Which service is causing excessive packet transmission on network?

JerryGuinn

Technical User
Oct 3, 2003
7
US
I have a laptop on our small 10Base-T network which is running XP Pro (everyone else is running W2K). 24/7, I see activity on our network hub AND cable modem at a rate of once per second from this PC. I've looked at the laptop's network connection properties and find that there are over *5 million* packets sent and received from this PC ... much more activity than any other machine I have. The user takes the laptop home with him every night, so he has additional network connections for his home broadband, Earthlink, and AOL accounts. This user is sort of a renegade and I don't know everything that he has installed; but I have blocked his AOL IM on my firewall and have had him remove Napster filesharing. I've looked at the Win Task Manager/Processes to try to determine what is going on, but haven't been able to locate it. We're running Norton Antivirus Corporate Ver. 8 with real-time detection and I don't see a problem related to that.

How can I determine what is causing this activity? My concern is that he has something on his PC that has created a back door to allow outside access into our network.
 
Well, if you are really using a hub, that makes it simple:
install a packet analyzer like Ethereal on a Win2K machine and sniff the network traffic generated by this guy's laptop by setting a filter on his IP or, even better, MAC address.
Using Ethereal you can look into the packets to see what they are carrying (e.g. what protocol or application is generating this traffic and what ports are used).
regards,
Robert
 
Two comments that might help:

1. A lot of the "traffic" statistics are crap. I had a Sony Vaio that was reporting bits until I upgraded the drivers for the LAN adapter. MS was just not clear enough in the driver specification about the metrics to be used.

2. If flipping between Home and Work, see my advice about cleaning the device, particularly Steps #2-#3 here: faq608-4650
 
If you have W2K Server then use Network Monitor. Check to see if there are a lot of broadcasts going on.
 
I have a similar problem with an XP Pro machine set up for VPN to the office network, that is continually exchanging packets with one of my Home Network computers which has our printers connected to it.

The traffic looks like this:

KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 146 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 179 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 146 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 179 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 180 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 180 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 91 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 91 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 103 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 103 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 172 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 172 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 354 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 354 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
(Captured with BWMeter - a shareware network monitor)

where KEVINSONY is the home Windows XP computer with the printers and D800-2YQ1831 is the XP Pro laptop.

The traffic is constant even when nothing else is going on, and consumes about 1 Mb/s of bandwidth.

The third computer on the home network does not generate any significant traffic when it is idle.

Does anyone have any suggestions on what would be causing this chatter? or where I should look for the next clue?

- Kevin
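A quick way to get from a BWMeter-style dump like the one above to something you can reason about is to aggregate it per flow. The script below is an added example, not part of Kevin's post or of BWMeter; it parses the first lines of the capture quoted above (embedded here as constructed sample input), groups packets by source/destination/port/protocol, maps the IANA protocol number to a name, labels the well-known port, and counts 40-byte TCP packets separately. The 40-byte interpretation assumes BWMeter reports the IP datagram length, in which case 40 bytes is a bare 20-byte IP header plus 20-byte TCP header with no payload, i.e. an ACK or keepalive rather than data.

```python
import re
from collections import defaultdict

# Constructed sample: the first lines of the BWMeter capture quoted in the post.
SAMPLE_LOG = """\
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 146 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 40 bytes, protocol: 6
KEVINSONY:139->D800-2YQ1831:4835 : 179 bytes, protocol: 6
D800-2YQ1831:4835->KEVINSONY:139 : 180 bytes, protocol: 6
"""

# One BWMeter line: "<src>:<sport>-><dst>:<dport> : <n> bytes, protocol: <p>"
LINE_RE = re.compile(
    r"^(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)"
    r"\s*:\s*(?P<bytes>\d+) bytes, protocol: (?P<proto>\d+)$"
)

# IANA protocol numbers and the NetBIOS/SMB ports relevant to this thread.
IANA_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
WELL_KNOWN_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file/print sharing)",
    445: "SMB direct",
}

def parse_line(line):
    """Return a dict for one BWMeter line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bytes": int(m["bytes"]), "proto": int(m["proto"]),
    }

def summarize(text):
    """Aggregate packets per (src, sport, dst, dport, proto) flow."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "header_only": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip BWMeter banner lines or anything unparseable
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += rec["bytes"]
        # Assumption: sizes are IP datagram lengths, so 40 bytes of TCP is
        # header-only (no payload): an ACK or keepalive, not data.
        if rec["proto"] == 6 and rec["bytes"] == 40:
            f["header_only"] += 1
    return dict(flows)

def describe(flows):
    """Human-readable lines, busiest flow first."""
    out = []
    for (src, sport, dst, dport, proto), f in sorted(
        flows.items(), key=lambda kv: -kv[1]["packets"]
    ):
        pname = IANA_PROTOCOLS.get(proto, f"proto {proto}")
        service = (WELL_KNOWN_PORTS.get(sport) or WELL_KNOWN_PORTS.get(dport)
                   or "unregistered/ephemeral")
        out.append(f"{src}:{sport} -> {dst}:{dport} {pname}: {f['packets']} pkts, "
                   f"{f['bytes']} bytes, {f['header_only']} header-only ({service})")
    return out

if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a full capture, a flow whose packets are mostly header-only and whose service port is 139 points at SMB session chatter (here, the remote printer connection) rather than at data transfer, which is the clue Kevin's later Ethereal look confirmed.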
 
Kevin,
Try using Ethereal. It is better and more informative. What is protocol: 6?
 
I suppose that this number is the protocol number assigned by the IANA. 6 is TCP. Nothing helpful here, I'm afraid.
But perhaps you can identify which process is using the 4835 TCP port; have a look here:
"Networking/WinNT_Networking/Q_20851867.html"

I didn't try it because I'm under Linux, so I just have to call "lsof" :))
But I hope it will be helpful for you.
 
Port 139 is used by Windows Authentication for file sharing, domain login, and all kinds of other "stuff". Check for activity in shared folders or printers. You may also have an application that is negotiating security as well.
 
Problem solved!

Thanks to all for your suggestions. I downloaded Ethereal and used it to capture the traffic. I was amazed at the detail of the analysis ...

In the messages there were many attempts by the XP Pro laptop to open or close remote printers with lots of "out of sequence" TCP messages. It was evident that sharing over the home network was shaky (although I was still able to print and share files during all of this).

To cure the problem, I deleted all the remote printers from the Windows XP Pro laptop, deleted the remote SharedDocs from My Network Places, and rebooted both machines.

I then restarted the VPN connection on the laptop (not sure if this is important, but it makes the laptop happier in general).

Finally, I browsed in My Network Places to rediscover the local PC and its printers.

At this moment, all devices are happy and quiet and all functionality is restored.

Thanks again,
Kevin
 
Followup on "Jerry Guinn"
Belated thanks to those who responded. I took advice and installed a packet analyzer to monitor this IP. The resulting log file entries were all identical except for the port number; this varied from entry to entry. A single log file is as follows:

********************************************************

POST /WANCommonInterfaceConfig HTTP/1.1
Content-Type: text/xml; charset="utf-8"
SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetTotalPacketsReceived"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.1.1:6688
Content-Length: 315
Connection: Keep-Alive
Pragma: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=" SOAP-ENV:encodingStyle=" xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/></SOAP-ENV:Body></SOAP-ENV:Envelope>

*****************************************************

As I said, note in the "Host" line, 192.168.1.1 is the packet destination from the laptop (my gateway), and the port number (I'm assuming that's what it is) is different in each log file entry.

Any ideas?
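The request quoted above identifies itself in the SOAPAction header: the action belongs to the UPnP Internet Gateway Device "WANCommonInterfaceConfig" service, which gateway-status clients poll to read the router's traffic counters, so a once-per-second stream of these to the gateway is a status poll rather than a back door. The script below is an added example, not part of Jerry's post; it parses a captured HTTP request, pulls the UPnP service and action out of the SOAPAction header and the control host and port out of the Host header, flags the counter-polling actions, and counts actions across several captured entries. The sample request is constructed from the one in the post, with the SOAP body namespaces filled in from the standard SOAP 1.1 envelope (the post's copy lost them to HTML stripping); the extra entries with a different Host port and a GetTotalPacketsSent action are constructed to mirror Jerry's note that the port varied between entries.

```python
import re
from collections import Counter

# Constructed sample, based on the request quoted in the post.
SAMPLE_REQUEST = (
    "POST /WANCommonInterfaceConfig HTTP/1.1\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    'SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1'
    '#GetTotalPacketsReceived"\r\n'
    "User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\r\n"
    "Host: 192.168.1.1:6688\r\n"
    "Content-Length: 315\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<SOAP-ENV:Body><m:GetTotalPacketsReceived "
    'xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>'
    "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

# Constructed: the same poll repeated with a different Host port and a
# sibling counter action, as Jerry's description of the log suggests.
SAMPLE_CAPTURES = [
    SAMPLE_REQUEST,
    SAMPLE_REQUEST.replace("Host: 192.168.1.1:6688", "Host: 192.168.1.1:6689"),
    SAMPLE_REQUEST.replace("GetTotalPacketsReceived", "GetTotalPacketsSent"),
]

# SOAPAction for a UPnP service: urn:schemas-upnp-org:service:<svc>:<ver>#<action>
SOAP_ACTION_RE = re.compile(
    r'^"?urn:schemas-upnp-org:service:(?P<service>[^:]+):(?P<version>\d+)#(?P<action>\w+)"?$'
)

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers (lower-cased) and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def classify_upnp(req):
    """Describe a UPnP SOAP control request, or return None if it is not one."""
    m = SOAP_ACTION_RE.match(req["headers"].get("soapaction", ""))
    if not m:
        return None
    host, _, port = req["headers"].get("host", "").partition(":")
    return {
        "service": m["service"],
        "version": int(m["version"]),
        "action": m["action"],
        "control_host": host,
        "control_port": int(port) if port else 80,
        # GetTotalPacketsSent/Received and GetTotalBytesSent/Received are the
        # IGD traffic-counter reads that a gateway status display polls.
        "is_igd_counter_poll": (m["service"] == "WANCommonInterfaceConfig"
                                and m["action"].startswith("GetTotal")),
    }

def count_upnp_actions(captures):
    """Count UPnP actions per (control host, service, action) across captured requests."""
    counts = Counter()
    for raw in captures:
        info = classify_upnp(parse_http_request(raw))
        if info is not None:
            counts[(info["control_host"], info["service"], info["action"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_upnp_actions(SAMPLE_CAPTURES).items():
        print(n, "x", key)
```

Because the destination is the gateway's UPnP control port and the client advertises itself as "UPnP/1.0", the traffic is confined to the LAN side; the varying port Jerry saw is the client's ephemeral port on each new connection. That makes it a noise and policy question (whether the UPnP client should be running on a work laptop) rather than evidence of outside access.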
 
Well, without spending too much time, use the part below as a search string in Google, and you will find enough reading for a week about your problem.

schemas-upnp-org:service:WANCommonInterfaceConfig

Regards,
Robert
 