I looked into packet capture logs and was suspicious of BitTorrent Sync activities, but it was very difficult to distinguish it from other processes, as it uses TCP and UDP packets on different ports. BTSync was clearly calling home, but what, and how often?
Tying a packet capture to a process proves not to be trivial in Linux, but there is a workaround which I found not to be well documented: uid + ulog.
We will launch the application as a specific user (btsync in this case), and then use iptables' ULOG target and --uid-owner option to track its network activity.
and enable the pcap style logging so that we can read the full contents of the packets. Change the line
This will multicast ("copy") the packets generated by the btsync owner ("packet creator") to userspace ("out of kernel") so that we can capture them via the ulogd daemon. Caveat: we can only set this filter for outgoing packets. -I OUTPUT 1 inserts this rule as the first one in the OUTPUT chain. This change is only temporary: the filter will be removed once you restart.
All filtered packets will be saved in these two files:
daysleeper (at) centrum (dot) cz
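
To answer the opening question (what is contacted, and how often) from a capture written by ulogd's pcap output, the sketch below tallies packets per protocol, destination address and port. It is an added example, not code from the original post; it assumes a classic pcap file with the raw-IP link type (packets start at the IPv4 header), and the sample packets and addresses are constructed.

```python
import socket
import struct
from collections import Counter

LINKTYPE_RAW = 101  # assumption: packets begin at the IP header, no Ethernet frame
PROTO = {6: "tcp", 17: "udp"}

def summarize(pcap_bytes):
    """Count packets per (proto, dst_ip, dst_port) in a raw-IP pcap capture."""
    magic = pcap_bytes[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"  # byte order of the writer
    if struct.unpack(e + "I", pcap_bytes[20:24])[0] != LINKTYPE_RAW:
        raise ValueError("unexpected link type, expected raw IP")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(e + "IIII", pcap_bytes[off:off + 16])[2]
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # truncated record or not IPv4
        ihl = (pkt[0] & 0x0F) * 4
        proto, dst = pkt[9], socket.inet_ntoa(pkt[16:20])
        frag = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        dport = None  # stays None for non-TCP/UDP, later fragments, short captures
        if proto in PROTO and frag == 0 and len(pkt) >= ihl + 4:
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        counts[(PROTO.get(proto, str(proto)), dst, dport)] += 1
    return counts

def _ip(proto, dst, dport):
    # Constructed sample packet: 20-byte IPv4 header plus source/destination ports
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      socket.inet_aton("10.0.0.5"), socket.inet_aton(dst))
    return hdr + struct.pack("!HH", 40000, dport)

def sample_pcap():
    # Constructed capture: two UDP packets and one TCP packet (documentation IPs)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    pkts = [_ip(17, "192.0.2.10", 3000)] * 2 + [_ip(6, "198.51.100.7", 443)]
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1000 + i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    for (proto, dst, dport), n in summarize(sample_pcap()).most_common():
        print(f"{n:5d}  {proto:4s} {dst}:{dport}")
```

For a real capture, pass the file's bytes to summarize() instead of sample_pcap().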