emilbus20 asked:
Windows XP Transferring Crazy Amounts of Packets...

I have noticed this problem on 4 machines, around the time when my WatchGuard Firebox would not be able to reach the internet, and it would say lost connection. They are all XP machines. It's like something is making them transmit a bunch of packets, and it's overloading the Firebox and in turn making my internet connection drop for like 2 minutes every couple of hours.

When I do a status on 4 XP machines in the building they are saying transferred 56,342,423,234, received 312,132, which is f'd up. I have virus protection on both machines, updated it, it found nothing, and no spyware installed.

Help!

liddler:

Put the free version of ZoneAlarm (www.zonelabs.com) on one / all of the machines for a couple of hours and see which applications try to access the internet.
Go through this list and / or post it here to try and identify which one is causing the problem.
Sounds like somebody is running BitTorrent, Gnutella, or Kazaa. If you really want to get to the bottom of this, go get yourself a copy of Ethereal (http://www.ethereal.com), sniff the network with the filter "host 192.168.0.101" (substituting the IP address of the XP box you want to figure out, of course), and see what the traffic is. If you've never done this before, you ought to: it's a heck of a learning experience.

Rob---
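The "host 192.168.0.101" filter above narrows a capture to one box; the next thing a practitioner does is summarize what is left: bytes sent versus received, which protocols, which peers, how much is broadcast. The script below is an added example, not code from the thread or from Ethereal. The packet records are constructed (a handful of UDP datagrams from 192.168.0.101 to an outside peer, one reply, one broadcast, and an unrelated host's TCP exchange) so the tx/rx asymmetry from the question can be reproduced; the ".255" broadcast test assumes a /24 subnet.

```python
"""Summarise captured traffic for one host, as Ethereal's 'host X' filter
plus its conversation statistics would.  Added example with constructed
packet records; not part of the original thread."""
from collections import Counter

# Constructed capture: (src_ip, dst_ip, protocol, bytes).  192.168.0.101
# sends a stream of UDP to 203.0.113.9 and gets almost nothing back.
PACKETS = [
    ("192.168.0.101", "203.0.113.9", "UDP", 1400),
    ("192.168.0.101", "203.0.113.9", "UDP", 1400),
    ("192.168.0.101", "203.0.113.9", "UDP", 1400),
    ("192.168.0.101", "203.0.113.9", "UDP", 1400),
    ("203.0.113.9", "192.168.0.101", "UDP", 60),
    ("192.168.0.101", "192.168.0.255", "UDP", 120),  # subnet broadcast
    ("192.168.0.50", "192.168.0.1", "TCP", 200),     # unrelated host
    ("192.168.0.1", "192.168.0.50", "TCP", 1200),
]


def host_filter(packets, host):
    """Keep packets where host is source or destination (Ethereal 'host X')."""
    return [p for p in packets if host in (p[0], p[1])]


def summarize(packets, host):
    """Per-host view: bytes out/in, protocol mix, top peers, broadcast count."""
    tx = sum(size for src, _, _, size in packets if src == host)
    rx = sum(size for _, dst, _, size in packets if dst == host)
    protocols = Counter(proto for _, _, proto, _ in packets)
    peers = Counter(dst if src == host else src for src, dst, _, _ in packets)
    # Assumption: /24 subnet, so a .255 destination is the subnet broadcast.
    broadcast = sum(1 for _, dst, _, _ in packets if dst.endswith(".255"))
    return {
        "tx_bytes": tx,
        "rx_bytes": rx,
        "protocols": dict(protocols),
        "peers": peers.most_common(3),
        "broadcast_pkts": broadcast,
    }


def suspicious(summary, ratio=50):
    """Flag a host sending far more than it receives.  The question's
    counters (56 GB sent, 312 KB received) are four orders of magnitude
    apart; 50x is a conservative threshold (assumption)."""
    rx = max(summary["rx_bytes"], 1)  # avoid division by zero
    return summary["tx_bytes"] / rx >= ratio


if __name__ == "__main__":
    for host in ("192.168.0.101", "192.168.0.50"):
        s = summarize(host_filter(PACKETS, host), host)
        print(host, s, "SUSPICIOUS" if suspicious(s) else "ok")
```

Run against a real capture, replace PACKETS with rows exported from the sniffer (source, destination, protocol, length); the top peer and protocol are what you then chase down on the box itself.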
emilbus20 (asker):

Cannot be running Kazaa or anything like that, I have all web access blocked, and can't add programs to the computers...
<<Cannot be running Kazaa>>

Huh.  In that case, what I suggested about using Ethereal to examine the traffic goes double... and I'll be interested to hear what the traffic turns out to be!
Okay, I'm downloading Ethereal now, I'll post what it turns out to be...
Yes, use Ethereal instead of ZoneAlarm. You can also install XP SP2, which turns the Internet Firewall on and will also prompt you when programs try to access the web. It would work well if you're not comfortable reading a packet sniffer like Ethereal.

TT
Sounds like a "loop" behaviour to me.

Take a look at the IPs and ARP table on the machine. What you need to check for a loop is:

1. That the same IP address doesn't have more than 1 MAC address. (arp -a in a CMD window)
2. That you don't have the same IP address on more than 1 machine. (ipconfig in a CMD window)

The idea of Ethereal is OK, but I would check the configuration of the XP machines first.

In Ethereal don't filter anything, but check what types of traffic (protocols) are passing by. An "ARP loop" can be identified by zillions of broadcasts running like crazy around the network, until the switch/router is dead.
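The two checks in the post above (one IP with several MACs in the ARP cache; one IP configured on several machines) are quick to eyeball on one box but tedious across a building, so the added example below does them from pasted command output. It is not code from the thread; the `arp -a` and `ipconfig` text is constructed to match the Windows XP output format, with one deliberate MAC conflict for 192.168.0.50 and 192.168.0.102 configured on two hosts. Hostnames pc1/pc2/pc3 are placeholders.

```python
"""Check ARP caches and IP configuration collected from several Windows
boxes for the two loop symptoms: one IP seen with more than one MAC, and
one IP configured on more than one machine.  Added example; the command
output below is constructed, not from the original thread."""
import re
from collections import defaultdict

# One 'arp -a' table per machine (constructed).  pc1 and pc2 disagree on
# the MAC for 192.168.0.50.
ARP_OUTPUT = {
    "pc1": """Interface: 192.168.0.101 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.50          00-11-22-33-44-66     dynamic
""",
    "pc2": """Interface: 192.168.0.102 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.50          00-AA-BB-CC-DD-EE     dynamic
""",
}

# One 'ipconfig' dump per machine (constructed).  pc2 and pc3 both claim .102.
IPCONFIG_OUTPUT = {
    "pc1": """Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
""",
    "pc2": """Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
""",
    "pc3": """Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
""",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_LINE = re.compile(
    rf"^\s*({IPV4})\s+([0-9a-fA-F]{{2}}(?:-[0-9a-fA-F]{{2}}){{5}})\s+(\w+)")
IPCONFIG_LINE = re.compile(rf"IP Address[ .]*:\s*({IPV4})")


def parse_arp(text):
    """Return [(ip, mac, type)] from 'arp -a' output; MACs lower-cased so
    the same address in different case is not reported as two MACs."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            rows.append((ip, mac.lower(), kind))
    return rows


def ip_mac_conflicts(arp_by_host):
    """Check 1: IPs that appear with more than one MAC across all caches."""
    seen = defaultdict(set)
    for rows in arp_by_host.values():
        for ip, mac, _ in rows:
            seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def duplicate_ips(ipconfig_by_host):
    """Check 2: IPs configured on more than one machine."""
    owners = defaultdict(set)
    for host, text in ipconfig_by_host.items():
        for ip in IPCONFIG_LINE.findall(text):
            owners[ip].add(host)
    return {ip: sorted(h) for ip, h in owners.items() if len(h) > 1}


if __name__ == "__main__":
    arp_tables = {h: parse_arp(t) for h, t in ARP_OUTPUT.items()}
    print("IP -> multiple MACs:", ip_mac_conflicts(arp_tables))
    print("IP on multiple hosts:", duplicate_ips(IPCONFIG_OUTPUT))
```

A MAC conflict across caches points at either a duplicate address or a device that is answering ARP for an IP it does not own; a duplicate IP from ipconfig is the plain misconfiguration the post describes. Both are cheaper to rule out than reading a full capture.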
Sounds like a DDoS to me.

If you get nowhere with ethereal, try Outpost. That is a personal firewall with real-time network monitor.

Also, if you unplug the network cables from the rogue machines, does the internet connection stay up.

Finally, your Firebox should have a traffic monitor. Crank up the logging and see what's afoot there.

keep us posted.
With a DDoS wouldn't it pick up a virus? I have the latest version of Sophos installed & updated and it's finding nothing.
Hi emilbus20,

There are many TCP/IP tracers. One among them is TCPView:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

It's a very simple file, doesn't take much time, very easy to use, not as complicated as Ethereal.

Find out which is the unnecessary TCP/UDP connection and from which path it is sending packets out.

If it is a virus then you may find some unknown .exe files, then you can delete them.

All the best.
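TCPView's value here is the pivot from the IP and port seen in the sniffer to the process on the box that owns the socket. The same pivot can be done from `netstat -ano` and `tasklist` output (both present on Windows XP), which is what the added example below parses. It is not code from the thread or from Sysinternals; the netstat and tasklist text is constructed in the XP output format, with one process (PID 1012, constructed as msmsgs.exe) holding several UDP ports. Note the caveat: an endpoint count shows who has sockets open, not who is actually sending; confirm against the ports seen in the capture.

```python
"""Map UDP endpoints to owning processes from 'netstat -ano' and 'tasklist'
output, the pivot TCPView does interactively.  Added example; the command
output below is constructed, not from the original thread."""
import re
from collections import Counter

NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    600
  UDP    192.168.0.101:1900     *:*                                    1012
  UDP    192.168.0.101:6891     *:*                                    1012
  UDP    192.168.0.101:6892     *:*                                    1012
  UDP    192.168.0.101:6893     *:*                                    1012
"""

TASKLIST_OUTPUT = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
lsass.exe                    600 Console                 0      1,372 K
svchost.exe                  900 Console                 0      3,104 K
msmsgs.exe                  1012 Console                 0      8,204 K
"""

# UDP rows have an empty State column, so State is optional.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image names may contain spaces ("System Idle Process"); anchor on the
# fixed trailing columns instead.
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def parse_netstat(text):
    """Return [(proto, local, foreign, state, pid)]."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.rstrip())
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name}."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line.rstrip())
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def udp_endpoints_by_process(netstat_text, tasklist_text):
    """[(image, pid, udp_endpoint_count)] with the busiest process first."""
    names = parse_tasklist(tasklist_text)
    counts = Counter(pid for proto, _, _, _, pid in parse_netstat(netstat_text)
                     if proto == "UDP")
    return [(names.get(pid, "?"), pid, n) for pid, n in counts.most_common()]


def port_owner(netstat_text, tasklist_text, local_port, proto="UDP"):
    """Which image(s) own a given local port: the pivot from a port seen in
    the sniffer to a process on the box."""
    names = parse_tasklist(tasklist_text)
    suffix = f":{local_port}"
    return {names.get(pid, "?")
            for p, local, _, _, pid in parse_netstat(netstat_text)
            if p == proto and local.endswith(suffix)}


if __name__ == "__main__":
    for image, pid, n in udp_endpoints_by_process(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{image:20} pid={pid:<6} udp_endpoints={n}")
    print("port 6891 owned by:", port_owner(NETSTAT_OUTPUT, TASKLIST_OUTPUT, 6891))
```

On a real box, redirect `netstat -ano > n.txt` and `tasklist > t.txt` and feed the files in; a process that owns the source port of the flood seen in Ethereal is the one to examine in msconfig or kill.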
Do you have the WatchGuard Security Event Processor program?

Load it up and look at the bandwidth tab. Then take a look at HostWatch and see which computers have permanent access to some IPs.
Okay, I just used Ethereal to view what was going on, and I found that it was sending a crazy amount of UDP packets, so I went into the XP firewall and looked at the services it was allowing, and there were these 2 services that it was letting run over UDP called "msmsgs", so I cancelled them both, and then did a msconfig to look at what was loading, and a couple of things that looked funky were loading so I killed them, restarted, and the problem is gone. That's 1 down, 4 to go...

brb

emilbus
Do you have the WatchGuard Security Event Processor?

You'd be able to find out which PC is connected to which IP.
ASKER CERTIFIED SOLUTION
lpse2000