Millions of packets

tripex (Gawd, joined Jun 8, 2002, 854 messages)
Hey you guys,

I have a smallish 10-computer network, configured as a WORKGROUP.

All computers are running Windows XP, with some shared printers in the mix.

Internet access available for everyone.



Now my problem is:

There are at least 3 computers that generate a shitload of traffic (especially received packets).

They have like 1 million received packets in 10 or 15 minutes.

But I have scanned them with SnD, Lavasoft SE, McAfee 8i, MS Windows Defender and the MS Malware Removal Tool, and they're totally clean.

All machines are updated with Autopatcher Jun 2007.



What could be the problem? I have noticed that there seems to be some relation between at least 2 of those computers. I mean, these 2 computers generate lots of traffic when they are both turned on at the same time. It's like they're communicating with each other.


Besides this, there is no problem. They all print OK, access the net OK, but I'm still worried about it. What can I do?
 
Try netstat and see where the connections are going.

Download a free connection scanner like MS Network Monitor 3 and see what the traffic is.
 
I agree with Hypernova... Use a packet capture program like MS Network Monitor 3 or Wireshark to see where all the packets are coming from. Look at the source address in the packets. This will tell you where they're from.

If it's an address on the internet, look it up and see who / what it is. In that case, you really need to take a closer look at the PCs in question. (They're not doing something like listening to streaming audio, right?)

If the source address is an internal machine, take a close look at that machine to determine what it's doing.

If you want to upload a packet capture, there's plenty of people around who can help decipher it.
 
365 packets in 288 seconds... That's only 1.2 packets a second, which would be about 1200 in 10 minutes (slightly lower than 1,000,000).

Looks like most of the traffic is NetBIOS name queries (192.168.0.52 asking for a machine named ZUNGUZA); if you don't have a DNS server, you are stuck with NetBIOS for local name resolution. NetBIOS is rather chatty.

I see some attempts at DNS resolution by 192.168.0.52 against the DNS server at 192.168.0.2.

I also see some ARP requests, which are all normal.

Basically, I don't see any traffic which looks 'bad' or 'evil'... just a few Windows boxes trying to get each other's names and MAC addresses.
 
Hi Fint, first of all, thanks for your time. I really appreciate it.


Also, I mixed the whole thing up! :(
I originally posted about a workgroup network where I have problems.

But the file I posted belongs to a computer that is on a small local domain (with a Win 2003 Server AD+DC).
This small network is from a friend who has a similar problem to mine. So I captured the packets at one of his workstations, the one with millions of packets.

Now I'm posting a bigger file, 1 MB (compacted to 140 KB). Same computer, bigger timespan.
Can you check it?

http://files-upload.com/files/514772/millpackets.rar



PS - The ZUNGUZA computer doesn't exist anymore. It was removed a couple of weeks ago. Why would a computer try to look for it? :(
Maybe a deceased shared printer... I'll check and remove it if that's the case.
 
Wireshark has some pretty decent reports in it that will help figure out what's going on.

Open your file in Wireshark, then go to 'Statistics' and then 'Conversations'. Once that loads, on the 'Ethernet' tab you can see a summary of which devices were doing all the talking; scroll down for the highest count by packets. Select the bottom line (the one with 5012 packets), right-click, and do 'Apply as filter', then 'Selected' and then 'A <-> B'.

Now Wireshark will show you only data going from A to B, which was the highest volume by packets. You can see that all of this is some sort of printer talk between 192.168.0.52 and 192.168.0.60 (.52 is requesting a printer from .60, named '\\rh\HP LaserJet 1200 Series PCL', but .60 is closing the request very quickly). .52 doesn't seem to appreciate this, as it keeps retrying quite often.

Now, as to why .60 is telling .52 to take a hike, I don't know, but now you know it's a printer issue between those two devices.
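The two analysis replies above (look at the source address of each packet; then Statistics > Conversations, sort by packets, and filter the busiest pair A <-> B) can be reproduced without the GUI, which is handy when someone uploads a capture and you want numbers rather than screenshots. The script below is an added example written for this page, not code posted by anyone in the thread. It parses classic pcap with the Python standard library only, tallies Ethernet and IPv4 conversations, pulls out the busiest pair in both directions, and carries the packets-per-capture-second arithmetic from the first analysis reply. Everything in the sample capture is constructed here: the MAC addresses, the NetBIOS-looking payload and the frame timings are hypothetical, and only the host addresses 192.168.0.52, .60 and .2 are borrowed from the thread.

```python
"""Top-talker summary of a pcap, standard library only.

Reproduces what the thread does in Wireshark: Statistics > Conversations
(Ethernet and IPv4 tabs), sort by packets, then 'Apply as filter > A <-> B'
on the busiest pair. The capture at the bottom is CONSTRUCTED in this file
(hypothetical MACs and payloads); it is not the poster's capture.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps

def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap (libpcap) file")
    off = 24  # 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Pull out the addresses the Ethernet and IPv4 conversation tabs key on."""
    pkt = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ethertype": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["ethertype"] == 0x0800:  # IPv4
        ihl = (frame[14] & 0x0F) * 4
        pkt["proto"] = frame[14 + 9]
        pkt["src_ip"] = ".".join(str(b) for b in frame[26:30])
        pkt["dst_ip"] = ".".join(str(b) for b in frame[30:34])
        if pkt["proto"] in (6, 17):  # TCP/UDP: ports are the first 4 bytes of L4
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt

def conversations(data, layer="ip"):
    """Counter {unordered (a, b): packets}, like the Conversations report."""
    a_key, b_key = ("src_ip", "dst_ip") if layer == "ip" else ("src_mac", "dst_mac")
    counts = Counter()
    for _ts, frame in parse_pcap(data):
        pkt = decode(frame)
        if a_key in pkt:  # ARP and friends carry no IP addresses
            counts[tuple(sorted((pkt[a_key], pkt[b_key])))] += 1
    return counts

def busiest_pair(data, layer="ip"):
    """The line you would right-click: ((a, b), packet_count) with the top count."""
    return conversations(data, layer).most_common(1)[0]

def filter_pair(data, a, b):
    """'Apply as filter > Selected > A <-> B' on the IPv4 tab: both directions."""
    wanted = {a, b}
    decoded = ((ts, decode(fr)) for ts, fr in parse_pcap(data))
    return [(ts, p) for ts, p in decoded if {p.get("src_ip"), p.get("dst_ip")} == wanted]

def packets_per_second(n_packets, capture_seconds):
    """Sanity check from the thread: total packets over the capture length."""
    return n_packets / capture_seconds

def projected(n_packets, capture_seconds, window_seconds=600):
    """Scale that rate to a window (default 10 minutes) to compare with a claim."""
    return round(packets_per_second(n_packets, capture_seconds) * window_seconds)

# ---- constructed sample capture (hypothetical, not from the thread) ----------
def _ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(map(int, s.split(".")))

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame with a valid IPv4 header checksum."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + udp

def arp_request(src_mac, src_ip, target_ip):
    """Broadcast ARP who-has; shows up on the Ethernet tab but not the IPv4 tab."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, _mac(src_mac),
                       _ip(src_ip), b"\0" * 6, _ip(target_ip))
    return _mac("ff:ff:ff:ff:ff:ff") + _mac(src_mac) + b"\x08\x06" + body

def build_pcap(frames):
    """[(ts_seconds, frame_bytes)] -> little-endian classic pcap, LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, fr in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(fr), len(fr)) + fr
    return out

MAC52, MAC60, MAC2 = "00:11:22:33:44:52", "00:11:22:33:44:60", "00:11:22:33:44:02"
WS52, WS60, DNS = "192.168.0.52", "192.168.0.60", "192.168.0.2"
NBNS = b"\x80\x01\x00\x01" + b"\x00" * 8  # stand-in for a NetBIOS name-service query
SAMPLE_PCAP = build_pcap([
    (0.0, arp_request(MAC52, WS52, WS60)),
    (1.0, udp_frame(MAC52, MAC60, WS52, WS60, 137, 137, NBNS)),
    (1.2, udp_frame(MAC60, MAC52, WS60, WS52, 137, 137, NBNS)),
    (2.0, udp_frame(MAC52, MAC2, WS52, DNS, 1025, 53, b"\x12\x34\x01\x00")),
    (3.0, udp_frame(MAC52, MAC60, WS52, WS60, 137, 137, NBNS)),
    (3.2, udp_frame(MAC60, MAC52, WS60, WS52, 137, 137, NBNS)),
    (5.0, udp_frame(MAC52, MAC60, WS52, WS60, 137, 137, NBNS)),
    (7.0, udp_frame(MAC52, MAC60, WS52, WS60, 137, 137, NBNS)),
])
```

To use it on a real file, replace `SAMPLE_PCAP` with `open("millpackets.pcap", "rb").read()` (a classic libpcap file, which Wireshark can save; pcapng is not handled) and print `conversations(data, "eth").most_common()` and `filter_pair(data, *busiest_pair(data)[0])`. On the sample, the busiest IPv4 pair is .52 <-> .60 with 6 of 8 frames, the DNS lookup to .2 is a single packet, and the ARP broadcast appears only on the Ethernet tab, which is the same picture the thread's replies draw from the real capture. `projected(365, 288)` gives the 10-minute figure implied by the first reply's 365 packets in 288 seconds.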
 
Thanks, I did what you said and yes, there's lots of traffic between those two computers.
But I can't fix it; the problem remains.

I wonder if this is some kind of DNS issue on my crappy Windows 2003 server.