprit(s) as the situation calls for.
" I need to troubleshoot what to do when it happens again"
We need to start off with some Divide & Conquer
We need to understand a couple of changes in the landscape regarding operating systems
We need to understand some Network basics so as to reduce our "usage exposure"
We need to keep an open mind and consider all devices and all software as "guilty until proven innocent".
Questions:
Of the computer: What are the Operating Systems ?
Of the computer: What Anti-Virus programs do you have installed ?
Of the computer: What Anti-Malware software do you have installed ?
Of the computer: What browser do you normally use ?
Your Router: Can you post the Brand, Model and Version so that I may download the manual for it ?
Your Plan: Can you confirm that you have the 50/50 Ultra plan ?
Your usage consists of two parts, Download and Upload. Can you post a screenshot of your usage history so that I can compare ratios of upload to download ? (and yes, that is a loaded question.)
This is pointing the cart before the horse but at the center of every Network is .... a Router. There can't be a Network without one.
Are you able to, have you given any consideration to, buying a Router that will track usage by device ID ?
The laptop that you referred to, is that the HP PC you listed or is that in addition to that machine ?
Can you/have you installed Glasswire on all computers ?
Do you feel comfortable in setting and using GlassWire ? If not or if you need some tips see all of my responses to Yorkytown in this topic:
https://community.myhughesnet.com/hughesnet/topics/data-drain-cannot-find-the-cause
I mentioned at the beginning we need to institute Divide & Conquer and that means that at the start we need to remove your router from the equation for a short period of time.
I know that that is a painful disruption and I want you to understand why this is needed.
It won't last long but it is essential.
A router really complicates finding data leaks because it opens up soooo many potential connection avenues.
Let's look at a block diagram of a router to help visualize these avenues:
The first area has to do with the "internals" of the Router itself:
Its firmware
Its "access" security settings
Its enabled "features"
The point is the Router itself can use data ... without you being aware.
The second area is related to the Router's wired LAN ports and multiplied by the number of wired devices connected.
The third area is the Router's wireless connection channels and settings.
In the whole, having a Router connected at the start really complicates things to no end.
Therefore it is essential that it be disconnected at the beginning of our troubleshooting. It will be reintroduced soon and its functions re-enabled in stages as we go through each of its functional areas.
Our first step is to directly connect a single computer that has GlassWire installed and see what programs and processes are connecting and using data.
In response to your questions posed in this topic:
"So, when I went to bed at 11:15pm, the Anytime Data was 9.8GB, and Bonus Bytes 3.5GB"
"This morning the Anytime Data is 11.9 GB and the Bonus Bytes was 3.6 GB."
I'm confused:
End: 11:15 PM: Anytime 9.8 GB: Bonus 3.5 GB
Start: this AM: Anytime 11.9 GB: Bonus 3.6 GB
-------------------- -------------------
UP 2.1 GB UP 0.1 GB
I fail to see an issue if you had MORE data in the morning at startup than when you shut down the previous night.
Also please post a screenshot of the "meter" that you are using as there are THREE USAGE METERS and THREE HISTORY PAGES. Each of them has differing "resolutions" and a history of course is just that, a history and is not intended nor can be a "real time" display.
Also you had reported some weather related connectivity issues. The modem is going to report to the Gateway its "usage", the Gateway will update the "meters" in this order:
1st: Dashboard meter: (the most accurate)
#2: That will in turn update the Modem's SCC usage display (192.168.0.1)
#3: The Modem will then update the Download Status Meter display:
Are you sure that whatever devices are connected to the service aren't using the cloud? I don't know what you have, but Apple devices are known to connect to the iCloud service, sometimes using quite a bit of data. And you don't have a satellite TV receiver connected to Hughesnet, right?
And, although Glasswire will only measure the data on the computer it's installed on, it's still helpful. Are you averse to using Glasswire, and if so, why?
Well, as long as you have something to measure them, that's good. I remember on another thread where someone's iCloud backups were chewing through a ton of data, and a lot more than 400MB.
Well, "a lot" is relative. I don't have any Apple devices, nor any devices to speak of, save my computers. I don't know what constitutes a lot when it comes to cloud services, as I don't use them, so I don't know if 400MB is a lot or not, for that particular thing, that is. 2.1GB is certainly a lot.
I hope that you are eventually able to use some type of software on every individual device you have. It would be interesting to find out what's using it, and more importantly, why. I guess the only thing that could easily narrow it down is one of those more expensive routers with the Merlin software, but that's spending a lot of money on something that really shouldn't be needed.
Hi Rich,
"I don't know where the gateway server for HN on the west coast is, if there is one,"
For Echostar17 there are about 17 Gateways in total plus 2 NOC's
For a greater understanding of beam/gateway architecture and finding the location of the one that handles your traffic see the beginning and very end of my topic here:
https://community.myhughesnet.com/hughesnet/topics/beams-gateways-and-loading-overloading
"but is it possible a maintenance window is involved?"
It's not impossible; it is, however, unlikely.
Engineering will at times run some remote speed tests on a user's system that has an elevated complaint. That will use some data however they compensate the user by adding in Tokens.
The time frame you mentioned is also a favorite of many wireless devices (tablets, iphone, ipad ...) to awake from hibernation (as compared to a true "power off" state) and check for updates and there have been some .. and will be more according to the latest US CERT.gov report:
https://www.us-cert.gov/ncas/bulletins/SB16-242
In fact there is even a Dlink 822 family firmware vulnerability listed that may lead to either "issues" or Dlink routers "calling home" and getting firmware updates:
The fact is, there is always a bunch of background process activity going on that many users simply are unaware of.
By the way, you can subscribe to the uscert.gov security bulletins.
Kim,
In our original postings I would have posted this:
Divide and Conquer is the name of the game ... and it is essential.
A typical "home network" looks like this:
It is much too complicated to determine the "leak"
The Modem has access ... but we already performed an isolation test
The Router "guts" have access
Anything and everything with wireless range .. both authorized AND unauthorized devices COULD have access
Finally all wired computers have access.
During the troubleshooting phase the "network" MUST be reduced to the minimum number of variables.
It needs to have the router removed from the equation so as to look like this:
The number of variables has been brought down to a manageable level.
The main take-away of the above is to illustrate the absolute need to reduce the number of "data paths" to ONE.
I then go on to say:
"It now is time to download and install some software to track usage and identify what program and what process is or has been running and using data.
For this we need Glasswire:
https://www.glasswire.com/help/
An important point here .....
GlassWire will only monitor the single computer upon which it is installed.
Later as the router is reintroduced, GlassWire will have to be installed on every Windows computer that is connected to the router"
Later on in that post I addressed the problems associated with wireless devices:
"Now comes the sticky part, the re-introduction of the router's wireless function.
Its tough because I know of no software that will load on the variety of devices that CAN connect ... cell phone, tablet and so forth.
On laptop computers you can of course load GlassWire but that still leaves many potential avenues open.
The "Poor Mans" method requires great discipline. ALL devices other than a single one have to be and remain in a "hard off" state and that is not easy to do.
Run that single device over time and monitor usage carefully while still running Glasswire and the "difference" is ... the amount used by THAT device."
Honestly, the biggest problem faced is the reluctance of users to remove the router in the early phases of the investigation.
Not removing the router allows for a large number of "end around" connections that can use data.
The idea was to:
#1: Simplify the network by removing the router and connecting a single computer to the modem.
#2: Installing Glasswire on THAT computer to measure and record Who, What, When and Where data was being used on THAT machine .... and only THAT machine.
#3: When the first computer is "under control" we move on to the next computer repeating steps #1 & #2
#4: Finally when all wired computers are known to be running well ..... we need to make a guided assessment of your router's GUI settings BUT THE "RADIO" DISABLED.
Once the router main settings have been reviewed we can reconnect the router (sans "radio") and connect all the WIRED devices to the router and check operation of the network. It is important for a user to understand that there are portions of the router itself that connect to the Internet and can use data. This is in ADDITION to any connected devices.
I don't expect you to know this, I don't expect you to make those setting changes by yourself. That is why I asked you previously .... DO YOU KNOW HOW TO TAKE A SCREENSHOT AND POST IT HERE IN THE COMMUNITY ...
As I said: a LINEAR, GUIDED effort to find the leak.
With 65,536 comm ports PER computer, PLUS router GUI settings PLUS innate router vulnerabilities PLUS wireless channel vulnerabilities PLUS wireless connected devices, both authorized and unauthorized, and their many varied apps and background processes it becomes Mission Impossible to find the cause without breaking the network down to the simplest most common connection ... a single computer directly connected, monitored and proven "clean and fit for duty".
I never misled you on the function and scope of Glasswire and what and how it monitored.
It appears that you just didn't read what I wrote, chose to "pick & choose" what steps you wished to follow in spite of my having said it was a progressive linear designed to be sure of a solid foundation before proceeding to the next step .... or you simply didn't understand something .... at which point you should have stopped, posted the question or asked for clarification.
True, hopefully it will not have data limits.
It is said that fully 25-30% of all computers are infected with virus/malware/adware infections ... despite running an A/V program.
That's a high percentage.
We never did get an output of what Glasswire found running on the PC's let alone Router GUI settings/security or wireless settings/encryption.
As you say, moot point for Kim at this point but there are many others that will read this thread and wonder at the "failure".
The root cause of the failure in this case was a reluctance to follow the steps outlined.