Windows XP Transfering Crazy Amounts of Packets...

I have noticed this problem on 4 machines, around the time when my WatchGuard Firebox would not be able to reach the Internet, and it would say lost connection. They are all XP machines. It's like something is making them transmit a bunch of packets, and it's overloading the Firebox and in turn making my Internet connection drop for like 2 minutes every couple of hours.

When I do a status on 4 XP machines in the building they are saying transferred 56,342,423,234, received 312,132, which is f'd up. I have virus protection on both machines, updated it, found nothing, and no spyware installed.



Put the free version of ZoneAlarm ( on one / all of the machines for a couple of hours and see which applications try to access the Internet.
Go through this list and / or post it here to try and identify which one is causing the problem.
Sounds like somebody is running BitTorrent, Gnutella, or Kazaa. If you really want to get to the bottom of this, go get yourself a copy of Ethereal (, sniff the network with the filter "host" (substituting the IP address of the XP box you want to figure out, of course), and see what the traffic is. If you've never done this before, you ought to: it's a heck of a learning experience.

emilbus20Author Commented:
Cannot be running Kazaa or anything like that; I have all web access blocked, and can't add programs to the computers...

<<Cannot be running Kazaa>>

Huh. In that case, what I suggested about using Ethereal to examine the traffic goes double... and I'll be interested to hear what the traffic turns out to be!
emilbus20Author Commented:
Okay, I'm downloading Ethereal now, I'll post what it turns out to be...
Yes, use Ethereal instead of ZoneAlarm. You can also install XP SP2, which turns the Internet firewall on and will also prompt you when programs try to access the web. It would work well if you're not comfortable reading a packet sniffer like Ethereal.

Sounds like "loop" behaviour to me.

Take a look at the IPs and the ARP table on the machine; what you need to check for a loop is:

1. That the same IP address doesn't have more than 1 MAC address. (arp -a in a CMD window)
2. That you don't have the same IP address on more than 1 machine. (ipconfig in a CMD window)

The idea of Ethereal is OK, but I would check the configuration of the XP machines first.

In Ethereal don't filter anything, but check what types of traffic (protocols) are passing by. An "ARP loop" can be identified by zillions of broadcasts running like crazy around the network, until the switch/router is dead.
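The two suggestions above, sniffing with Ethereal to see which box is the talker and checking the ARP table for one IP answered by more than one MAC, can both be done offline against a saved capture. The following is an added example, not code from the original thread or from any of the tools named in it: it parses the classic libpcap file format (Ethernet link type) with the Python standard library only, counts packets per source IP and transport protocol to find the host spraying UDP, and records which MACs answer ARP for each IP so that a duplicate address or a bridging loop shows up as a conflict. The sample capture it builds is constructed; every MAC and IP address in it is invented.

```python
"""Added example: find the noisy host and check for ARP address conflicts
in a libpcap capture, standard library only. The capture built by
build_sample_capture() is constructed; all addresses in it are invented."""
import struct
from collections import Counter, defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes):
    """Yield link-layer frames from a little-endian libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):  # 16-byte record header precedes each frame
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def mac_str(b):  # same dashed form that "arp -a" prints on Windows
    return "-".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def analyze(frames):
    """Return (Counter of (src_ip, proto), {ip: set of MACs seen in ARP replies})."""
    talkers = Counter()
    arp_claims = defaultdict(set)
    for f in frames:
        if len(f) < 14:
            continue
        ethertype, = struct.unpack_from("!H", f, 12)
        body = f[14:]
        if ethertype == ETH_IPV4 and len(body) >= 20:
            proto = PROTO_NAMES.get(body[9], str(body[9]))  # protocol byte
            talkers[(ip_str(body[12:16]), proto)] += 1       # source address
        elif ethertype == ETH_ARP and len(body) >= 28:
            op, = struct.unpack_from("!H", body, 6)
            if op == 2:  # reply: the sender MAC/IP pair is the claim being made
                arp_claims[ip_str(body[14:18])].add(mac_str(body[8:14]))
    return talkers, arp_claims

def top_talkers(frames, n=5):
    """Busiest (src_ip, proto) pairs by packet count, highest first."""
    return analyze(frames)[0].most_common(n)

def arp_conflicts(frames):
    """IPs claimed by more than one MAC in ARP replies -> sorted MAC list."""
    return {ip: sorted(m) for ip, m in analyze(frames)[1].items() if len(m) > 1}

# --- constructed sample capture (not real traffic) -------------------------
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def _ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, dst_ip)  # checksums left 0; the analysis ignores them
    return ip + udp

def _arp_reply(sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 2, sha, spa, tha, tpa)

def build_sample_capture():
    """libpcap bytes: one XP box spraying UDP, plus two MACs answering for .1."""
    gw_mac, gw_ip = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
    xp_mac, xp_ip = bytes.fromhex("00c0ffee0001"), bytes([192, 168, 1, 50])
    pc_mac, pc_ip = bytes.fromhex("00c0ffee0002"), bytes([192, 168, 1, 20])
    rogue_mac = bytes.fromhex("00c0ffee0003")  # second box claiming the gateway IP
    ext_ip = bytes([203, 0, 113, 9])
    frames = [_eth(gw_mac, xp_mac, ETH_IPV4, _ipv4_udp(xp_ip, ext_ip, 1024 + i, 7777, b"x" * 40))
              for i in range(200)]  # the flood
    frames += [_eth(gw_mac, pc_mac, ETH_IPV4, _ipv4_udp(pc_ip, gw_ip, 3000 + i, 53, b"q" * 30))
               for i in range(3)]   # a little ordinary DNS from another host
    frames += [_eth(xp_mac, gw_mac, ETH_ARP, _arp_reply(gw_mac, gw_ip, xp_mac, xp_ip)),
               _eth(xp_mac, rogue_mac, ETH_ARP, _arp_reply(rogue_mac, gw_ip, xp_mac, xp_ip)),
               _eth(gw_mac, pc_mac, ETH_ARP, _arp_reply(pc_mac, pc_ip, gw_mac, gw_ip))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    frames = list(parse_pcap(build_sample_capture()))
    print(f"{len(frames)} frames")
    for (src, proto), n in top_talkers(frames):
        print(f"{n:6d}  {src:15s} {proto}")
    for ip, macs in arp_conflicts(frames).items():
        print(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
```

To run it against a real capture, save from Ethereal in libpcap format, read the file as bytes and pass it to parse_pcap() instead of build_sample_capture(). The top-talkers table answers the "which machine" question directly, and an entry in arp_conflicts() is the capture-side version of the arp -a check above: a single host's ARP cache only ever shows one MAC per IP, so a second machine answering for the same address is visible only in the replies on the wire.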
Sounds like a DDoS to me.

If you get nowhere with Ethereal, try Outpost. That is a personal firewall with a real-time network monitor.

Also, if you unplug the network cables from the rogue machines, does the Internet connection stay up?

Finally, your Firebox should have a traffic monitor. Crank up the logging and see what's afoot there.

Keep us posted.
emilbus20Author Commented:
With a DDoS wouldn't it pick up a virus? I have the latest version of Sophos installed & updated and it's finding nothing.
Hi emilbus20,

There are many TCP/IP tracers. One among them is TCPView.

It's a very simple file, doesn't take much time, very easy to use, not as complicated as Ethereal.

Find out which is the unnecessary TCP/UDP connection and from which path it is sending packets out.

If it's a virus, then you may find some unknown .exe files; then you can delete them.

All the best.
Do you have the WatchGuard Security Event Processor program?

Load it up and look at the bandwidth tab. Then take a look at HostWatch and see which computers have permanent access to some IPs.
emilbus20Author Commented:
Okay, I just used Ethereal to view what was going on, and I found that it was sending a crazy amount of UDP packets, so I went into the XP firewall and looked at the services it was allowing, and there were these 2 services that it was letting run over UDP called "msmsgs", so I cancelled them both, and then did an msconfig to look at what was loading, and a couple of things that looked funky were loading so I killed them, restarted, and the problem is gone. That's 1 down, 4 to go...


Do you have the WatchGuard Security Event Processor?

You'd be able to find out which PC is connected to which IP.
I had the same problem on several of my Gateway laptops running XP. I fixed the problem by disabling the NIC, uninstalling the drivers, and reinstalling the drivers. Hope this helps. You could also try getting updated drivers.
