Friday, March 05, 2010

Little Snitch exposes network killing MobileMe behavior

My mothers modem lights were flickering madly -- but I couldn't see why. All was quiet.

It wasn't just the lights -- the network performance sucked. Sometimes things would rush down, but at other times they'd just hang. Crazy.

Naturally I blamed Videotron. Nice people, but last time we had a problem they had to replace her router twice. As usual I got an agreeable support person. Everything tested out for him, but I couldn't run the Videotron speed test - it took ages to load. He wanted to test further, but I thanked him and told him I'd check things out internally.

You see, I'd lied to him about not having a router installed. Yeah, that's bad. I felt guilty because once he'd confirmed their network was ok I had a hunch where the problem was.

I turned my suspicions to the other machines on the WLAN, including my MacBook. Sure enough, when I shut the MacBook the modem lights slowed down and the Videotron speed test showed 1mbps downlink and 128K uplink - just what Mom pays for.

So what the heck was the MacBook doing? It's not an XP machine, so I wasn't worried about malware. I don't like installing low level apps that require uninstallers, but I needed to know what was going on. So I installed the $30 Little Snitch 2 utility in demo mode
...Little Snitch has a free, built-in demo mode that provides the same protection and functionality as the full version. The demo runs for three hours, and it can be restarted as often as you like...
It's geeky, but, in short, LittleSnitch worked. The culprit? MobileMe iDisk file sync. If you have a local cached version of your iDisk share OS X Sync is very demanding about synchronizing with the remote MobileMe iDisk. I wouldn't notice this at home, but at my mother's OS X Sync was saturating the 128 kpbs uplink trying to sync a 28 MB file. The only clue to what's going on is a spinning icon seen if you view a Finder window sidebar. Turning off MobileMe sync doesn't stop this. You can only stop it by clicking on the spinning icon or by turning off local disk caching altogether.

So I was wrong, I did have malware. Apple malware.
My Google Reader Shared items (feed)

No comments: