Excessive connections on systems fill Sonicwall Cache of 4096.

I have been having problems with our system.  We thought it was just a Backdoor trojan...but we have isolated all of the machines and thoroughly cleaned them.  But I am still getting heavy utilization on our system which makes it excessively slow and sporadically decline connections because it exceeds the 4096.  I have 15 servers and about 50 client pcs.  I have shutdown the VPN to prevent machines not yet cleaned from accessing the system.  I do not have a clue which direction to turn at this point.  I am running mcAffee AV on all the machines.  Any help would be great.  I am looking into a Fluke One Touch tool to possible help but justifying the cost to management is always a challenge.  Thank you in advance for your assistance.
sissylIT DirectorAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
adamdrayerConnect With a Mentor Commented:

Look at something called http://www.ethereal.com.  It can capture network traffic and identify where it originates.

I'm assuming your on Windows.
0
 
oxymoronxCommented:
Check your outbound port connections on the firewall and isolate which doors the traffic is attempting to get out of.  I'd run a pc analyzer on every pc to determine exactly what is running.  remember that mcaffee won't pick up adware, spyware, and peer to peer applications.  find out what everyone is doing at the local pc level.  is someone running a gameserver you're not aware of?  peer to peer applications can do the same thing and a simple host file will direct the p2p client to any port available for outgoing traffic.

just a couple of thoughts.
0
 
MarakushCommented:
I would tend to agree with adamdrayer, run ethreal for about  1 hour or set the packet capture for like 10 meg, it will show where the greatiest amount of traffic is comming from without having to go to each PC and test it.


Marakush
0
 
ngravattCommented:
you could also use a HUB to sniff the network traffic.  When we have these problems, instead of installing the ethereal software on the target PC, we have already installed it on a laptop.  We take the network cable out of the target PC plug it into the uplink port of the HUB and then plug a cable from the hub to the PC.  Also, the laptop is plugged into the hub.  Since a HUB broadcast all packets to every port, you can see all the traffic going to and from the PC on the laptop (which is running etherreal).
0
 
tropsmr2Commented:
To add to the rest:

You MUST use a hub if your Ethereal trace is to be successful.  The NETGEAR DS104 is a good choice as it supports both 10 and 100 (must make sure that the sniffer selects the same speed as whatever you are sniffing).

On a heavily loaded network, it should only take a minute or two Ethereal trace to determine the problem.  

Beware of the SASSER worm as it will quickly load a net as it searches for victim machines.
Post the trace and let's see what we come up with....

0
All Courses

From novice to tech pro — start learning today.