
help me trace net activity 2


daveaaa

IS-IT--Management
Aug 23, 2003
3
US
I have a windows xp machine connected to the net via cable modem.

Recently I have noticed that the modem's traffic light is always on.

I am using Zone Alarm Pro as a firewall. Zone alarm shows no traffic.

I downloaded DU Meter and it shows 2-5kB download traffic 24x7.

I have engaged Zone Alarm's Stop feature which is supposed to stop all traffic. I have no programs that have been authorized to communicate once the lock is engaged. It isn't stopping it.

I am trying to figure out what it is on my machine that is downloading and occasionally uploading.

I have Norton Anti Virus and it is up to date. I have scanned my machine for virii and it shows as being clean.

The only way so far to stop this traffic is to unplug my machine from the hub.

Can anyone help me figure out what is causing this traffic? Is there an app I can download?

Thanks.
 
I've no idea what could be causing this traffic.

To have a look at the low-level, I would suggest you try Ethereal ( from ), which can capture every single packet of data sent/received on your local network (even packets between other machines on your network).
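As an added illustration (not code from the thread), here is a small script that does what the poster later did by eye in Ethereal: it totals captured bytes per remote host, separates inbound from outbound relative to the local machine, and estimates the average inbound rate. The capture lines are constructed samples in tcpdump-style text form, and the local address 192.168.1.10 is assumed.

```python
import re
from collections import defaultdict

LOCAL_IP = "192.168.1.10"  # assumed LAN address of the XP machine (constructed)

# Constructed sample lines in tcpdump's "src.port > dst.port ... length N" form.
SAMPLE_CAPTURE = """\
10:00:00.000 IP 10.20.30.1.161 > 192.168.1.10.161: UDP, length 1200
10:00:00.500 IP 10.20.30.1.161 > 192.168.1.10.161: UDP, length 1200
10:00:00.700 IP 192.168.1.10.1043 > 10.20.30.1.161: UDP, length 80
10:00:01.200 IP 203.0.113.7.4444 > 192.168.1.10.135: Flags [S], length 48
10:00:01.500 IP 10.20.30.1.161 > 192.168.1.10.161: UDP, length 1200
10:00:02.000 IP 10.20.30.1.161 > 192.168.1.10.161: UDP, length 1200
"""

LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): .*length (\d+)$"
)


def summarise(capture, local_ip):
    """Return per-remote byte counts, inbound share and average inbound rate."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    first = last = None
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet summary line
        h, mi, s, src, _sport, dst, _dport, length = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        first = t if first is None else first
        last = t
        if dst == local_ip:
            inbound[src] += int(length)
        elif src == local_ip:
            outbound[dst] += int(length)
    total_in, total_out = sum(inbound.values()), sum(outbound.values())
    span = (last - first) if first is not None else 0.0
    return {
        "inbound_bytes": dict(inbound),
        "outbound_bytes": dict(outbound),
        "inbound_share": total_in / (total_in + total_out) if total_in + total_out else 0.0,
        "top_inbound_host": max(inbound, key=inbound.get) if inbound else None,
        "inbound_rate_kbps": total_in / span / 1024 if span > 0 else 0.0,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_CAPTURE, LOCAL_IP))
```

The host that dominates the inbound total is the one to ask the ISP about; a single SYN from an unrelated address, as in the sample, is the background probing the later replies describe.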
 
Thanks for the program suggestion, it was indeed helpful. It appears the download traffic is from my ISP, although they didn't do this in the past.

Of course that raises some questions since they are transmitting something to me 24x7 at a rate of 2-5kB/sec that my software firewall cannot stop.

I will be giving them a call.
 
The 'stop' feature should work unless you have allowed pass through on certain apps.

It kinda shows you how incomplete a solution a software firewall can be. I used to get a minimum of 100 hits a day on ZA - many of them from my ISP (probably connection status pings). I put in a Linksys router almost a year ago and uninvited incoming traffic has pretty near ceased completely.

Since routers are so inexpensive these days, it might be time to consider one.
 
Good advice Vop, a buddy at work has a router he isn't using that he offered to give me, I should take him up on the offer.

I called the cable company (my ISP) last night and couldn't get anybody with an hour of waiting. The recording said they were having heavy call volume related to the worm going around.

Still, what is odd is that the modem light indicates traffic, DU Meter indicates 99.9% is incoming traffic, Ethereal clearly shows every last packet as being from the cable company, but ZA Pro just sits there showing nothing and the internet lock does nothing to stop this traffic. I double checked and have not cleared anything to pass the lock.

Yeah, a router is a good idea at this point.
 
You can't stop the traffic until it has traversed over the line to your machine...

Probes from worms/viruses/script-kiddies will probably always keep your line busy, unless your ISP blocks them at 'their end'.

 
Another thing to consider is that a hardware solution as a router will be much more effective than a software solution like ZA.
 
If you want to see the programs that are using ports then look at the Ethereal logs then run fport.exe. Fport.exe will look at your open ports and then map the program that is running on that port. Fport is free and takes only a second, run it from a command prompt.
Last night I lay in bed looking up at the stars in the sky and I thought to myself, where the hell is the ceiling?
 
A router is a great piece of kit to add in front of your modem to help prevent unwanted connections. That is, as long as you set the router up correctly.

Did you take your mate's router? If so, what is it and do you need any help to make sure that its config is correct?
 
daveaaa - You also might correspond with the GRC.com host Steve Gibson who is a very techie nerd and developed Spinrite years ago, kept it upgraded, etc. I am sure he will give you similar advice but will be interested in giving you more feedback.

Dave
 
stop and think about it.

a cable/dsl modem is an "always on" device. the traffic you are seeing is normal internet traffic from 1) your ISP monitoring the state of your connection, and 2) internet traffic looking for your connection or any other connection along its path from point A to point B. your connection is not a dedicated entity on the internet, it is basically an open connection on a busy information highway.

even when you turn off your modem's power this traffic is still present, you just don't see it.

the purpose of a firewall is to monitor that traffic and determine whether it "belongs" or is "allowed" to enter your connection. it resides in a place after the modem lights flicker not while they are flickering.

in the case with cable modems you have even more traffic "at the modem" because the cable company shares your connection with others on the same ISP connection hub at their company.

you are best to define your firewall settings as tightly as possible. then keep it and your OS, all programs, virus/malware/spyware software up to date. even then a new way to sneak into your connection will be found by somebody with too much time on their hands.
