Excessive connections on systems fill Sonicwall Cache of 4096.

Posted on 2004-08-10
Last Modified: 2012-05-05
I have been having problems with our system.  We thought it was just a backdoor trojan, but we have isolated all of the machines and thoroughly cleaned them.  But I am still getting heavy utilization on our system, which makes it excessively slow and sporadically declines connections because it exceeds the 4096.  I have 15 servers and about 50 client PCs.  I have shut down the VPN to prevent machines not yet cleaned from accessing the system.  I do not have a clue which direction to turn at this point.  I am running McAfee AV on all the machines.  Any help would be great.  I am looking into a Fluke OneTouch tool to possibly help, but justifying the cost to management is always a challenge.  Thank you in advance for your assistance.
Question by:sissyl
5 Comments
 
LVL 15

Accepted Solution

by:
adamdrayer earned 2000 total points
ID: 11766136

Look at something called http://www.ethereal.com.  It can capture network traffic and identify where it originates.

I'm assuming you're on Windows.
 
LVL 1

Expert Comment

by:oxymoronx
ID: 11766141
Check your outbound port connections on the firewall and isolate which doors the traffic is attempting to get out of.  I'd run a PC analyzer on every PC to determine exactly what is running.  Remember that McAfee won't pick up adware, spyware, and peer-to-peer applications.  Find out what everyone is doing at the local PC level.  Is someone running a game server you're not aware of?  Peer-to-peer applications can do the same thing, and a simple hosts file will direct the P2P client to any port available for outgoing traffic.

Just a couple of thoughts.
 
LVL 8

Expert Comment

by:Marakush
ID: 11766391
I would tend to agree with adamdrayer: run Ethereal for about 1 hour, or set the packet capture for something like 10 MB.  It will show where the greatest amount of traffic is coming from without having to go to each PC and test it.

Marakush
 
LVL 10

Expert Comment

by:ngravatt
ID: 11767145
You could also use a hub to sniff the network traffic.  When we have these problems, instead of installing the Ethereal software on the target PC, we have it already installed on a laptop.  We take the network cable out of the target PC, plug it into the uplink port of the hub, and then plug a cable from the hub to the PC.  The laptop is also plugged into the hub.  Since a hub broadcasts all packets to every port, you can see all the traffic going to and from the PC on the laptop (which is running Ethereal).
 
LVL 1

Expert Comment

by:tropsmr2
ID: 11769390
To add to the rest:

You MUST use a hub if your Ethereal trace is to be successful.  The NETGEAR DS104 is a good choice as it supports both 10 and 100 (you must make sure that the sniffer selects the same speed as whatever you are sniffing).

On a heavily loaded network, it should only take a minute or two of Ethereal trace to determine the problem.

Beware of the Sasser worm, as it will quickly load a net as it searches for victim machines.
Post the trace and let's see what we come up with....
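Added example, not part of any reply above: once you have a capture from the hub as adamdrayer, Marakush and ngravatt describe, the question is which host is opening all those connections. Ethereal's "Statistics" views will rank talkers by bytes, but a firewall connection cache fills on connection *count*, so the host to look for is the one sending the most SYNs, and a worm like the Sasser that tropsmr2 mentions shows up as one source hitting many distinct destinations on a single port (Sasser scanned TCP 445). The script below takes a SYN-only capture summary and ranks sources that way. The input line format ("time src:port > dst:port flags") is an assumption chosen for the example, not any tool's exact output; filter the capture to bare SYNs first (display filter `tcp.flags.syn==1 && tcp.flags.ack==0`) and export it as text in roughly that shape. The sample lines are constructed inline.

```python
"""
Rank hosts in a SYN-only capture summary by connection attempts, to find
the machine filling a firewall's connection table.

Assumed input format (an assumption for this example, not a real tool's
exact output): one bare TCP SYN per line, "time src:port > dst:port flags".
"""
from collections import Counter, defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_syns(lines):
    """Yield (src, dst, dport) for every line that is a bare SYN."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("flags") != "S":
            continue  # skip unparseable lines and anything that is not a plain SYN
        yield m.group("src"), m.group("dst"), int(m.group("dport"))


def summarize(lines):
    """Per source host: SYN count, distinct destinations, and the port that
    received most of its SYNs (with that port's share of the total)."""
    syns = Counter()
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, dport in parse_syns(lines):
        syns[src] += 1
        dsts[src].add(dst)
        ports[src][dport] += 1
    result = {}
    for src, n in syns.items():
        port, hits = ports[src].most_common(1)[0]
        result[src] = {
            "syns": n,
            "distinct_dsts": len(dsts[src]),
            "top_port": port,
            "top_port_share": hits / n,
        }
    return result


def suspects(lines, min_dsts=20, min_share=0.9):
    """Sources that hit many distinct hosts on essentially one port.
    That is the shape of a scanning worm (Sasser: TCP 445) or a runaway
    P2P client, and not of a busy but normal client, which opens many
    connections to a handful of destinations."""
    s = summarize(lines)
    return sorted(
        (src for src, v in s.items()
         if v["distinct_dsts"] >= min_dsts and v["top_port_share"] >= min_share),
        key=lambda src: s[src]["syns"], reverse=True,
    )


# Constructed sample capture: one infected client sweeping port 445,
# one normal web client, one mail server answering with SYN/ACK.
SAMPLE = []
for i in range(60):  # scanner: 60 SYNs to 60 different hosts, all on port 445
    SAMPLE.append(f"10:{i:02d} 192.168.1.37:{1100 + i} > 10.{i % 7}.{i}.{(i * 37) % 250 + 1}:445 S")
for i in range(30):  # browsing: many SYNs, but only three destinations, port 80
    SAMPLE.append(f"10:{i:02d} 192.168.1.5:{2000 + i} > 64.233.160.{i % 3}:80 S")
SAMPLE += [
    "10:05 192.168.1.10:25 > 192.168.1.5:3311 SA",  # SYN/ACK reply, ignored
    "10:06 192.168.1.5:3312 > 192.168.1.10:25 S",
    "garbage line",  # unparseable, ignored
]

if __name__ == "__main__":
    for src, v in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["syns"]):
        print(src, v)
    print("suspects:", suspects(SAMPLE))
```

Run against a real export, the source with the highest SYN count is the one to unplug first; the `suspects` thresholds are starting points, and a legitimate server (mail relay, proxy) will also show many distinct destinations, so check `top_port` and which way the connections go before cleaning anything.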
