Is it pretty safe to bet that if one user has @ 80+ connections, he's doing P2P or?
I've got one guy slowed down to 256k. But he just puts his pc on auto and does his thing.
Here's a pic of some of the ports/connections.

Look at the connection details. It's terminated on the router IP address (192.168.88.1) on port 64874. That's the HTTP servlet of the Hotspot, and only HTTP ports (tcp/80,3128,8080 by the default rules) are redirected to it.

That guy's trying to hit a bunch of web sites and keeps on being served a login page. Could be a worm infection randomly probing web servers for vulnerabilities, could be some app (a badly written Twitter watcher, for example), could be any number of things - but it isn't P2P.

silly, and redacted

EXACTLY. Cee U Next Tuesday! is what I'm going to tell him if he keeps it up.
Now he's got close to @ 800 connections going.. *&ck him.
I do have some bittorrent rules in place. The P2P/bittorrent queues are lighting up. So, he's definitely doing bittorrent.
I changed the login page, previous to rebooting the AP. New login page:
"Please note: P2P and Bittorrent users will be throttled back to 64-128k due to degradation of the network.
bla bla bla.
I'll think about refunding him if he gives me any grief.
Ok, I've redacted your redaction

Look at the connection details. It's terminated on the router IP address (192.168.88.1) on port 64874. That's the HTTP servlet of the Hotspot, and only HTTP ports (tcp/80,3128,8080 by the default rules) are redirected to it.

That guy's trying to hit a bunch of web sites and keeps on being served a login page. Could be a worm infection randomly probing web servers for vulnerabilities, could be some app (a badly written Twitter watcher, for example), could be any number of things - but it isn't P2P.

So, really?. I've got some bittorrent firewall rules in place. I'm trying to find the data to print in console.
Can't figure it out being somewhat of a noob.
But, here's a snip/pic of a very few of the connections

That new picture is p2p. The original one was HTTP being consumed by the Hotspot servlet.

That new picture is p2p. The original one was HTTP being consumed by the Hotspot servlet.

Here's another pic same guy-(first pic). I think I scared the other guy off.
So, What's this fewi?
Bad app? This is servlet port?
Ok this guy's been on my hotspot for @ 3 months now.
He's doing something screwy.
You suggesting, he's infected? or?
Yeah the previous guy is taken his P2P and run.

This might deserve a new thread, but maybe not.
Are these connections legit?
Thanks,

It's hard to say based on a bunch of context free screen shots. 64784 is a Hotspot servlet port that consumes HTTP. A slow web page with lots of resources could explain that, so would a malware infected host scanning web servers.

It's hard to say based on a bunch of context free screen shots. 64784 is a Hotspot servlet port that consumes HTTP. A slow web page with lots of resources could explain that, so would a malware infected host scanning web servers.

So,
I guess before I cut him off, I'll recommend he do some spyware scanning. I don't want him screwing up this upcoming onslaught of users (race event)
Thanks.

Cee U Next Tuesday!

Whay do you want to see him next Tuesday ?