OK, so I'm seeing some UDP traffic, but not nearly enough to account for video uploads:
03:23:29.885091 IP 192.168.13.102.51880 > 101.1.17.22.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 f67f c0a8 0d66 E..H..@.@......f
    0x0010: 6501 1116 caa8 caa8 0034 0a5c 0107 caa8 e........4.\....
    0x0020: c0a8 0d66 bd79 0a00 7271 c9ef 2f62 8027 ...f.y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:29.887982 IP 192.168.13.102.51880 > 218.30.35.92.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 6f1c c0a8 0d66 E..H..@.@.o....f
    0x0010: da1e 235c caa8 caa8 0034 82f8 0107 caa8 ..#\.....4......
    0x0020: c0a8 0d66 bd79 0a00 7271 c9ef 2f62 8027 ...f.y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:29.888179 IP 192.168.13.102.51880 > 220.231.142.137.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 0126 c0a8 0d66 E..H..@.@..&...f
    0x0010: dce7 8e89 caa8 caa8 0034 1502 0107 caa8 .........4......
    0x0020: c0a8 0d66 bd79 0a00 7271 c9ef 2f62 8027 ...f.y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:29.888361 IP 192.168.13.102.51880 > 146.0.227.241.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 f6a4 c0a8 0d66 E..H..@.@......f
    0x0010: 9200 e3f1 caa8 caa8 0034 0a81 0107 caa8 .........4......
    0x0020: c0a8 0d66 bd79 0a00 7271 c9ef 2f62 8027 ...f.y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:29.960728 IP 218.30.35.92.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 6dcd 4000 7711 ca4e da1e 235c E..Hm.@.w..N..#\
    0x0010: c0a8 0d66 caa8 caa8 0034 ebf9 0207 caa8 ...f.....4......
    0x0020: 0000 0000 bd79 0a00 7271 c9ef 2f62 8027 .....y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 0000 0000 0000 0000 ........
03:23:30.100237 IP 146.0.227.241.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 2f89 4000 7411 931b 9200 e3f1 E..H/.@.t.......
    0x0010: c0a8 0d66 caa8 caa8 0034 7382 0207 caa8 ...f.....4s.....
    0x0020: 0000 0000 bd79 0a00 7271 c9ef 2f62 8027 .....y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 0000 0000 0000 0000 ........
03:23:30.171686 IP 101.1.17.22.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 1396 4000 7511 ade9 6501 1116 E..H..@.u...e...
    0x0010: c0a8 0d66 caa8 caa8 0034 735d 0207 caa8 ...f.....4s]....
    0x0020: 0000 0000 bd79 0a00 7271 c9ef 2f62 8027 .....y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 0000 0000 0000 0000 ........
03:23:30.878257 IP 192.168.13.102.51880 > 101.1.17.22.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 f67f c0a8 0d66 E..H..@.@......f
    0x0010: 6501 1116 caa8 caa8 0034 a90a 0107 caa8 e........4......
    0x0020: c0a8 0d66 bd79 0a00 8966 00a1 e65c a176 ...f.y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:30.878457 IP 192.168.13.102.51880 > 218.30.35.92.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 6f1c c0a8 0d66 E..H..@.@.o....f
    0x0010: da1e 235c caa8 caa8 0034 21a7 0107 caa8 ..#\.....4!.....
    0x0020: c0a8 0d66 bd79 0a00 8966 00a1 e65c a176 ...f.y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:30.879865 IP 192.168.13.102.51880 > 220.231.142.137.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 0126 c0a8 0d66 E..H..@.@..&...f
    0x0010: dce7 8e89 caa8 caa8 0034 b3b0 0107 caa8 .........4......
    0x0020: c0a8 0d66 bd79 0a00 8966 00a1 e65c a176 ...f.y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:30.880060 IP 192.168.13.102.51880 > 146.0.227.241.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 f6a4 c0a8 0d66 E..H..@.@......f
    0x0010: 9200 e3f1 caa8 caa8 0034 a92f 0107 caa8 .........4./....
    0x0020: c0a8 0d66 bd79 0a00 8966 00a1 e65c a176 ...f.y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:30.952986 IP 218.30.35.92.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 7f74 4000 7711 b8a7 da1e 235c E..H.t@.w.....#\
    0x0010: c0a8 0d66 caa8 caa8 0034 8aa8 0207 caa8 ...f.....4......
    0x0020: 0000 0000 bd79 0a00 8966 00a1 e65c a176 .....y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 0000 0000 0000 0000 ........
03:23:31.095703 IP 146.0.227.241.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 4492 4000 7411 7e12 9200 e3f1 E..HD.@.t.~.....
    0x0010: c0a8 0d66 caa8 caa8 0034 1231 0207 caa8 ...f.....4.1....
    0x0020: 0000 0000 bd79 0a00 8966 00a1 e65c a176 .....y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 0000 0000 0000 0000 ........
03:23:31.156689 IP 101.1.17.22.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 1faf 4000 7511 a1d0 6501 1116 E..H..@.u...e...
    0x0010: c0a8 0d66 caa8 caa8 0034 120c 0207 caa8 ...f.....4......
    0x0020: 0000 0000 bd79 0a00 8966 00a1 e65c a176 .....y...f...\.v
    0x0030: a177 ade0 57a1 be04 0000 0000 0900 0000 .w..W...........
    0x0040: 0000 0000 0000 0000
The IP addresses are all registered to Chinese entities. Two were APNIC and one was RIPE.
jcomeau@aspire:~$ whois 218.30.35.92
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '218.30.32.0 - 218.30.55.255'

inetnum: 218.30.32.0 - 218.30.55.255
netname: CHINANET-US-POP
descr: Chinanet POP in American
descr: 201 S. Lake Ave. Suite 604, Pasadena, CA 91101
country: CN
admin-c: CH93-AP
tech-c: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20020221
status: ALLOCATED NON-PORTABLE
source: APNIC
So it looks like all I need to do is block outgoing port 51880 to stop it, unless it has a sneaky backup mechanism (such as disguising the uploads as DNS queries or something).
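To see what those 44-byte datagrams actually carry before writing the firewall rule, the capture can be dissected offline. This is an added example, not part of the original post: it parses `tcpdump -X` text and splits each payload into fields whose names (`type`, `port_field`, `addr_field`, `token`, `tail`) are labels inferred from this capture only, not from any known protocol specification.

```python
import re

# Two packets copied from the capture above: one outbound datagram and its reply.
CAPTURE = r"""
03:23:29.885091 IP 192.168.13.102.51880 > 101.1.17.22.51880: UDP, length 44
    0x0000: 4500 0048 0000 4000 4011 f67f c0a8 0d66 E..H..@.@......f
    0x0010: 6501 1116 caa8 caa8 0034 0a5c 0107 caa8 e........4.\....
    0x0020: c0a8 0d66 bd79 0a00 7271 c9ef 2f62 8027 ...f.y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 542f 85bf 9303 2f00 T/..../.
03:23:30.171686 IP 101.1.17.22.51880 > 192.168.13.102.51880: UDP, length 44
    0x0000: 4500 0048 1396 4000 7511 ade9 6501 1116 E..H..@.u...e...
    0x0010: c0a8 0d66 caa8 caa8 0034 735d 0207 caa8 ...f.....4s]....
    0x0020: 0000 0000 bd79 0a00 7271 c9ef 2f62 8027 .....y..rq../b.'
    0x0030: 6849 8cb1 769d be04 0000 0000 0900 0000 hI..v...........
    0x0040: 0000 0000 0000 0000 ........
"""

HDR = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")
HEX = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} ?){1,8})")  # max 8 groups per row

def parse(text):
    """Return one dict per packet: endpoints, ports and the UDP payload bytes."""
    pkts = []
    for line in text.splitlines():
        if m := HDR.match(line):
            pkts.append({"src": m[1], "sport": int(m[2]), "dst": m[3],
                         "dport": int(m[4]), "len": int(m[5]), "raw": b""})
        elif (m := HEX.match(line)) and pkts:
            pkts[-1]["raw"] += bytes.fromhex(m[1].replace(" ", ""))
    for p in pkts:
        ihl = (p["raw"][0] & 0x0F) * 4                      # IPv4 header length
        p["payload"] = p["raw"][ihl + 8: ihl + 8 + p["len"]]  # skip 8-byte UDP header
    return pkts

def describe(p):
    """Split a payload into fields; the layout is inferred from this capture only."""
    d = p["payload"]
    return {"type": d[0], "port_field": int.from_bytes(d[2:4], "big"),
            "addr_field": ".".join(map(str, d[4:8])),
            "token": d[8:36].hex(), "tail": d[36:44].hex()}

def echoes(request, reply):
    """True when the reply repeats bytes 8..35 of the request."""
    return reply["payload"][8:36] == request["payload"][8:36]

if __name__ == "__main__":
    req, rep = parse(CAPTURE)
    print(describe(req), describe(rep), echoes(req, rep), sep="\n")
```

The outbound datagram embeds the camera's LAN address and port 51880 in its payload, and the reply echoes the same 28 bytes with the address and trailing fields zeroed, which is consistent with a small registration or keep-alive exchange rather than bulk upload.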
last updated 2017-01-02 21:31:42. served from tektonic.jcomeau.com