Windows XP Transferring Crazy Amounts of Packets...

I have noticed this problem on 4 machines, around the time when my WatchGuard Firebox would not be able to reach the internet, and it would say lost connection. They are all XP machines. It's like something is making them transmit a bunch of packets, and it's overloading the Firebox and in turn making my internet connection drop for like 2 minutes every couple of hours.

When I do a status on 4 XP machines in the building they are saying transferred 56,342,423,234, received 312,132, which is f'd up. I have virus protection on both machines, updated it, found nothing, and no spyware installed.

Help!

liddler commented:
Put the free version of ZoneAlarm (www.zonelabs.com) on one / all of the machines for a couple of hours and see which applications try to access the internet.
Go through this list and/or post it here to try and identify which one is causing the problem.

RHenningsgard commented:
Sounds like somebody is running BitTorrent, Gnutella, or Kazaa. If you really want to get to the bottom of this, go get yourself a copy of Ethereal (http://www.ethereal.com), sniff the network with the filter "host 192.168.0.101" (substituting the IP address of the XP box you want to figure out, of course), and see what the traffic is. If you've never done this before, you ought to: it's a heck of a learning experience.

Rob

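As an added example (not code from any poster), here is a small Python script that takes packet-list lines in the shape Ethereal exports (number, time, source, destination, protocol, length, info), totals bytes sent and received per host, and flags hosts whose outbound volume dwarfs inbound and is almost all UDP, the lopsided pattern the asker's transfer counters show. The capture lines and thresholds are constructed.

```python
from collections import defaultdict

# Constructed packet-list lines in the "No. Time Source Destination Protocol
# Length Info" layout of an Ethereal export; sample data, not a real capture.
SAMPLE_CAPTURE = """\
1 0.000 192.168.0.101 192.168.0.1 UDP 1472 Source port: 1027  Destination port: 1863
2 0.001 192.168.0.101 192.168.0.1 UDP 1472 Source port: 1027  Destination port: 1863
3 0.002 192.168.0.101 192.168.0.1 UDP 1472 Source port: 1027  Destination port: 1863
4 0.010 192.168.0.50 192.168.0.1 TCP 60 1100 > 80 [SYN] Seq=0
5 0.011 192.168.0.1 192.168.0.50 TCP 60 80 > 1100 [SYN, ACK] Seq=0 Ack=1
6 0.012 192.168.0.101 192.168.0.1 UDP 1472 Source port: 1027  Destination port: 1863
7 0.020 192.168.0.1 192.168.0.101 ICMP 70 Destination unreachable
"""

def parse_packets(text):
    """Return a list of {src, dst, proto, len} dicts, skipping malformed lines."""
    packets = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6 or not parts[5].isdigit():
            continue
        _, _, src, dst, proto, length = parts[:6]
        packets.append({"src": src, "dst": dst, "proto": proto, "len": int(length)})
    return packets

def per_host_stats(packets):
    """Bytes sent/received per address, plus how much of the sent volume is UDP."""
    stats = defaultdict(lambda: {"sent": 0, "recv": 0, "udp_sent": 0})
    for p in packets:
        stats[p["src"]]["sent"] += p["len"]
        if p["proto"] == "UDP":
            stats[p["src"]]["udp_sent"] += p["len"]
        stats[p["dst"]]["recv"] += p["len"]
    return dict(stats)

def suspicious_hosts(stats, ratio=10.0, min_sent=4000, udp_share=0.9):
    """Hosts that send at least `ratio` times what they receive, mostly as UDP.
    Thresholds are constructed; tune them to the length of the capture."""
    flagged = []
    for host, s in stats.items():
        if s["sent"] < min_sent:
            continue
        r = s["sent"] / max(s["recv"], 1)
        share = s["udp_sent"] / s["sent"]
        if r >= ratio and share >= udp_share:
            flagged.append((host, round(r, 1), round(share, 2)))
    return sorted(flagged)
```

Running `suspicious_hosts(per_host_stats(parse_packets(SAMPLE_CAPTURE)))` on the sample returns only 192.168.0.101, which sends about 84 times what it receives, all of it UDP.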
emilbus20 (Author) commented:
Cannot be running Kazaa or anything like that, I have all web access blocked, and can't add programs to the computers...
RHenningsgard commented:
<<Cannot be running Kazaa>>

Huh. In that case, what I suggested about using Ethereal to examine the traffic goes double... and I'll be interested to hear what the traffic turns out to be!

emilbus20 (Author) commented:
Okay, I'm downloading Ethereal now, I'll post what it turns out to be...

tonyteri commented:
Yes, use Ethereal instead of ZoneAlarm. You can also install XP SP2, which puts the Internet Firewall on and will also prompt you when programs try to access the web. It would work well if you're not comfortable reading a packet sniffer like Ethereal.

TT

muhalok commented:
Sounds like a "loop" behaviour to me.

Take a look at the IPs and ARP table on the machine; what you need to check for a loop is:

1. That the same IP address doesn't have more than 1 MAC address. (arp -a in a CMD window)
2. That you don't have the same IP address on more than 1 machine. (ipconfig in a CMD window)

The idea of Ethereal is OK, but I would check the configuration of the XP machines first.

In Ethereal don't filter anything, but check what types of traffic (protocols) are passing by. An "ARP loop" can be identified by zillions of broadcasts running like crazy around the network, until the switch/router is dead.

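An added example that is not part of muhalok's post: a Python script that parses `arp -a` output in the Windows XP layout and goes a step beyond the two manual checks above by merging dumps collected from several machines, so an IP that resolves to different MACs on different hosts (an address conflict) and a MAC that claims several IPs both surface at once. The dumps, addresses and machine names are constructed.

```python
import re
from collections import defaultdict

# Constructed "arp -a" output as collected from two XP machines; sample
# addresses, not the ones in the thread.
ARP_DUMPS = {
    "pc-a": """\
Interface: 192.168.0.101 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-01     dynamic
  192.168.0.50          00-11-22-33-44-50     dynamic
""",
    "pc-b": """\
Interface: 192.168.0.102 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-01     dynamic
  192.168.0.50          00-11-22-33-44-99     dynamic
  192.168.0.60          00-11-22-33-44-99     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
""",
}

# One table row: IP, MAC in Windows dash notation, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Return (ip, mac, type) tuples; the Interface and header lines don't match."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            rows.append((ip, mac.lower(), kind.lower()))
    return rows

def find_conflicts(dumps):
    """Merge dumps from several machines; report IPs seen with more than one MAC
    and MACs seen with more than one IP. Static entries (broadcast/multicast) are
    skipped. A MAC with several IPs may be a legitimately multi-homed box, so treat
    that half of the result as a lead to check rather than proof of a problem."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for text in dumps.values():
        for ip, mac, kind in parse_arp(text):
            if kind != "dynamic":
                continue
            ip_to_macs[ip].add(mac)
            mac_to_ips[mac].add(ip)
    dup_ips = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    dup_macs = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return dup_ips, dup_macs
```

On the sample, `find_conflicts(ARP_DUMPS)` reports 192.168.0.50 with two different MACs (the conflict case) and MAC 00-11-22-33-44-99 answering for two IPs.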
stevemjp commented:
Sounds like a DDoS to me.

If you get nowhere with Ethereal, try Outpost. That is a personal firewall with a real-time network monitor.

Also, if you unplug the network cables from the rogue machines, does the internet connection stay up?

Finally, your Firebox should have a traffic monitor. Crank up the logging and see what's afoot there.

Keep us posted.

emilbus20 (Author) commented:
With a DDoS, wouldn't it pick up a virus? I have the latest version of Sophos installed and updated and it's finding nothing.

thribhu commented:
Hi emilbus20,

There are many TCP/IP tracers. One among them is TCPView:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

It's a very simple file, doesn't take much time, very easy to use, not as complicated as Ethereal.

Find out which is the unnecessary TCP/UDP connection and from which path it is sending packets out.

If it's a virus then you may find some unknown .exe files, then you can delete them.

All the best.

georgecooldude commented:
Do you have the WatchGuard Security Event Processor program?

Load it up and look at the bandwidth tab. Then take a look at HostWatch and see which computers have permanent access to some IPs.

emilbus20 (Author) commented:
Okay, I just used Ethereal to view what was going on, and I found that it was sending a crazy amount of UDP packets, so I went into the XP firewall and looked at the services it was allowing, and there were these 2 services that it was letting run over UDP called "msmsgs", so I cancelled them both, and then did a msconfig to look at what was loading, and a couple of things that looked funky were loading so I killed them, restarted, and the problem is gone. That's 1 down, 4 to go...

brb

emilbus

georgecooldude commented:
Do you have the WatchGuard Security Event Processor?

You'd be able to find out which PC is connected to which IP.

lpse2000 commented:
I had the same problem on several of my Gateway laptops running XP. I fixed the problem by disabling the NIC, uninstalling the drivers and reinstalling the drivers. Hope this helps. You could also try getting updated drivers.